Reputation: 1733
To connect to a specific API we need to include a certificate, the private key and a CA from a NodeJS function deployed to AWS Lambda.
In test environments we can just use fs.readFileSync on a local path on the test server, but this of course doesn't apply in AWS Lambda.
Our call is as follows:
return request({
    method: args.method,
    uri: this.baseUrl,
    headers: {
        "User-Agent": "XXXX-Wrapper"
    },
    form: this.queryParams,
    json: false,
    // PEM strings: client certificate, its private key, and the CA bundle
    cert: this.cert,
    key: this.key,
    ca: this.ca
}, callback);
Is there a way to read the certificate information from AWS KMS, or is the only way to upload these certificates to a private S3 bucket and read them from there?
We've also tried to store the raw certificates in the Parameter Store as encrypted values and read them from there as NodeJS process variables, but this didn't seem to work.
Upvotes: 2
Views: 2636
There are probably better ways but we've decided to place the certificates in a secure bucket with strict access and object locking controls.
Within the TypeScript / NodeJS lambda we can now just instantiate the S3 client and perform a request like this:
// Fetch the three PEM files from the locked-down bucket
const cert = await S3.getFile(Config.get('...'), 'certificate.crt')
const key = await S3.getFile(Config.get('...'), 'private.key')
const ca = await S3.getFile(Config.get('...'), Config.get('ca_path'))

return request({
    method: args.method,
    uri: this.baseUrl,
    headers: {
        ....
    },
    form: formData,
    json: false,
    cert: cert,
    key: key,
    ca: ca
}, callback);
The S3 service is just a wrapper around the aws-node library.
Upvotes: 1