How to add environment variables in template.yaml in a secured way?

Question

When creating Lambda function through the SAM CLI using template.yaml, I have to pass few environment variables, and they shouldn't be exposed on GitHub. Is there any way I can refer the environment variables in template.yaml through the .env file?

I didnt find any sources for the same.

Sample code snippet from template.yaml:

Properties:
  CodeUri: student /
  FunctionName: list
  Handler: index.listHandler
  Runtime: nodejs14.x
  Environment: 
    Variables:
      MONGODB_URI: mongodb://username:pwd

Answer 1

A way to do this without having to use aws secrets manager will be using the "Parameters" section in template.yaml with an env.json file which you can omit from git like you would for a regular .env file

Here's a sample template.yaml

AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: >
sample aws sam application with env variables

Parameters:
  EnvVarOne:
    Type: String
    Description: Sample environment variable
    Default: one
  EnvVarTwo:
    Type: String
    Description: Sample environment variable
    Default: two

Globals:
 Function:
   Timeout: 5
   MemorySize: 128
   Environment:
     Variables:
       EnvVarOne: !Ref EnvVarOne
       EnvVarTwo: !Ref EnvVarTwo

Then your env.json file would look like this

{
  "Parameters": {
    "EnvVarOne": "your-env-var-one",
    "EnvVarTwo": "your-env-var-two"
  }
}

So now when you want to test locally, all you need to do is pass in the --env-vars env.json flag to your commands. Example:

sam local start-api --env-vars env.json

Unfortunately, the --env-vars flag and env.json file doesn't work for production deployment (sam deploy) command. In order to pass in environment variables on deploy, you'll need to use --parameter-overrides with the sam deploy command like this:

sam deploy --parameter-overrides EnvVarOne=your-env-var-one

Answer 2

By extension of @Jason's answer 2. here a full working example:

template.yaml

AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: My test secrets manager dynamic reference SAM template/ Cloudformation stack

Resources:
  # lambdas
  myLambda:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: !Sub ${AWS::StackName}-myLambda
      Runtime: nodejs12.x
      Handler: index.handler
      CodeUri: ./src/handlers/myLambda
      MemorySize: 128
      Timeout: 10
      Environment:
        Variables:
          someSecret: '{{resolve:secretsmanager:somePreviouslyStoredSecret}}'

src/handlers/myLambda/index.js

const { someSecret } = process.env;

exports.handler = (event, context, callback) => {
    if (someSecret) callback(null, `secret: ${someSecret}`);
    callback(`Unexpected error, secret: ${someSecret}`);
};

Answer 3

There are few options here.

1. Add them to the Parameters section of the template (be sure to add the NoEcho option) and pass them in at the time of deploying.
2. A slightly better option is to use Secrets Manager to store the value and then use dynamic references in the template. CloudFormation will retrieve the values from Secrets Manager for you, at the time you deploy.
3. A better option is to not pass them as environment variables at all (since anyone with permissions to view the function will be able to see the value). Instead, use Secrets Manager to store the value and look up the value in the code. If you decide to use this approach be sure to cache the value so that you can at least reuse it between warm starts of the lambda.
4. One more option is to encrypt the value using KMS, and pass in the encrypted (Base64 encoded) value to the function. You'll need to call KMS decrypt to get the decrypted value. This operation is pretty fast, and isn't likely to be throttled. I would still cache the value to help speed things up between warm starts.