Reputation: 193
AWS Lambda: How To Remove Environmental Variables from Configuration
I have a lambda function that used to use encrypted environmental variables set in the lambda configuration but I no longer need them. I tried removing the env variable in the UI and it no longer shows up but still seeing in the logs:
"Found credentials in environment variables."
I also tried using the update-function-code command without passing an env variable which doesn't work.
Any way to remove the encrypted env variables from my lambda function configuration? I want to ensure unused/unneeded things are removed.
Thanks!
Upvotes: 11
Views: 19141
Answers (4)
Reputation: 18953
The question doesn't specify if Python or boto3 is being used but an observation I have is if you are creating a client in your lambda script like this:
client = boto3.client('s3')
I believe this is the moment when the logging happens.
If you were to define actual credentials:
access_key = os.getenv('ACCESS_KEY')
secret_key = os.getenv('SECRET_KEY')
client = boto3.client('s3', aws_access_key_id=access_key, aws_secret_access_key=secret_key)
It doesn't need to "find" them in the environment.
Upvotes: 0
Reputation: 21939
The log message is coming from the "botocore" logger.
This will effectively suppress that message and others from boto3:
logging.getLogger("boto3").setLevel(logging.WARNING)
logging.getLogger("botocore").setLevel(logging.WARNING)
Upvotes: 9
Reputation: 149
I know it's a little late to this, but here is my understanding.
The statement "Found credentials in environment variables." does not have anything to do with the environment variables you configured. Apparently, Lambda has a set of reserved environment variables and when your code tries to connect to other AWS services (like S3, SNS etc), Lambda tries to read the credentials from reserved environment variables to make a connection to the other service and in the process logs the statement about where it found the credentials to "stdout"
According to this article, when you have a logger configured with INFO level, then all the .info() statements by your code and the AWS SDK will be logged to "stdout" and thereby ending up in CloudWatch logs. Try setting the logger level to WARNING and observe the logs.
Upvotes: 6
Reputation: 129
I believe it is a standard output from the inner workings of python lambdas that use boto. None of my python Lambdas have credentials and yet I have the same message in all logs of python lambdas.
Upvotes: 12
Related Questions
- aws cli lambda `update-function-configuration` deletes existing environment variables
- Serverless lambda Global Environmental Variables
- How to add an environment variable to AWS Lambda without removing what's there?
- How can I use environmental variables on AWS Lambda?
- Hide environment variables from AWS Lambda Console
- Remove environment variables configured for lambda via C#
- Is there a way to modify environment variable in AWS Lambda?
- How to set environment variables in AWS lambda using Python
- Blank environment variables in AWS Lambda
- Disable AWS Lambda Environment Variables