The recommended way for dealing with secrets like passwords, API Keys etc. is to store them in AWS Secrets Manager and call the secrets manager from your lambda function to get the value of the secret. You can store the ARNs of the different secrets as environment variables and use the ARN to get the actual value of the secret from your code.
Secrets Manager docs - https://docs.aws.amazon.com/secretsmanager/latest/userguide/getting-started.html
You can also find code samples in your language of choice here - https://docs.aws.amazon.com/code-samples/latest/catalog/welcome.html
You can use the Input Transformer to include the API Key only if it is part of the original event. Otherwise, the transformer has no way of getting it from anywhere.
If there are a lot of API Keys and you add new ones from time to time or change the existing ones, I would not recommend using environment variables as each change requires re-deploying the function. Instead store the API keys in SSM, SecretsManager, DynamoDB or S3, and read them at function init time.
I understand your concern about accessing all the keys when you only need one, but you will need to do that somewhere anyway, unless the API key is sent on the event itself.
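The pattern both answers describe (secret ARNs in environment variables, values read from Secrets Manager and held in memory) can be sketched as follows. This is an added example, not code from either answer; the `API_KEY_ARN_<PARTNER>` variable naming, the `partner` event field and the 300-second TTL are assumptions made for illustration.

```python
import os
import time

CACHE_TTL_SECONDS = 300  # assumed refresh interval so rotated keys get picked up


class SecretCache:
    """Fetch a secret by ARN on first use and keep it in memory for a TTL."""

    def __init__(self, client=None, ttl=CACHE_TTL_SECONDS, clock=time.monotonic):
        self._client = client
        self._ttl = ttl
        self._clock = clock
        self._entries = {}  # arn -> (expires_at, value)

    def _sm(self):
        if self._client is None:
            import boto3  # lazy import; boto3 ships with the Lambda Python runtime
            self._client = boto3.client("secretsmanager")
        return self._client

    def get(self, arn):
        now = self._clock()
        hit = self._entries.get(arn)
        if hit and hit[0] > now:
            return hit[1]
        resp = self._sm().get_secret_value(SecretId=arn)
        value = resp["SecretString"]
        self._entries[arn] = (now + self._ttl, value)
        return value


def resolve_api_key(partner, cache, environ=os.environ):
    """Map a partner name to its secret ARN via an env var, then fetch the key."""
    var = "API_KEY_ARN_" + partner.upper()  # hypothetical naming convention
    arn = environ.get(var)
    if arn is None:
        raise KeyError(f"no secret ARN configured in {var}")
    return cache.get(arn)


_CACHE = SecretCache()  # built at init time, reused across warm invocations


def handler(event, context):
    api_key = resolve_api_key(event["partner"], _CACHE)
    # Use api_key for the outbound call here; never log or return the value.
    return {"partner": event["partner"], "key_loaded": bool(api_key)}
```

Only the ARNs live in the function configuration, so changing a key's value needs no redeploy. The execution role needs `secretsmanager:GetSecretValue`, which can be scoped to just those ARNs.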