Added lambda secrets example (#1290)

pierskarsenbarg · web-flow · commit 7b4d05d4b10d · 2025-03-21T10:25:51.000Z
This pull request includes several important changes to the
`aws-ts-lambda-secrets` project, aimed at adding functionality for
securely managing secrets in AWS Lambda functions. The most significant
changes include updates to configuration files, the addition of a README
with detailed instructions, and the implementation of the Lambda
function itself.

### Configuration and Setup:

*
[`aws-ts-lambda-secrets/.gitignore`](diffhunk://#diff-ff0c423a810cb3967f98f8292eae57875a153f3fe43dc8a1f7d873b44b4c4f22R1-R2):
Added `/bin/` and `/node_modules/` to ignore list to prevent tracking
build and dependency files.
*
[`aws-ts-lambda-secrets/Pulumi.yaml`](diffhunk://#diff-dfedf6b88d86811458ea6e89da6e96e36fd6f3e98acc2f182305510969617dcbR1-R3):
Added project metadata including name, description, and runtime.
*
[`aws-ts-lambda-secrets/package.json`](diffhunk://#diff-714d06d25653a83a5b0550f348966f9e7d21dcd261f289c264a6a70097e5b374R1-R11):
Defined project dependencies and development dependencies for Pulumi and
AWS SDKs.
*
[`aws-ts-lambda-secrets/tsconfig.json`](diffhunk://#diff-3147e9ffca0ab0d3c507a40f39e4730fd0dcf028eef9dcee591880742102237eR1-R19):
Configured TypeScript compiler options for the project.

### Documentation:

*
[`aws-ts-lambda-secrets/README.md`](diffhunk://#diff-3b4654cf63bd221fa0aa3a4a7e0bb5755c1424840f65d257bfed5f35cc49ac71R1-R102):
Added comprehensive instructions for setting up, configuring, deploying,
and cleaning up the AWS Lambda function with secrets management.

### Lambda Function Implementation:

*
[`aws-ts-lambda-secrets/app/index.js`](diffhunk://#diff-32a85a3f75357c8a8ffb8dd2c4315c864724440e2e4c40631dee1d0974a23f27R1-R20):
Implemented the Lambda function to retrieve and use secrets from AWS
Secrets Manager.
*
[`aws-ts-lambda-secrets/app/package.json`](diffhunk://#diff-261b8e969067ee707cd31b30a140cdde8b7d6d711627df3110aa34236bfb25efR1-R16):
Added dependencies for the AWS SDK to interact with Secrets Manager.
*
[`aws-ts-lambda-secrets/index.ts`](diffhunk://#diff-d415fe4b5b0f46270f2119f6225cf6bb8f0bf38af9a1421e7638f29654d829a9R1-R89):
Defined the Pulumi infrastructure code to create and manage AWS
resources, including secrets, IAM roles, and the Lambda function.
diff --git a/aws-ts-lambda-secrets/.gitignore b/aws-ts-lambda-secrets/.gitignore
@@ -0,0 +1,2 @@
+/bin/
+/node_modules/
diff --git a/aws-ts-lambda-secrets/Pulumi.yaml b/aws-ts-lambda-secrets/Pulumi.yaml
@@ -0,0 +1,3 @@
+name: aws-ts-lambda-secrets
+description: A minimal AWS TypeScript Pulumi program
+runtime: nodejs
diff --git a/aws-ts-lambda-secrets/README.md b/aws-ts-lambda-secrets/README.md
@@ -0,0 +1,102 @@
+[![Deploy](https://get.pulumi.com/new/button.svg)](https://app.pulumi.com/new)
+
+# Lambd secrets
+
+Storing stack secrets securely and accessing them in a Lambda Function
+
+You can find a post describing the code on the [Pulumi blog](https://pulumi.com/blog/safe-lambda-secrets/).
+
+## Running the App
+
+1.  Create a new stack:
+
+    ```
+    pulumi stack init dev
+    ```
+
+1.  Configure Pulumi to use an AWS region of your choice, for example:
+
+    ```
+    pulumi config set aws:region us-west-2
+    ```
+
+1.  Restore NPM modules via `npm install` or `yarn install`.
+
+1. Add values to your stack config, both secret and plaintext:
+
+```bash
+pulumi config set --path 'lambdawithsecrets.envvars["envvar1"]' envvar1value
+pulumi config set --path 'lambdawithsecrets.envvars["envvar2"]' envvar2value
+pulumi config set --path 'lambdawithsecrets.secrets["secret1"]' secretvalue1 --secret
+pulumi config set --path 'lambdawithsecrets.secrets["secret2"]' secretvalue2 --secret
+```
+
+1.  Preview and deploy the app via `pulumi up`. 
+
+    ```
+    $ pulumi up
+    Previewing update (dev)
+
+    View Live: https://app.pulumi.com/acmecorp/lambda-secrets/dev/previews/209f07fb-190d-4596-af9f-d2d72e9c5cc9
+
+        Type                                 Name                   Plan
+    +   pulumi:pulumi:Stack                  lambda-secrets-dev     create
+    +   ├─ aws:secretsmanager:Secret         secret1                create
+    +   ├─ aws:secretsmanager:Secret         secret2                create
+    +   ├─ aws:iam:Role                      roleLambdaWithSecrets  create
+    +   ├─ aws:secretsmanager:SecretVersion  secretversion-secret2  create
+    +   ├─ aws:secretsmanager:SecretVersion  secretversion-secret1  create
+    +   ├─ aws:iam:Policy                    secretsPolicy          create
+    +   ├─ aws:iam:RolePolicyAttachment      rpa-basic              create
+    +   ├─ aws:iam:RolePolicyAttachment      rpa-secrets            create
+    +   └─ aws:lambda:Function               lambdaWithSecrets      create
+
+    Outputs:
+        lambdaName: "lambdaWithSecrets-b8ac5e9"
+
+    Resources:
+        + 10 to create
+
+    Do you want to perform this update? yes
+    Updating (dev)
+
+    View Live: https://app.pulumi.com/acmecorp/lambda-secrets/dev/updates/1
+
+        Type                                 Name                   Status
+    +   pulumi:pulumi:Stack                  lambda-secrets-dev     created
+    +   ├─ aws:secretsmanager:Secret         secret1                created
+    +   ├─ aws:secretsmanager:Secret         secret2                created
+    +   ├─ aws:iam:Role                      roleLambdaWithSecrets  created
+    +   ├─ aws:secretsmanager:SecretVersion  secretversion-secret2  created
+    +   ├─ aws:secretsmanager:SecretVersion  secretversion-secret1  created
+    +   ├─ aws:iam:Policy                    secretsPolicy          created
+    +   ├─ aws:iam:RolePolicyAttachment      rpa-basic              created
+    +   ├─ aws:lambda:Function               lambdaWithSecrets      created
+    +   └─ aws:iam:RolePolicyAttachment      rpa-secrets            created
+
+    Outputs:
+        lambdaName: "lambdaWithSecrets-ca62cf8"
+
+    Resources:
+        + 10 created
+
+    Duration: 24s
+    ```
+
+1.  Invoke the Lambda Function:
+
+    ```
+    aws lambda invoke --function-name $(pulumi stack output lambdaName) /dev/stdout
+    ```
+
+    You should see the output as the secret values you added:
+
+    ```
+    {"secret1":"secret1value","secret2":"secret2value"}
+    ```
+
+1. You can view the environment variables containing the plaintext values and the secret ARNs in the details of the Lambda Function in the AWS Console.
+
+## Clean up
+
+To clean up the resources, you will need to run `pulumi destroy` and answer the confirmation question at the prompt.
diff --git a/aws-ts-lambda-secrets/app/index.js b/aws-ts-lambda-secrets/app/index.js
@@ -0,0 +1,20 @@
+import { SecretsManagerClient, GetSecretValueCommand } from "@aws-sdk/client-secrets-manager"; // ES Modules import
+const client = new SecretsManagerClient();
+
+const getSecretForLambda = async (secretId) => {
+    const input = { "SecretId": secretId };
+    const command = new GetSecretValueCommand(input);
+    console.log('Retrieving secret during top-level await');
+    return await client.send(command);
+}
+
+const secret1 = getSecretForLambda(process.env.SECRET1);
+const secret2 = getSecretForLambda(process.env.SECRET2)
+
+export async function handler() {
+    console.log('Using secret in handler')
+    return {
+        secret1: (await secret1).SecretString,
+        secret2: (await secret2).SecretString,
+    };
+};
diff --git a/aws-ts-lambda-secrets/app/package.json b/aws-ts-lambda-secrets/app/package.json
@@ -0,0 +1,16 @@
+{
+  "name": "app",
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "keywords": [],
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "@aws-sdk/client-secrets-manager": "^3.183.0"
+  },
+  "type": "module"
+}
diff --git a/aws-ts-lambda-secrets/index.ts b/aws-ts-lambda-secrets/index.ts
@@ -0,0 +1,89 @@
+// Copyright 2016-2022, Pulumi Corporation.  All rights reserved.
+
+import * as aws from "@pulumi/aws";
+import * as pulumi from "@pulumi/pulumi";
+
+interface LambdaConfig {
+    envvars: string[];
+    secrets: pulumi.Output<string>[];
+}
+
+const config = new pulumi.Config();
+const lambdaconfig = config.requireObject<LambdaConfig>("lambdawithsecrets");
+
+const secretsArnArray: pulumi.Output<string>[] = new Array();
+const secretArray: aws.secretsmanager.Secret[] = new Array();
+for (const key in lambdaconfig.secrets) {
+    if (lambdaconfig.secrets.hasOwnProperty(key)) {
+        const secret = new aws.secretsmanager.Secret(`${key}`);
+        const secretVersion = new aws.secretsmanager.SecretVersion(`secretversion-${key}`, {
+            secretId: secret.id,
+            secretString: lambdaconfig.secrets[key],
+        });
+        secretArray.push(secret);
+        secretsArnArray[key.toLocaleUpperCase()] = secret.id;
+    }
+}
+
+const role = new aws.iam.Role("roleLambdaWithSecrets", {
+    assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal(aws.iam.Principals.LambdaPrincipal),
+});
+
+const rpaBasic = new aws.iam.RolePolicyAttachment("rpa-basic", {
+    role: role,
+    policyArn: aws.iam.ManagedPolicy.AWSLambdaBasicExecutionRole,
+});
+
+
+
+const secretManagerPolicyDoc = aws.iam.getPolicyDocumentOutput({
+    statements: [
+        {
+            effect: "Allow",
+            actions: [
+                "secretsmanager:GetSecretValue",
+            ],
+            resources: secretArray.map(x => pulumi.interpolate`${x.arn}`),
+        },
+    ],
+});
+
+const secretManagerPolicy = new aws.iam.Policy("secretsPolicy", {
+    policy: secretManagerPolicyDoc.apply(doc => doc.json),
+});
+
+const rpaSecrets = new aws.iam.RolePolicyAttachment("rpa-secrets", {
+    role: role,
+    policyArn: secretManagerPolicy.arn,
+});
+
+const lambdaEnvVars: pulumi.Input<{
+    [key: string]: pulumi.Input<string>;
+}> = {};
+
+for (const key in secretsArnArray) {
+    if (secretsArnArray.hasOwnProperty(key)) {
+        lambdaEnvVars[key] = secretsArnArray[key];
+    }
+}
+
+for (const key in lambdaconfig.envvars) {
+    if (lambdaconfig.envvars.hasOwnProperty(key)) {
+        lambdaEnvVars[key.toLocaleUpperCase()] = lambdaconfig.envvars[key];
+    }
+}
+
+const lambda = new aws.lambda.Function("lambdaWithSecrets", {
+    code: new pulumi.asset.AssetArchive({
+        ".": new pulumi.asset.FileArchive("./app"),
+    }),
+    role: role.arn,
+    handler: "index.handler",
+    runtime: aws.lambda.Runtime.NodeJS16dX,
+    environment: {
+        variables: lambdaEnvVars,
+    },
+    timeout: 15,
+});
+
+export const lambdaName = lambda.name;
diff --git a/aws-ts-lambda-secrets/package.json b/aws-ts-lambda-secrets/package.json
@@ -0,0 +1,11 @@
+{
+    "name": "aws-ts-lambda-secrets",
+    "main": "index.ts",
+    "devDependencies": {
+        "@types/node": "^14"
+    },
+    "dependencies": {
+        "@pulumi/pulumi": "^3.0.0",
+        "@pulumi/aws": "^5.0.0"
+    }
+}
diff --git a/aws-ts-lambda-secrets/tsconfig.json b/aws-ts-lambda-secrets/tsconfig.json
@@ -0,0 +1,19 @@
+{
+    "compilerOptions": {
+        "strict": true,
+        "outDir": "bin",
+        "target": "es2016",
+        "module": "commonjs",
+        "moduleResolution": "node",
+        "sourceMap": true,
+        "experimentalDecorators": true,
+        "pretty": true,
+        "noFallthroughCasesInSwitch": true,
+        "noImplicitReturns": true,
+        "forceConsistentCasingInFileNames": true,
+        "suppressImplicitAnyIndexErrors": true
+    },
+    "files": [
+        "index.ts"
+    ]
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+name: aws-ts-lambda-secrets`
	`2`	`+description: A minimal AWS TypeScript Pulumi program`
	`3`	`+runtime: nodejs`