This is a hello world sample Python application created with the AWS SAM CLI to demonstrate the Lambda secret injector.
- Install the AWS CLI, the SAM CLI and Docker.
- Create a secret in AWS Secrets Manager. Add two key/value pairs, e.g.

  ```json
  {"username":"admin","password":"1qaz2wsx#EDC"}
  ```
- Take note of the secret ARN.
- Add two environment variables for these two secrets. See the SAM template file for an example.

  ```yaml
  DB_USERNAME: !Sub "{{inject:secretsmanager:${SecretArn}:SecretString:username}}"
  DB_PASSWORD: !Sub "{{inject:secretsmanager:${SecretArn}:SecretString:password}}"
  ```
- Add a layer with the secrets injector and a wrapper script. See the SAM template file for an example.
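- In the Lambda handler, these environment variables are updated with the secret values, so you can use them directly in your code.

  ```python
  import json
  import os


  def lambda_handler(event, context):
      # Echo the injected values so the injection can be verified with curl.
      return {
          "statusCode": 200,
          "body": json.dumps({
              "DB_USERNAME": os.getenv("DB_USERNAME"),
              "DB_PASSWORD": os.getenv("DB_PASSWORD"),
          }),
      }
  ```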
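A startup check for the step above, as an added example that is not part of this sample or of the injector project. It assumes the placeholder grammar is exactly what the two template lines show, and it fails closed if a required variable is missing or still holds an `{{inject:...}}` placeholder, for instance when the layer or wrapper script is not attached. The ARN, the sample values and the function names are constructed for illustration.

```python
import re

# Placeholder syntax as shown in the template lines above:
#   {{inject:secretsmanager:<secret ARN>:SecretString:<JSON key>}}
# The ARN itself contains colons, so the pattern anchors on the fixed
# "inject:secretsmanager:" prefix and the ":SecretString:<key>" suffix.
PLACEHOLDER = re.compile(
    r"\{\{inject:secretsmanager:(?P<arn>arn:[^{}]+?)"
    r":SecretString:(?P<key>[^:{}]+)\}\}"
)


def parse_placeholder(value):
    """Return (secret_arn, json_key) if value is exactly one placeholder, else None."""
    m = PLACEHOLDER.fullmatch(value)
    return (m.group("arn"), m.group("key")) if m else None


def unresolved_variables(env):
    """Sorted names of variables whose value still contains a placeholder."""
    return sorted(n for n, v in env.items() if PLACEHOLDER.search(v))


def require_injected(env, names):
    """Fail closed: raise if a required variable is missing or unresolved."""
    missing = [n for n in names if not env.get(n)]
    leftover = [n for n in unresolved_variables(env) if n in names]
    if missing or leftover:
        # Report variable names only, never their values.
        raise RuntimeError(
            f"secrets not injected: missing={missing} unresolved={leftover}"
        )


# Constructed sample environments; the ARN is a made-up value.
ARN = "arn:aws:secretsmanager:ap-northeast-1:123456789012:secret:demo-AbCdEf"
BEFORE = {
    "DB_USERNAME": "{{inject:secretsmanager:%s:SecretString:username}}" % ARN,
    "DB_PASSWORD": "{{inject:secretsmanager:%s:SecretString:password}}" % ARN,
}
AFTER = {"DB_USERNAME": "admin", "DB_PASSWORD": "example-value"}

if __name__ == "__main__":
    print(parse_placeholder(BEFORE["DB_USERNAME"]))
    print(unresolved_variables(BEFORE))
    require_injected(AFTER, ["DB_USERNAME", "DB_PASSWORD"])
```

Calling `require_injected(os.environ, ["DB_USERNAME", "DB_PASSWORD"])` at module import time makes a misconfigured deployment fail at cold start instead of using the literal placeholder string as a credential.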
```sh
sam build --use-container
sam deploy --guided
```
Provide the secret ARN when SAM CLI asks for Parameter SecretArn.
When the deployment completes, curl the HelloWorldApi URL shown in the output. You should see the secrets' values.

```
% curl https://xxxxxxxx.execute-api.ap-northeast-1.amazonaws.com/Prod/
{"DB_USERNAME": "admin", "DB_PASSWORD": "1qaz2wsx#EDC"}
```
On the Lambda environment variables page, the secrets' values are not exposed.
Add a new Lambda environment variable: RUST_LOG=debug. This will enable debug logging for the tool.
Check out the wrapper script to see how things are wired together. For more details about wrapper scripts, please read the Lambda documentation here.