After learning AWS and Lambda, in the past few weeks I wrote Secreta, which is a set of three tools to manage configuration secrets in AWS Lambda functions.
secreta-generate-aws is a command line utility that creates a pair of keys for asymmetric key encryption, using RSA. It does so by
- running the forge module directly in an AWS Lambda function
- saving the private key directly in an AWS Parameter, encrypted and protected by an access tag
- saving the public key to a local file
secreta-encrypt is a command line utility that encrypts to a local
.secreta file the secrets referenced in your configuration files (using a public key).
secreta-decrypt-aws is a NodeJS module that you can install into your AWS Lambda function to decrypt
.secreta files in memory (using the corresponding private key, retrieved from the AWS Parameter) and merge them into the rest of the configuration, as if they had never been encrypted.
You can share the public key in your project repository. This will allow any other trusted developer (like yourself) to always have a current public key to keep encrypting configuration secrets. These could be obtained by exchanging GPG email messages, for example.
You can share the
.secreta files in your project repository. This will allow any other developer to always have current configuration secrets to keep deploying your AWS Lambda function.