Use SOPS to inject secrets in Node Lambda
Managing secrets across development, production, and other environments slows down software engineering teams. Historically, onboarding a new engineer into a code base required that engineer to copy a peer's `.env` file and then manually keep that `.env` file in sync with any future changes. This method of managing secrets hampers onboarding and requires additional effort whenever a new required secret is added to the code base, slowing teams down; instead, use SOPS.
SOPS is a tool for managing secrets through encrypted `.sops` files. SOPS files are usually encrypted through a third-party Key Management Service such as AWS KMS or GCP KMS, so decryption is granted through the permissions configured inside those providers. This means you can encrypt your SOPS files and commit them to your version control system, and only permitted team members will be able to decrypt them. So as you rotate API keys, update credentials, remove secrets, and so on, your entire team picks up those changes as ordinary code changes without any additional overhead.
With shared, version-controlled SOPS files managing your secrets, you can set up a production user profile in your KMS to decrypt and inject your secrets at runtime as part of your deployment pipeline, inside the code itself, or, if you choose, to continue generating an untracked `.env` file as part of a local development script.
Below is an example of using the `@1mill/sops@^0.0.4` library in a Node-based AWS Lambda function:
```javascript
// index.js
const { SOPS } = require('@1mill/sops')

// Client that fetches the decryption key from AWS KMS and reads the
// committed SOPS file. The 'xxxxxxxxx' values are placeholders for the
// credentials of a principal allowed to use the KMS key.
const sops = new SOPS({
  accessKeyId: 'xxxxxxxxx',
  file: 'prod.secrets.sops.json',
  region: 'us-east-1',
  secretAccessKey: 'xxxxxxxxx',
})

exports.handler = async () => {
  // Decrypt a single secret from the SOPS file at invocation time
  const myApiKey = await sops.decrypt('MY_API_KEY')
  return myApiKey
}
```