Injecting secret values into event bus event through input transformer. Safe or not?


I have a lambda function which is invoked by various events incoming to event bus (alarms state changes mostly).

Within the function for each different type of event(alarm), I need to send request to different endpoint and I need different API_KEY for each of this endpoints. I am thinking about ways to get the API_KEY into the function. The obvious way is to use env variables but:

  1. There would be a lot of env variables.
  2. Each lambda invocation has access to API_KEYs which are not relevant for that invocation, which I do not like.

The other option I have considered is to use event bus input transformer for injecting API_KEY into invocation. This way I can assure that each invocation only receives the correct API_KEY.

The question is: Is this OK or frowned upon? I do not see much more security risk compared to having the API_KEYs stored within env variables of a function but I might be wrong.

asked a year ago216 views
2 Answers

The recommended way for dealing with secrets like passwords, API Keys etc. is to store them in AWS Secrets Manager and call the secrets manager from your lambda function to get the value of the secret. You can store the ARNs of the different secrets as environment variables and use the ARN to get the actual value of the secret from your code.

Secrets Manager docs -

You can also find code samples in your language of choice here -

profile pictureAWS
answered a year ago
Accepted Answer

You can use the Input Transformer to include the API Key only if it is part of the original event. Otherwise, the transformer has no way of getting it from anywhere.

If there a lot of API Keys and you add new ones from time to time or change the existing ones, I would not recommend using environment variables as each change requires re-deploying the function. Instead store the API keys in SSM, SecretsManager, DynamoDB or S3, and read them at function init time.

I understand your concern bout accessing all the keys when you only need one, but you will need to do that somewhere anyway, unless the API key is sent on the event itself.

profile pictureAWS
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions