
Add direct support for Amazon secrets manager #1305

Open
simsong opened this issue Feb 15, 2024 · 5 comments

Comments

@simsong

simsong commented Feb 15, 2024

Feature Request: Add direct support for Amazon secrets manager

Expected Behavior

It would be useful to be able to document the ARN of desired Amazon Secrets that the Lambda function should have access to. Many lambda functions need secrets, and this should be controlled through the zappa configuration.

Actual Behavior

Right now we need to add each secret manually.

Possible Fix

  1. Put the secret's ARN in the json file.
  2. Have Zappa automatically update the appropriate policy. There are several ways to do this, it turns out. The easiest I have found is to add it to the role that Zappa creates.
@van4oza

van4oza commented Mar 5, 2024

Up! I would love to map secrets to env vars instead of exposing them in settings.json

@ivan-trustek

Something like that would be great

{{resolve:secretsmanager:${secretName}:SecretString:password}}

https://github.com/awsdocs/aws-lambda-developer-guide/blob/07fa19fba08e75d549fbfa7131bc57e3f41df018/sample-apps/rds-mysql/template.yml#L44

@simsong

simsong commented Mar 5, 2024

Right now this is how I'm adding AWS secrets to my zappa_config.json file:

        "environment_variables": {
            "AWS": "YES",
            "DBREADER": "arn:aws:secretsmanager:us-east-1:376778041234:secret:dbreader_prod-734s",
            "DBWRITER": "arn:aws:secretsmanager:us-east-1:376778041234:secret:dbwriter_prod-akana"
        }

I would like to see Zappa do something along these lines:

        "aws_secrets": 
            ["arn:aws:secretsmanager:us-east-1:376778041234:secret:dbreader_prod-734s",
             "arn:aws:secretsmanager:us-east-1:376778041234:secret:dbwriter_prod-akana"],

Zappa would then automatically make sure that the IAM Role that it creates has access to the two ARNs.
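The policy-update step proposed in this comment and in the opening post, as an added example (not Zappa's code and not the commenter's): it takes the proposed `aws_secrets` list, validates that every entry really is a Secrets Manager ARN, builds an inline policy scoped to exactly those ARNs rather than `*`, and attaches it to the execution role with `put_role_policy`. The setting name `aws_secrets`, the policy name `zappa-secrets-access`, the `kms_key_arns` parameter and the regex are assumptions; the ARNs are the ones quoted above.

```python
"""Generate and attach a least-privilege IAM policy for a list of secret ARNs.

Added example, not Zappa code.  Assumes a hypothetical `aws_secrets` setting
holding a list of Secrets Manager ARNs (the shape proposed in the thread).
Policy generation is pure Python and runs offline; only attach_secrets_policy
talks to AWS and needs boto3 plus credentials.
"""
import json
import re

# Secrets Manager ARN shape: arn:<partition>:secretsmanager:<region>:<account>:secret:<name>-<suffix>
SECRET_ARN_RE = re.compile(
    r"^arn:aws(?:-[a-z-]+)?:secretsmanager:[a-z0-9-]+:\d{12}:secret:[A-Za-z0-9/_+=.@-]+$"
)


def validate_secret_arns(arns):
    """Reject anything that is not a Secrets Manager ARN, so a typo in the
    settings file fails at deploy time instead of as AccessDenied at runtime."""
    bad = [a for a in arns if not SECRET_ARN_RE.match(a)]
    if bad:
        raise ValueError(f"not Secrets Manager ARNs: {bad}")
    return list(dict.fromkeys(arns))  # de-duplicate, keep settings-file order


def build_secrets_policy(arns, kms_key_arns=()):
    """Return an IAM policy document granting read access to exactly `arns`.

    Only GetSecretValue / DescribeSecret are granted, and only on the listed
    ARNs.  Secrets encrypted with a customer-managed KMS key also need
    kms:Decrypt on that key (pass its ARN in `kms_key_arns`); secrets under
    the default aws/secretsmanager key need no extra KMS statement.
    """
    arns = validate_secret_arns(arns)
    statements = [{
        "Sid": "ReadConfiguredSecrets",
        "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
        "Resource": arns,
    }]
    if kms_key_arns:
        regions = sorted({a.split(":")[3] for a in arns})  # region is the 4th ARN field
        statements.append({
            "Sid": "DecryptSecretKeys",
            "Effect": "Allow",
            "Action": ["kms:Decrypt"],
            "Resource": list(kms_key_arns),
            # Restrict the key to decrypt calls made through Secrets Manager, not arbitrary use.
            "Condition": {"StringEquals": {
                "kms:ViaService": [f"secretsmanager.{r}.amazonaws.com" for r in regions]}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def attach_secrets_policy(role_name, arns, kms_key_arns=(), policy_name="zappa-secrets-access"):
    """Attach the document to `role_name` as an inline policy (name is an assumption).

    put_role_policy replaces an existing policy of the same name, so re-running
    after editing the settings also revokes access to ARNs that were removed.
    """
    import boto3  # imported here so the offline functions above work without boto3
    doc = build_secrets_policy(arns, kms_key_arns)
    boto3.client("iam").put_role_policy(
        RoleName=role_name, PolicyName=policy_name, PolicyDocument=json.dumps(doc)
    )
    return doc


if __name__ == "__main__":
    # Constructed sample input in the shape of the proposed `aws_secrets` setting.
    settings = {"aws_secrets": [
        "arn:aws:secretsmanager:us-east-1:376778041234:secret:dbreader_prod-734s",
        "arn:aws:secretsmanager:us-east-1:376778041234:secret:dbwriter_prod-akana",
    ]}
    print(json.dumps(build_secrets_policy(settings["aws_secrets"]), indent=2))
```

Scoping `Resource` to the configured ARNs instead of `*` means a compromised function can only read the secrets it was declared to need; the deploy-time ARN check turns a mistyped entry into an error before the policy is written.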

@ivan-trustek

@simsong but this way you are just passing ARN to the env, these secrets aren't resolving to actual values?

I'm looking for the option to pull resolved secrets.

@simsong

simsong commented Mar 7, 2024

Once you have the ARN you can pull the secret pretty easily. Here is the code I use:

        import json
        import os
        import boto3
        from botocore.exceptions import ClientError

        SECRETSMANAGER = 'secretsmanager'

        class SecretsManagerError(Exception):
            """Raised when Secrets Manager refuses or cannot find the secret."""

        # `section` is the caller's config mapping; AWS_SECRET_NAME / AWS_REGION_NAME
        # are its keys for the secret name-or-ARN and the region (defined elsewhere).
        secret_name = os.path.expandvars(section[AWS_SECRET_NAME])
        region_name = os.path.expandvars(section[AWS_REGION_NAME])
        session = boto3.session.Session()
        client = session.client( service_name=SECRETSMANAGER,
                                 region_name=region_name)
        try:
            get_secret_value_response = client.get_secret_value( SecretId=secret_name )
        except ClientError as e:
            raise SecretsManagerError(e)
        secret = json.loads(get_secret_value_response['SecretString'])

The ARN is your key to unlocking the secrets! But the role under which the Lambda is running needs access to either the specific ARN, or else all ARNs within the secrets manager. This is a pain to set up, and it changes frequently, so it would be nice for Zappa to automate the creation of the AWS authorizations. I was not suggesting that Zappa get the secret out of the Secrets Manager and put the secret into the environment.
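The runtime side of the same flow, as an added example (not Zappa's code and not the commenter's): the function reads the ARNs held in environment variables such as `DBREADER` and `DBWRITER` from the settings snippet above, resolves each one once per container, decodes JSON key/value secrets versus plaintext and binary ones, and maps `AccessDeniedException` to a message naming the ARN the execution role is missing permission on. The client is injected so the code can be exercised offline with a constructed stub; in Lambda you pass `boto3.client("secretsmanager")`. The env var names and error-to-hint mapping are assumptions.

```python
"""Resolve Secrets Manager ARNs from environment variables into values.

Added example, not Zappa code.  Assumes the convention from the thread:
environment variables hold secret ARNs and the execution role has
secretsmanager:GetSecretValue on those ARNs.
"""
import json
import os

try:
    from botocore.exceptions import ClientError
except ImportError:  # shim with botocore's constructor shape so the offline stub test runs without it
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            super().__init__(error_response.get("Error", {}).get("Message", operation_name))
            self.response = error_response


class SecretsManagerError(RuntimeError):
    """A secret could not be fetched; the message names the ARN and the cause."""


_CACHE = {}  # module level: reused by warm invocations of the same container

# Hints for the two failures a misconfigured deploy produces (assumed wording).
_HINTS = {
    "AccessDeniedException": "execution role lacks secretsmanager:GetSecretValue on this ARN",
    "ResourceNotFoundException": "ARN does not exist in this account/region",
}


def fetch_secret(client, arn):
    """Return the decoded secret for `arn`: dict for JSON secrets, str for plaintext, bytes for binary."""
    if arn in _CACHE:
        return _CACHE[arn]
    try:
        resp = client.get_secret_value(SecretId=arn)
    except ClientError as e:
        code = e.response.get("Error", {}).get("Code", "Unknown")
        raise SecretsManagerError(f"{arn}: {code} ({_HINTS.get(code, 'unexpected error')})") from e
    if "SecretString" in resp:
        raw = resp["SecretString"]
        try:
            value = json.loads(raw)  # key/value secrets are stored as one JSON string
        except ValueError:
            value = raw              # plaintext secret
    else:
        value = resp["SecretBinary"]  # boto3 hands binary secrets back as bytes
    _CACHE[arn] = value
    return value


def load_secrets(client, env=None, names=("DBREADER", "DBWRITER")):
    """Map each named environment variable holding an ARN to its resolved secret.

    Variables that are not set are skipped; a failure on any ARN raises
    SecretsManagerError so the function fails loudly at cold start rather
    than with a half-populated config.
    """
    env = os.environ if env is None else env
    return {name: fetch_secret(client, env[name]) for name in names if name in env}


# In Lambda, resolve once at import time so warm invocations hit _CACHE:
#     import boto3
#     SECRETS = load_secrets(boto3.client("secretsmanager"))
#     DB_PASSWORD = SECRETS["DBREADER"]["password"]
```

Resolving at import time keeps the values out of the deployment artefact and the Lambda environment configuration; only the ARNs live there, which is the split the thread is arguing for.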
