Managing secrets in Serverless beta

I’m using the 1.0.0-beta.2 version of Serverless to write a single Lambda function that uses the Twitter API. To use Twitter’s API, I need to give my Lambda function some sensitive secrets. I’m wondering what the best way to give these secrets to my function is at the moment, since the beta doesn’t seem to support this out of the box.

At the moment, I’m simply using a Gulp task to run the deploy function, which compiles my JavaScript and creates a secrets.json file which is require()d into my function. But this still leads to my secrets being part of the source code.

Any better way?

I’m using https://github.com/silvermine/serverless-plugin-write-env-vars to shim environment variables into my functions, and it’s working well. I’m hoping that Serverless will have support for environment variables natively in the future, and make this unnecessary.

If your secrets really need to be secure (i.e. not on disk anywhere) then you’ll have to roll AWS KMS into your application.

I am looking to do the same and I am looking to use serverless-crypt to encrypt my variables and then add them as environment variables to the function.

Also check out https://serverless.com/blog/serverless-v1.13.0/. We just added async variable support for easier secret management.
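
The KMS approach mentioned in the replies above, as an added example that is not code from any poster or from the Serverless project: a Lambda function receives KMS ciphertext in environment variables, decrypts it once per container, and keeps the plaintext only in memory. The variable names, helper names and the use of the AWS SDK for JavaScript v2 are assumptions, as is an execution role that is allowed `kms:Decrypt` on the key.

```javascript
// Added example. Assumptions: the variable names below, the helper names, and that each
// variable holds base64 KMS ciphertext the function's role is allowed to decrypt.
const SECRET_VARS = ['TWITTER_CONSUMER_SECRET_ENC', 'TWITTER_ACCESS_TOKEN_SECRET_ENC'];

// Names of expected variables that are absent or empty in the given environment.
function missingVars(env) {
  return SECRET_VARS.filter((name) => !env[name]);
}

// Default decryptor: AWS SDK for JavaScript v2, required lazily so this file loads without it.
function kmsDecrypt(ciphertextB64) {
  const AWS = require('aws-sdk');
  return new AWS.KMS()
    .decrypt({ CiphertextBlob: Buffer.from(ciphertextB64, 'base64') })
    .promise()
    .then((res) => res.Plaintext.toString('utf8'));
}

let cached = null; // kept for the life of the container, so warm invocations skip KMS

// Resolves to { TWITTER_CONSUMER_SECRET: '...', ... }; plaintext exists only in memory.
function loadSecrets(env, decrypt) {
  if (cached) return cached;
  const missing = missingVars(env);
  if (missing.length > 0) {
    return Promise.reject(new Error('missing encrypted variables: ' + missing.join(', ')));
  }
  cached = Promise.all(SECRET_VARS.map((name) => decrypt(env[name])))
    .then((values) => {
      const secrets = {};
      SECRET_VARS.forEach((name, i) => { secrets[name.replace(/_ENC$/, '')] = values[i]; });
      return secrets;
    })
    .catch((err) => {
      cached = null; // do not cache a failure; the next invocation retries
      throw err;
    });
  return cached;
}

// Lambda entry point: fail closed and keep secret values out of logs and error messages.
function handler(event, context, callback) {
  loadSecrets(process.env, kmsDecrypt)
    .then((secrets) => callback(null, { ready: Object.keys(secrets).length }))
    .catch(() => callback(new Error('could not load secrets')));
}

if (typeof module !== 'undefined') module.exports = { handler, loadSecrets, missingVars };
```

With this layout the repository and the deployment package contain only ciphertext, so read access to the source or the function configuration does not expose the Twitter credentials without decrypt permission on the key.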