Don't put secrets in your ENV
Secrets as environment variables is a bad idea
Published: Friday, Mar 25, 2022 Last modified: Monday, Dec 9, 2024
If you see something like:
MainFunction:
Type: AWS::Serverless::Function
Properties:
Environment:
Variables:
SECRET_KEY: "{{resolve:ssm:/my/secretkey:1}}"
or perhaps in a serverless.yml
:
MyFunction:
environment:
PRIVATE_KEY: ${ssm:/my/private_key}
A secret stored as an Environment variable can easily leak!
Leaked how?
Accidental disclosure
If your app gets compromised, it’s trivial to printenv
and steal secrets.
Your debug or logging code will likely leak the environment!
Do not store secrets in your process.env
!
Operationally
More likely your secret will leak to your operations team via the AWS console.
Workaround
Retreive secrets in the App
Best practice is for applications to retrieve secrets, for example in a Lambda context you would use middy-ssm to retrieve the secrets from the AWS Parameter Store.
That application alone will have the role to retrieve the secret with the
appropriate ssm:GetParameter
permission.
Of course you need to be careful not to log those secret variables.