
Add direct support for Amazon secrets manager

Open simsong opened this issue 1 year ago • 5 comments

Feature Request: Add direct support for Amazon secrets manager

Expected Behavior

It would be useful to be able to document the ARN of desired Amazon Secrets that the Lambda function should have access to. Many Lambda functions need secrets, and this should be controlled through the Zappa configuration.

Actual Behavior

Right now we need to add each secret manually.

Possible Fix

  1. Put the secret's ARN in the json file.
  2. Have Zappa automatically update the appropriate policy. There are several ways to do this, it turns out. The easiest I have found is to add it to the role that Zappa creates.

simsong avatar Feb 15 '24 02:02 simsong

Up! I would love to map secrets to env vars instead of exposing them in settings.json

van4oza avatar Mar 05 '24 02:03 van4oza

Something like that would be great

        {{resolve:secretsmanager:${secretName}:SecretString:password}}

https://github.com/awsdocs/aws-lambda-developer-guide/blob/07fa19fba08e75d549fbfa7131bc57e3f41df018/sample-apps/rds-mysql/template.yml#L44

ivan-trustek avatar Mar 05 '24 02:03 ivan-trustek

Right now this is how I'm adding AWS secrets to my zappa_config.json file:

        "environment_variables": {
            "AWS": "YES",
            "DBREADER": "arn:aws:secretsmanager:us-east-1:376778041234:secret:dbreader_prod-734s",
            "DBWRITER": "arn:aws:secretsmanager:us-east-1:376778041234:secret:dbwriter_prod-akana"
        }

I would like to see Zappa do something along these lines:

        "aws_secrets": 
            ["arn:aws:secretsmanager:us-east-1:376778041234:secret:dbreader_prod-734s",
             "arn:aws:secretsmanager:us-east-1:376778041234:secret:dbwriter_prod-akana"],

Zappa would then automatically make sure that the IAM Role that it creates has access to the two ARNs.

simsong avatar Mar 05 '24 13:03 simsong
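One way the proposed `aws_secrets` setting could be turned into the IAM authorization the thread asks for (an added example, not Zappa's own code; the setting name, the regex and the `attach_secrets_policy` helper are assumptions). It builds a least-privilege inline policy scoped to exactly the listed ARNs, rejecting wildcards, and attaches it to the deployment role with boto3's `put_role_policy`:

```python
import json
import re

# Shape of a Secrets Manager ARN (assumed pattern; secret names may contain
# / _ + = . @ - and end with the 6-character suffix AWS appends).
SECRET_ARN_RE = re.compile(
    r"^arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:[A-Za-z0-9/_+=.@-]+$"
)


def build_secrets_policy(aws_secrets, sid="ZappaSecretsManagerRead"):
    """Return an IAM policy document granting GetSecretValue on the listed ARNs only.

    Wildcards ("*") are rejected so the role cannot read every secret in the
    account. Secrets encrypted with a customer-managed KMS key additionally
    need kms:Decrypt on that key, which this helper does not grant.
    """
    if not aws_secrets:
        raise ValueError("aws_secrets must list at least one secret ARN")
    for arn in aws_secrets:
        if not SECRET_ARN_RE.match(arn):
            raise ValueError(f"not a specific Secrets Manager ARN: {arn!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": sid,
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue"],
            "Resource": sorted(set(aws_secrets)),  # de-duplicated, stable order
        }],
    }


def attach_secrets_policy(iam_client, role_name, aws_secrets,
                          policy_name="zappa-secrets"):
    """Attach the policy inline to the Lambda execution role (boto3 IAM client)."""
    doc = build_secrets_policy(aws_secrets)
    iam_client.put_role_policy(RoleName=role_name, PolicyName=policy_name,
                               PolicyDocument=json.dumps(doc))
    return doc


if __name__ == "__main__":
    import boto3
    # Constructed settings fragment mirroring the proposal in the thread.
    settings = {"aws_secrets": [
        "arn:aws:secretsmanager:us-east-1:376778041234:secret:dbreader_prod-734s",
        "arn:aws:secretsmanager:us-east-1:376778041234:secret:dbwriter_prod-akana",
    ]}
    print(json.dumps(build_secrets_policy(settings["aws_secrets"]), indent=2))
    # attach_secrets_policy(boto3.client("iam"), "my-zappa-role", settings["aws_secrets"])
```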

@simsong but this way you are just passing ARN to the env, these secrets aren't resolving to actual values?

I'm looking for the option to pull resolved secrets.

ivan-trustek avatar Mar 07 '24 20:03 ivan-trustek

Once you have the ARN you can pull the secret pretty easily. Here is the code I use:

        import json
        import os

        import boto3
        from botocore.exceptions import ClientError

        class SecretsManagerError(Exception):
            """Raised when the secret cannot be fetched (wraps the boto3 ClientError)."""

        # `section` is a config mapping; AWS_SECRET_NAME and AWS_REGION_NAME are its keys.
        # Values may contain ${VAR} references, hence os.path.expandvars.
        SECRETSMANAGER = 'secretsmanager'
        secret_name = os.path.expandvars(section[AWS_SECRET_NAME])
        region_name = os.path.expandvars(section[AWS_REGION_NAME])
        session = boto3.session.Session()
        client = session.client(service_name=SECRETSMANAGER,
                                region_name=region_name)
        try:
            get_secret_value_response = client.get_secret_value(SecretId=secret_name)
        except ClientError as e:
            raise SecretsManagerError(e)
        # SecretString holds the JSON document stored in the secret; parse it to a dict
        secret = json.loads(get_secret_value_response['SecretString'])

The ARN is your key to unlocking the secrets! But the role under which the Lambda is running needs access to either the specific ARN, or else all ARNs within the Secrets Manager. This is a pain to set up, and it changes frequently, so it would be nice for Zappa to automate the creation of the AWS authorizations. I was not suggesting that Zappa get the secret out of the Secrets Manager and put the secret into the environment.

simsong avatar Mar 07 '24 20:03 simsong

Hi there! Unfortunately, this Issue has not seen any activity for at least 90 days. If the Issue is still relevant to the latest version of Zappa, please comment within the next 10 days if you wish to keep it open. Otherwise, it will be automatically closed.

github-actions[bot] avatar Jun 05 '24 21:06 github-actions[bot]

Hi there! Unfortunately, this Issue was automatically closed as it had not seen any activity in at least 100 days. If the Issue is still relevant to the latest version of Zappa, please open a new Issue.

github-actions[bot] avatar Jun 15 '24 21:06 github-actions[bot]

I'm now maintaining my own copy of Zappa that has my additions in it. This is frustrating, but I don't know what to do. My changes are not significant, but they are useful, and the issues are automatically closed. I would like to contribute to this project, but I'm not sure how to do that.

simsong avatar Jun 23 '24 00:06 simsong

@simsong but this way you are just passing ARN to the env, these secrets aren't resolving to actual values?

I'm looking for the option to pull resolved secrets.

@ivan-trustek — it seems that nobody wanted my patch to add secrets support.

simsong avatar Jun 23 '24 00:06 simsong

@simsong Secrets support sounds great, perhaps with some kind of caching mechanism to reduce calls made to Secrets Manager, i.e. https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_lambda.html

There seems to be a list of layer ARNs here: https://docs.aws.amazon.com/systems-manager/latest/userguide/ps-integration-lambda-extensions.html#ps-integration-lambda-extensions-add

AlexanderCollins avatar Aug 12 '24 12:08 AlexanderCollins
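The caching the comment above asks for, as an added example that is not Zappa's code: a small TTL cache in front of `get_secret_value` so a warm Lambda container reuses resolved secrets instead of calling Secrets Manager on every invocation. The `CachedSecrets` class and the `clock` parameter are assumptions; in a real function the client is `boto3.session.Session().client("secretsmanager")` and the instance lives at module level so it survives across invocations.

```python
import json
import time


class CachedSecrets:
    """Resolve secrets by ARN and keep the parsed value for ttl_seconds.

    Expired entries are refetched on next use, so a rotated secret is picked up
    after at most one TTL. The clock is injectable so the behaviour is testable
    offline (assumed helper, not part of Zappa).
    """

    def __init__(self, client, ttl_seconds=300, clock=time.monotonic):
        self._client = client          # boto3 Secrets Manager client (or a stub)
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache = {}               # arn -> (expires_at, parsed value)
        self.fetches = 0               # how many real API calls were made

    def get(self, arn):
        now = self._clock()
        hit = self._cache.get(arn)
        if hit is not None and hit[0] > now:
            return hit[1]
        resp = self._client.get_secret_value(SecretId=arn)
        self.fetches += 1
        if "SecretString" in resp:
            raw = resp["SecretString"]
            try:
                value = json.loads(raw)    # most secrets are JSON key/value documents
            except ValueError:
                value = raw                # plain-text secrets are returned as-is
        else:
            value = resp["SecretBinary"]   # binary secrets come back as bytes
        self._cache[arn] = (now + self._ttl, value)
        return value

    def invalidate(self, arn=None):
        """Drop one entry (or all) so the next get() refetches, e.g. after rotation."""
        if arn is None:
            self._cache.clear()
        else:
            self._cache.pop(arn, None)
```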

I would also like to request the ability to include the parameter layer. In fact, I'd love to see that part of the default setup, and then you could configure initial, definitely required secrets (like your db password) before you deploy.

sean-abbott avatar Aug 13 '24 17:08 sean-abbott