ContextQMD
Back to Infisical

AWS Lambda

docs/integrations/platforms/aws/lambda.mdx

0.159.253.1 KB
Original Source

Learn how to sync Infisical secrets to AWS Lambda regardless of how you deploy your function. This guide covers the following strategies:

  • Infisical SDKs
  • AWS Secrets Manager integration
  • AWS Systems Manager Parameter Store integration
  • AWS CLI

Choose your sync strategy

1. Fetch secrets at runtime with Infisical SDKs

If you control the Lambda code, the simplest method is to fetch secrets directly from Infisical using one of our SDKs.
You can read more about the Infisical SDKs here.

2. Push via secret sync

Configure a secret sync from your Infisical project, and Infisical will keep your Secrets Manager or Parameter Store values up to date. Your Lambda function can then reference those secrets directly.
Learn more about the AWS Secrets Manager integration and the AWS Parameter Store integration.

3. Push environment variables directly using the AWS CLI

For straightforward workflows or quick rotations, you can push Infisical secrets directly into Lambda environment variables using the AWS CLI.

Prerequisites

  • AWS CLI v2 installed and authenticated
  • jq installed locally
  • An IAM principal with lambda:UpdateFunctionConfiguration
  • Infisical CLI (infisical) configured

IAM permissions

Attach a policy like the one below to the IAM user or role responsible for updating Lambda configuration:

json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LambdaConfig",
      "Effect": "Allow",
      "Action": ["lambda:UpdateFunctionConfiguration"],
      "Resource": "*"
    }
  ]
}
<Note> {" "} Replacing Lambda environment variables using the AWS CLI overwrites the entire `Variables` object. Make sure to export your current values so you can import them into Infisical.{" "} </Note>

Push secrets to Lambda

Use the Infisical CLI to export secrets as JSON and pass them to the AWS CLI. The example below targets a project by ID, but you can also use the --project and --env flags. Learn more about infisical export here.

bash
FUNCTION_NAME=infisical-env-test
REGION=us-east-1
PROJECT_ID=1234567890

aws lambda update-function-configuration \
  --function-name "$FUNCTION_NAME" \
  --region "$REGION" \
  --environment "$(
    infisical export \
      --format=json \
      --projectId="$PROJECT_ID" \
    | jq 'map({(.key): .value}) | add | {Variables: .}'
  )"

On success, the updated Environment.Variables block will be returned. Verify the values in the Lambda console or by invoking the function.

<Tip> Automate this step in CI/CD. Run `infisical export` using an Infisical Token scoped to your project and environment, and trigger the sync as part of your deployment workflow. Learn more about the [Infisical Token](/cli/commands/export#infisical-export:infisical-token). </Tip> <Note> We recommend using automatic secret syncs to AWS Secrets Manager or AWS Parameter Store to keep your secrets continuously in sync and avoid manually updating the Lambda configuration. </Note>