In my last post, I wrote about the key management system I'd worked out for one of my Twitterbots. Today I'm releasing the evolution of that project as Vinz, a credential management system for AWS Lambda applications.
Because conventional credential management best practices aren't a good match for Lambda's "serverless" programming model*, Vinz presents an alternate way of storing secrets: encrypted and secure, right alongside your application's code on disk. With Vinz, you can deploy secrets in the same bundle you upload to S3 for Lambda, and even commit encrypted secrets to your git repository and upload them to GitHub.
Vinz has two components. First, a command line interface allows you to encrypt secrets locally. Here's an example:
$> vinz --encrypt TwitterConsumerKey
vinz: Enter the secret to encrypt as 'TwitterSecretKey'. (typing hidden):
secrets/TwitterConsumerKey encrypted and saved.
Behind the scenes, Vinz uses AWS KMS and a master key you've created in your AWS account to encrypt the secret and save it to a secrets folder in your application. Then, when you want to retrieve the secret in your application:
import Vinz from 'vinz';
vinz = new Vinz('us-east-1');
vinz.get('TwitterSecretKey').then((TwitterSecretKey) => {
console.log(TwitterSecretKey);
});
Because Lambda environments are preconfigured with AWS credentials, your function code is already aware of all the auth info it needs to access your AWS account, so all you need to do is call vinz.get with the name of the secret that's in the folder.
Vinz is available on NPM and I plan to use it in a couple of my projects soon, so I'll be adding features and adjusting to feedback. If you have some, submit a pull request or get in touch.
* Conventional best practices would say to either place a configuration file alongside your application when it's deployed, place your secrets in a purpose-built container like Vault or Confidant, or use environment variables. The first is impossible as Lambda doesn't grant you access to either a permanent filesystem or to any customization of deploy/bootstrapping steps, and the second somewhat takes away from the idea of using serverless architecture. I've heard a rumor that Lambda may be adding support for setting custom environment variables soon, but until then, give Vinz a shot and let me know how you like it!