serverless-secrets-plugin
Consider using KMS
https://aws.amazon.com/kms/
With this plugin, secrets are actually exposed during the deployment, so I would not recommend that as a secure solution. I think that the better solution would be storing secrets in KMS and decrypting them inside Lambda during cold start. We could do that with our handler function from stdlib.
https://github.com/serverless/serverless/issues/472
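The cold-start approach suggested above, as an added example (not code from the plugin or from anyone in this thread): only KMS ciphertext sits in the environment variables, and it is decrypted once per container and cached. The function names, the `DB_PASSWORD_ENC` variable and the choice of AWS SDK v3 are assumptions.

```javascript
// Added example. Names (getSecrets, DB_PASSWORD_ENC) are hypothetical.
// Module scope survives warm invocations, so decryption runs once per cold start.
let cached = null;

// Default decryptor built on AWS SDK v3 (@aws-sdk/client-kms). It is loaded
// lazily so a stub can be injected in tests and the file runs offline.
function defaultDecrypt() {
  const { KMSClient, DecryptCommand } = require('@aws-sdk/client-kms');
  const kms = new KMSClient({});
  return async (ciphertextBlob) => {
    const out = await kms.send(new DecryptCommand({ CiphertextBlob: ciphertextBlob }));
    return Buffer.from(out.Plaintext).toString('utf8');
  };
}

// names: environment variables holding base64-encoded KMS ciphertext.
// Returns a promise for a frozen { name: plaintext } map.
function getSecrets(names, env = process.env, decrypt) {
  if (!cached) {
    const dec = decrypt || defaultDecrypt();
    cached = (async () => {
      const entries = await Promise.all(names.map(async (name) => {
        const b64 = env[name];
        if (!b64) throw new Error(`missing encrypted variable ${name}`);
        return [name, await dec(Buffer.from(b64, 'base64'))];
      }));
      return Object.freeze(Object.fromEntries(entries));
    })().catch((err) => {
      cached = null; // do not cache a failure; the next invocation retries
      throw err;
    });
  }
  return cached;
}

// Lambda handler: the plaintext exists only in memory and is never logged.
async function handler(event) {
  const secrets = await getSecrets(['DB_PASSWORD_ENC']);
  const havePassword = typeof secrets.DB_PASSWORD_ENC === 'string';
  return { statusCode: havePassword ? 200 : 500 };
}
```

The function's execution role needs `kms:Decrypt` on the key that produced the ciphertext; the deployment pipeline only ever handles the encrypted values.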
Awesome, will rewrite the plugin and the example to work with KMS
Awesome
Hey guys, I have just spent a good amount of time researching "best practice" handling of secret (i.e. database passwords, etc.) values in the serverless.yml file. After a lot of reading old tickets, (old) plugins, etc., I think that this plugin combined with the now built-in KMS at-rest encryption of Lambda Environment values is the way to go.
Is there any plan to get this plugin updated to use KMS instead of a password?
As an aside, I think that the general serverless documentation could stand to be updated to better reference Lambda environment variables and the meaning of "at-rest" encryption vs. encrypted values in code (i.e. double encryption that will be happening). I would be willing to help update the docs in this regard.
Hello, just wanted to know if this feature was being actively developed. Thanks!
Hey @mikelax @ashimaathri, I just merged a couple PRs and I'm about to make a release pretty soon. Unfortunately I don't have the bandwidth to integrate KMS into this plugin. You might have a closer look at this plugin if you are interested in KMS support https://github.com/SC5/serverless-kms-secrets