serverless-crypt
Description
Securing the secrets on Serverless Framework by AWS KMS encryption.
Requirements
- Serverless Framework 1.0 or higher
Installation
npm install serverless-crypt --save
For now (issue to track), you also need to install serverless locally:
npm install serverless --save
Configuration
serverless.yml
provider:
name: aws
runtime: nodejs4.3
# runtime: python2.7
plugins:
- serverless-crypt
custom:
cryptKeyId: ${env:AWS_KMS_KEYID}
Supported runtimes
- python2.7
- nodejs4.3
Commands
Encrypt the secret
serverless encrypt -n $SECRET_NAME -t $PLAINTEXT --save
Decrypt the secret
serverless decrypt -n $SECRET_NAME
Usage
1. Create key on KMS
See: https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html
2. Create and attach IAM policy to your serverless service role
Policy example:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:us-east-1:<your-account-number>:key/<your-key-id>"
]
}
]
}
3. Set the key-id to your configuration file
Configuration example:
- serverless.yml
provider:
name: aws
runtime: nodejs4.3
# runtime: python2.7
functions:
hello:
handler: handler.hello
plugins:
- serverless-crypt
custom:
cryptKeyId: ${env:AWS_KMS_KEYID}
4. Encrypt and save the secret to your secret file
Command example:
serverless encrypt -n secret_name -t "This is a secret" --save
5. Write your function
** slscrypt module is automatically injected into your deployment package. **
Code example:
- Node.js
'use strict';
const slscrypt = require('slscrypt');
module.exports.hello = (event, context, callback) => {
slscrypt.get('secret_name').then((txt) => {
const response = {
statusCode: 200,
body: JSON.stringify({
message: txt,
input: event,
}),
};
callback(null, response);
});
};
- Python
import json
import slscrypt
def hello(event, context):
body = {
"message": slscrypt.get('secret_name'),
"input": event
}
response = {
"statusCode": 200,
"body": json.dumps(body)
};
return response
6. Deploy your function
Command example:
serverless deploy
or
serverless deploy function -f $FUNCTION_NAME
7. Invoke your function
Command example:
serverless invoke -f $FUNCTION_NAME
Result example:
{
"body": "{\"input\": {}, \"message\": \"This is a secret\"}",
"statusCode": 200
}
Development
- Source hosted at GitHub
- Report issues/questions/feature requests on GitHub Issues
Pull requests are very welcome! Make sure your patches are well tested. Ideally create a topic branch for every separate change you make. For example:
- Fork the repo
- Create your feature branch (
git checkout -b my-new-feature) - Commit your changes (
git commit -am 'Added some feature') - Push to the branch (
git push origin my-new-feature) - Create new Pull Request
Authors
Created and maintained by Masashi Terui (marcy9114@gmail.com)
License
MIT License (see LICENSE)
