Adding secret vars in config.json from external file

I suggest being able to add secret information via an external file (as in Terraform).

For example, something like this in config.json:

"environment_variables": {"authorization_token": var.secret_token }

And for the command line:

$chalice deploy --var-file=secret.json

Issue Analytics

  • State: open
  • Created 4 years ago
  • Reactions: 11
  • Comments: 13 (5 by maintainers)

Top GitHub Comments

5 reactions
vfilimonov commented, Mar 20, 2020

I would argue that storing credentials in config (even external, git-ignored) is not a good idea in general, especially since you could use the AWS ecosystem for that.

If not using AWS Secrets Manager, which could be expensive if you have a lot of secrets, you could easily place them in AWS SSM Parameter Store (and encrypt with the default or a dedicated key). And in the Python code, retrieving them is no more complicated than doing os.environ['my_secret']. Namely:

import boto3
boto3.client('ssm').get_parameter(Name='my_secret', WithDecryption=True)['Parameter']['Value']

And you need to specify permissions in config-prod.json:

        {
            "Effect": "Allow",
            "Action": ["ssm:GetParameter"],
            "Resource": [
              "arn:aws:ssm:<region>:<account>:parameter/my_secret"
            ]
        }

Other benefits of this approach are:

  • easy rotation of secrets
  • granular permissions to secrets/group of secrets
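
An added example (not part of the original comment or of Chalice) of the Parameter Store lookup described above, wrapped so a Lambda does not call SSM on every invocation yet still picks up a rotated value. The names `get_secret` and `FakeSSM`, the 300-second TTL and the sample secret are assumptions made for illustration; `FakeSSM` is a constructed stand-in so the block runs offline.

```python
import time

_CACHE = {}  # parameter name -> (value, expiry on the injected clock)


def get_secret(name, client=None, ttl=300, now=time.monotonic):
    """Return a decrypted SecureString parameter, cached for `ttl` seconds.

    The TTL bounds how long a rotated secret keeps being served from memory.
    `client` and `now` are injectable so the function can be tested offline.
    """
    cached = _CACHE.get(name)
    if cached and cached[1] > now():
        return cached[0]
    if client is None:
        import boto3  # lazy import: module loads without AWS credentials
        client = boto3.client("ssm")
    # The secret itself is under ['Parameter']['Value'] in the response.
    resp = client.get_parameter(Name=name, WithDecryption=True)
    value = resp["Parameter"]["Value"]
    _CACHE[name] = (value, now() + ttl)
    return value


class FakeSSM:
    """Constructed stand-in for the boto3 SSM client (hypothetical helper)."""

    def __init__(self, store):
        self.store = store
        self.calls = 0

    def get_parameter(self, Name, WithDecryption=False):
        self.calls += 1
        # Without WithDecryption the real service returns ciphertext.
        value = self.store[Name] if WithDecryption else "<ciphertext>"
        return {"Parameter": {"Name": Name, "Type": "SecureString",
                              "Value": value}}


if __name__ == "__main__":
    ssm = FakeSSM({"my_secret": "constructed-sample-value"})
    print(get_secret("my_secret", client=ssm))  # fetched from the fake
    print(get_secret("my_secret", client=ssm))  # served from the cache
    print("SSM calls:", ssm.calls)
```

The function's execution role still needs the `ssm:GetParameter` statement shown above for the parameter it reads.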

2 reactions
devangmehta123 commented, Sep 23, 2020

@jamesls, the last comment on this is from Mar 25. I generally agree with @vfilimonov's comments on this, that using AWS tools is a better way to do this.

But if someone wants to keep their Lambda setup simple, like I do, then there is still value in allowing config.json to be able to dynamically set up environment variables to configure inside the Lambda at deploy time.

That would let some configurations flow from GitHub actions or GitLab instead of relying on an extra layer of configuration inside SSM.

It is helpful to those who run the entire test setup on Docker containers inside the CI/CD server, outside of the AWS ecosystem, for example.

For example, all I would like here is for ‘chalice deploy’ to copy some behaviour of docker-compose. In docker-compose, if you leave the value of an environment variable empty, it will try to get the value from the shell. And so config.json could just look like this.

Note that the injected key is just a list and you could default the value to empty if nothing is obtained from the shell.

"environment_variables": {
    "USED_IN_ALL_ENVS": "this_value_needed_everywhere"
},
"environment_variables_injected": [
    "INJECTED_VARIABLE_FROM_SHELL_INVOKING_CHALICE_DEPLOY"
]

I think that even a simple enhancement like that would help certain workflows which want to keep it simple.
