Reputation: 574
I want to use the aws lambda update-function-code command to deploy the code of my function. The problem here is that the AWS CLI always prints out some information after deployment. That information contains sensitive data, such as environment variables and their values. That is not acceptable, as I'm going to use public CI services and I don't want that info to become available to anyone. At the same time, I don't want to solve this by redirecting everything from the AWS command to /dev/null, for example, because in that case I will lose information about errors and exceptions, which will make it harder to debug if something went wrong. What can I do here?
p.s. SAM is not an option, as it will force me to switch to another framework and completely change the workflow I'm using.
Upvotes: 15
Views: 5391
Reputation: 4518
Here is a solution that doesn't require installing any tools, works on macOS and Linux, and only prints output if there was an error:
Create a file named update_lambda_function.sh:
#!/bin/bash
# Run the command and capture stdout and stderr together, so nothing reaches the CI log yet
output=$(aws lambda update-function-code --function-name=YOUR_FUNCTION --zip-file=fileb://function.zip 2>&1)
status=$?
# Check if the command was successful
if [ "$status" -ne 0 ]; then
    # The command failed: print the captured output and fail the step with the same exit code
    echo "Error: $output" >&2
    exit "$status"
fi
Before you can run the script, you'll need to make it executable. You can do this with the chmod command in your terminal:
chmod +x update_lambda_function.sh
After that, you can run your script like this:
./update_lambda_function.sh
Upvotes: 0
Reputation: 4070
Lambda environment variables show themselves everywhere and cannot be considered private. If your environment variables are sensitive, you could consider using AWS Secrets Manager.
Upvotes: 1
Reputation: 5065
You could target the output you'd like to suppress by replacing those values with jq. For example, if you had output from the CLI command like below:
{
"FunctionName": "my-function",
"LastModified": "2019-09-26T20:28:40.438+0000",
"RevisionId": "e52502d4-9320-4688-9cd6-152a6ab7490d",
"MemorySize": 256,
"Version": "$LATEST",
"Role": "arn:aws:iam::123456789012:role/service-role/my-function-role-uy3l9qyq",
"Timeout": 3,
"Runtime": "nodejs10.x",
"TracingConfig": {
"Mode": "PassThrough"
},
"CodeSha256": "5tT2qgzYUHaqwR716pZ2dpkn/0J1FrzJmlKidWoaCgk=",
"Description": "",
"VpcConfig": {
"SubnetIds": [],
"VpcId": "",
"SecurityGroupIds": []
},
"CodeSize": 304,
"FunctionArn": "arn:aws:lambda:us-west-2:123456789012:function:my-function",
"Handler": "index.handler",
"Environment": {
"Variables": {
"SomeSensitiveVar": "value",
"SomeOtherSensitiveVar": "password"
}
}
}
You might pipe that to jq and replace values only if the keys exist:
aws lambda update-function-code <args> | jq '
if .Environment.Variables.SomeSensitiveVar? then .Environment.Variables.SomeSensitiveVar = "REDACTED" else . end |
if .Environment.Variables.SomeOtherSensitiveVar? then .Environment.Variables.SomeOtherSensitiveVar = "REDACTED" else . end'
You know which data is sensitive and will need to set this up appropriately. You can see the example of what data is returned in the cli docs and the API docs are also helpful for understanding what the structure can look like.
Upvotes: 2
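The jq answer above only redacts the variable names you list, so a secret added to the function later would reach the CI log untouched. The following script is an added example (not code from the answers above) that takes the same idea further: it reads the CLI's JSON from stdin and blanks every value under Environment.Variables, whatever the keys are, while leaving the rest of the response (function name, CodeSha256, version) visible for debugging. Because only stdout passes through the filter, the CLI's error messages on stderr still appear when the update fails. The function, the script name and the trimmed sample response are my own assumptions for the example.

```python
"""Redact Lambda environment variables from `aws lambda update-function-code` output.

Added example, not from the original answers. Instead of naming each secret key
in a jq filter, it blanks every value under Environment.Variables so a variable
added later cannot leak into CI logs. Only stdout is filtered; the CLI's error
output on stderr is untouched, so failures remain visible.
"""
import json
import sys

REDACTED = "REDACTED"

# Constructed sample, trimmed from the JSON shown in the jq answer above.
SAMPLE_OUTPUT = """{
  "FunctionName": "my-function",
  "CodeSha256": "5tT2qgzYUHaqwR716pZ2dpkn/0J1FrzJmlKidWoaCgk=",
  "Version": "$LATEST",
  "Environment": {
    "Variables": {
      "SomeSensitiveVar": "value",
      "SomeOtherSensitiveVar": "password"
    }
  }
}"""


def redact_lambda_output(raw: str) -> dict:
    """Parse CLI JSON and replace every environment variable value.

    Keys are kept so the log still shows *which* variables are set; only the
    values are replaced. A response without an Environment block (a function
    with no variables configured) passes through unchanged.
    """
    data = json.loads(raw)
    env = data.get("Environment") or {}
    variables = env.get("Variables") if isinstance(env, dict) else None
    if isinstance(variables, dict):
        for key in variables:
            variables[key] = REDACTED
    return data


def redacted_json(raw: str) -> str:
    """Redact and serialise for printing; sorted keys make CI logs diff cleanly."""
    if not raw.strip():
        # Empty stdout (e.g. the CLI failed before producing JSON): print nothing
        return ""
    return json.dumps(redact_lambda_output(raw), indent=2, sort_keys=True)


if __name__ == "__main__":
    # Usage: aws lambda update-function-code <args> | python3 redact_lambda_output.py
    # Run without piped input to see the filter applied to the constructed sample.
    raw_input = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    print(redacted_json(raw_input))
```

When used in a pipeline in bash, add `set -o pipefail` to the CI step so a non-zero exit from the AWS CLI still fails the job even though the last command in the pipe is the redaction script.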