serverless-aws-secrets

Serverless plugin that reads environment variables and replaces secrets usi...

README

serverless-aws-secrets


Introduction


If you are using a serverless plugin like Serverless Dotenv Plugin, then you shall be having.env.* files that looks like:

  1. ```
  2. MYSQL_USERNAME=username
  3. MYSQL_PASSWORD=password
  4. ```

Rather than storing these secrets in your .env.* file, you can instead store them in AWS Secrets Manager. This plugin will then replace the environment variables (that are already loaded into Serverless framework) with the secrets from AWS Secrets Manager.

You need to change your above .env.* files to:

  1. ```
  2. MYSQL_USERNAME=secret:MYSQL_USERNAME
  3. MYSQL_PASSWORD=secret:MYSQL_PASSWORD
  4. ```

The plugin will then search within AWS Secrets Manager (refer to secretId configuration) for a secret with the name MYSQL_USERNAME and MYSQL_PASSWORD and replace the environment variables with the secret value.

Secrets are recognized as environment variables whose name started with a pre-defined prefix. (refer to secretPrefix configuration below).

Getting Started


These instructions will help you integrate this plugin into your serverless service.

Prerequisites


You need to have the below softwares running on your system:

Node.js v18 - You can use NVM to setup Node.js in your system
Git - You can download from here
Serverless - Refer here on how to get started

Installing the plugin


Run below command to install the plugin:

  1. ```
  2. $ npm install --save-dev serverless-aws-secrets
  3. ```

Add the plugin to serverless.yml:

  1. ```
  2. plugins:
  3.   - serverless-aws-secrets
  4. ```

This will run the plugin during the below serverless hooks:
before:package:initialize
offline:start:init

Configuring the plugin


The plugin can be configured by:

  1. ```
  2. custom:
  3.   serverless-aws-secrets:
  4.     secretId: ...
  5.     secretPrefix: ...
  6. ```

secretId: Location of the secret in AWS Secrets Manager. Default: ${provider.stage}/${app}-${service}

secretPrefix: Prefix of the secret name in AWS Secrets Manager. Default: secret:

CLI commands


This plugin also exposes a CLI command that can be used along with serverless.

Display the secret values


  1. ```
  2. $ sls aws-secrets --verbose
  3. ```

This will display the output:

  1. ```
  2. [serverless-aws-secrets]: Running the command: sls aws-secrets
  3. [serverless-aws-secrets]: Loading secret: {secretId} in {provider.region}
  4. [serverless-aws-secrets]: Secret: {secretKey}, Value: {secretValue}
  5. ```

Local Development


These instructions will help you to run the project in your local.

Setup


Run the below commands to setup the project:

  1. ```
  2. $ git clone git@github.com:robin-thomas/serverless-aws-secrets.git
  3. $ cd serverless-aws-secrets
  4. $ nvm use 18
  5. $ npm install
  6. ```

Running the tests


You can run the unit tests written in Jest by running:

  1. ```
  2. $ npm run test
  3. ```

Versioning


We use SemVer for versioning. For the versions available, see the tags on this repository.

License


This project is licensed under the MIT License - see the LICENSE file for details.