AWS Lambda: How to store secret to external API?

Question

I'm building a monitoring tool based on AWS Lambda. Given a set of metrics, the Lambdas should be able to send SMS using Twilio API. To be able to use the API, Twilio provide an account SID and an auth token.

How and where should I store these secrets?

I'm currently thinking to use AWS KMS but there might be other better solutions.

Answer 1

You can do it like this using AWS KMS. Follow the steps below:

1. Using this documentation create your KMS key: Create Keys

2. Using AWS CLI, you can encrypt your secret and put it into a file:

aws kms encrypt --key-id some_key_id --plaintext "This is the scret you want to encrypt" --query CiphertextBlob --output text | base64 -D > ./encrypted-secret

3. Then upload this file as a part of your Lambda function. You can decrypt the secret and use it.

var fs = require('fs');

var AWS = require('aws-sdk');

var kms = new AWS.KMS({region:'eu-west-1'});

var secretPath = './encrypted-secret';

var encryptedSecret = fs.readFileSync(secretPath);

var params = {

  CiphertextBlob: encryptedSecret

};

kms.decrypt(params, function(err, data) {

  if (err) console.log(err, err.stack);

  else {

    var decryptedSecret = data['Plaintext'].toString();

    console.log(decryptedSecret);

  }

});