How do I provide configuration parameters like database credentials in Amazon Lambda?

Question

How do I provide configuration parameters like database credentials to my Java AWS Lambda functions?

Should I simply store them in a properties file and load them from the jar? If so, how can I distinguish between development and runtime configurations?

Answer 1

There are several options available depending on what system you are trying to access and how secure you need to keep your credentials.

The most important thing to do, is if you need AWS credentials in your Lambda function you should be using an AWS Role. That means you do not need to hard code credentials, just make calls using the AWS client library and it will work.

If you need to pull in other secrets or configuration you can store them in DynamoDB or in S3. You would use an AWS Role to grant access to read this information. If security is really important you could encrypt this information using KMS for an added layer of security. If you are reading data from S3 or DynamoDB I would recommend you cache this for an appropriate amount of time (the lifetime of the Lambda function is a good choice since instances tend to not live more than 15 minutes in my experience) to avoid unnecessary requests to DynamoDB or S3.

When it comes to the code distinguishing what environment it is in, I assume you are talking about separate Lambda functions. For this you could bake the environment assignment into the artifact that you build or you could have the code look at the Lambda function's name to determine what environment it is in.