wordslosa.blogg.se

Aws secret manager rotation

We begin our weather API example with a service definition in the serverless.yml file. To set the stage, let’s take a look at the overall structure of the project, and then we’ll dive into the implementation for each provider. Of course, you would rarely need to do anything like this in a real-life project, but this is a convenient way to illustrate the differences between the secrets management approaches. It’s a simple Serverless API that gets a weather forecast for a given location from three different weather service providers: We used Dark Sky, OpenWeatherMap, and the HERE Destination Weather API. For each provider we’ve chosen a different way to store API secrets. To illustrate each approach to secrets management in Serverless applications, we’re using this sample weather forecast API on GitHub. Three ways to manage secrets for Serverless Framework applications Using code, we show you in detail what each approach looks like, allowing you to choose your favourite way to manage Serverless secrets. In this article we explore three approaches to secrets management for Serverless applications: using environment variables, using the AWS SSM parameter store, and using the Serverless Framework’s secrets management features, and we discuss the benefits and drawbacks of each option.

We want to help you make an informed choice about how to store and access your secrets with the Serverless Framework. If you’re running Serverless applications, most likely you are already using secrets to store data like database connection strings and API tokens for third party services, or you will start needing to use them soon. Typical ways to configure secrets include hard-coding them in your application (not recommended!), using dedicated secrets files, storing them in environment variables, and using secrets stores like HashiCorp’s Vault. By “secrets management” we mean the entire secrets lifecycle: from configuring, storing and accessing them to rotating them and enforcing secrets policies. Storing application secrets in serverless applications is a hot topic that provokes many (often contradictory) opinions on how to manage them right. That’s not what parameter stores are for!

Secrets don’t belong in environment variables! Question: What’s the right way to manage secrets in serverless applications?













