
Resolving secretsmanager when invoking a SAM template locally
Stack Overflow user
Asked on 2021-06-26 11:10:33
1 answer · 462 views · 0 followers · 2 votes

I am trying to invoke a Lambda locally with `sam local invoke`. The function invokes fine, but my secret environment variable is not resolved. When the function is deployed, the secret resolves as expected. However, I want to avoid any difference between my local code and my deployed code. So, is there a way to resolve these secrets to the actual secret values when invoking locally? Currently I only get the string value from the environment variable. Code below.

template.yaml

```yaml
# This is the SAM template that represents the architecture of your serverless application
# https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-template-basics.html

# The AWSTemplateFormatVersion identifies the capabilities of the template
# https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/format-version-structure.html
AWSTemplateFormatVersion: 2010-09-09
Description: >-
  onConnect

# Transform section specifies one or more macros that AWS CloudFormation uses to process your template
# https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/transform-section-structure.html
Transform:
- AWS::Serverless-2016-10-31

# Resources declares the AWS resources that you want to include in the stack
# https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resources-section-structure.html
Resources:
  # Each Lambda function is defined by properties:
  # https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction

  # This is a Lambda function config associated with the source code: hello-from-lambda.js
  helloFromLambdaFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: src/handlers/onConnect.onConnect
      Runtime: nodejs14.x
      MemorySize: 128
      Timeout: 100
      Environment:
        Variables:
          WSS_ENDPOINT: '{{resolve:secretsmanager:prod/wss/api:SecretString:endpoint}}'
```

onConnect.js

```javascript
/**
 * A Lambda function that returns a static string
 */
exports.onConnect = async () => {
    const endpoint = process.env.WSS_ENDPOINT;
    console.log(endpoint);
    // If you change this message, you will need to change hello-from-lambda.test.js
    const message = 'Hellddfdsfo from Lambda!';

    // All log statements are written to CloudWatch
    console.info(`${message}`);

    return message;
}
```

1 Answer

Stack Overflow user

Accepted answer

Posted on 2021-07-25 19:42:05

I came up with a workaround that lets me keep a single code base and "resolve" secrets/parameters locally.

I created a very basic Lambda layer whose only job is to fetch the secret if the environment is set to LOCAL.

```python
import boto3


def get_secret(env, type, secret):
    client = boto3.client('ssm')
    if env == 'LOCAL':
        # Locally the env var holds the parameter *name*, so fetch its value from SSM
        if type == 'parameter':
            return client.get_parameter(
                Name=secret,
            )['Parameter']['Value']
    else:
        # When deployed, CloudFormation has already resolved {{resolve:ssm:...}},
        # so the env var already holds the secret value
        return secret
```

I set the environment with a parameter in the Lambda that calls the layer. By the way, this layer will eventually resolve multiple secrets, which is why the nested if looks a bit odd. Here is how I set the environment:

```yaml
Resources:
  ...
  GetWSSToken:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: get_wss_token
      CodeUri: get_wss_token/
      Handler: app.lambda_handler
      Runtime: python3.7
      Timeout: 30
      Layers:
        - arn:aws:lambda:********:layer:SecretResolver:8
      Environment:
        Variables:
          ENVIRONMENT: !Ref Env
          JWT_SECRET: !FindInMap [ Map, !Ref Env, jwtsecret ]
     ...

Mappings:
  Map:
    LOCAL:
      jwtsecret: jwt_secret
    PROD:
      jwtsecret: '{{resolve:ssm:jwt_secret}}'
    STAGING:
      jwtsecret: '{{resolve:ssm:jwt_secret}}'

Parameters:
  ...
  Env:
    Type: String
    Description: Environment this lambda is being run in.
    Default: LOCAL
    AllowedValues:
      - LOCAL
      - PROD
      - STAGING
```

Now I can simply call the `get_secret` method in the Lambda, and depending on the value I set for it, the secret is either fetched at runtime or returned from the environment variable.

```python
import json
import jwt
import os
from datetime import datetime, timedelta
from secret_resolver import get_secret

def lambda_handler(event, context):
    secret = get_secret(os.environ['ENVIRONMENT'], 'parameter', os.environ['JWT_SECRET'])
    two_hours_from_now = datetime.now() + timedelta(hours=2)
    encoded_jwt = jwt.encode({"expire": two_hours_from_now.timestamp()}, secret, algorithm="HS256")
    return {
        "statusCode": 200,
        "body": json.dumps({
            "token": encoded_jwt
        }),
    }
```

I hope this helps anyone trying to solve this problem. The main concern here is keeping secrets out of the code base while being able to test locally with the same code that goes to production.

0 votes

The original page content is provided by Stack Overflow. Translation support is provided by Tencent Cloud Xiaowei's IT-domain engine.
Original link:

https://stackoverflow.com/questions/68138883
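As an added example (not the answerer's layer code), the resolver below generalises the layer above to both dynamic-reference forms on this page, the answer's `{{resolve:ssm:jwt_secret}}` and the question's `{{resolve:secretsmanager:prod/wss/api:SecretString:endpoint}}`: because `sam local invoke` leaves the literal reference string in the environment variable, the layer can parse it in LOCAL and fetch the value itself, while in deployed environments the already-resolved value is returned untouched. The function name, the injectable clients and the two fake client classes are assumptions introduced for this example.

```python
import json
import re


def _aws_client(service):
    # boto3 is imported lazily so the resolver can run (and be tested) without it
    import boto3
    return boto3.client(service)


def resolve_reference(env, ref, ssm_client=None, sm_client=None):
    """Return the secret value behind one environment variable.

    When deployed, CloudFormation already substituted the dynamic reference,
    so `ref` is the real value and is returned untouched. Under `sam local
    invoke` the variable still holds the literal '{{resolve:...}}' string, so
    in LOCAL it is parsed and fetched from SSM Parameter Store or Secrets
    Manager using the developer's own AWS credentials.
    """
    if env != "LOCAL":
        return ref
    m = re.fullmatch(r"\{\{resolve:(ssm|secretsmanager):(.+)\}\}", ref)
    if m is None:
        return ref  # a plain value, nothing to resolve
    service, rest = m.groups()
    parts = rest.split(":")  # parameter and secret names cannot contain ':'
    if service == "ssm":
        # {{resolve:ssm:<name>[:<version>]}}; WithDecryption also covers SecureString
        client = ssm_client or _aws_client("ssm")
        resp = client.get_parameter(Name=parts[0], WithDecryption=True)
        return resp["Parameter"]["Value"]
    # {{resolve:secretsmanager:<id>[:SecretString[:<json-key>[:<stage>[:<ver>]]]]}}
    client = sm_client or _aws_client("secretsmanager")
    secret = client.get_secret_value(SecretId=parts[0])["SecretString"]
    json_key = parts[2] if len(parts) > 2 and parts[2] else None
    return json.loads(secret)[json_key] if json_key else secret


# Constructed stand-ins for the two AWS clients so the example runs offline.
class FakeSSM:
    def get_parameter(self, Name, WithDecryption=False):
        return {"Parameter": {"Value": f"value-of-{Name}"}}


class FakeSecretsManager:
    def get_secret_value(self, SecretId):
        return {"SecretString": json.dumps({"endpoint": f"wss://{SecretId}.example"})}
```

With real clients, the local caller's IAM identity needs `ssm:GetParameter` (plus `kms:Decrypt` for SecureString) or `secretsmanager:GetSecretValue` on exactly the names in the template, which is the permission boundary to review before granting developers local access.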
