Tags: python, amazon-web-services, aws-lambda, bitbucket, credentials

Storing and passing credentials to AWS Lambda from Bitbucket


The problem description: I have Python code in Bitbucket that is deployed to AWS to be executed as a Lambda function. The setup is based on this guide: https://bitbucket.org/blog/aws-lambda-deployments-using-bitbucket-pipelines-and-pipes

In the Python code, I plan to use credentials (e.g. for database access), and the source code is obviously the wrong place to store them.

What is the recommended place to store credentials, and how should they be passed to the Lambda function?

Should it be Bitbucket's repository variables? If so, how do I pass them to the Lambda function's code?

Or should it be AWS Lambda environment variables? Same question then.


Solution

  • You could store them in AWS SSM Parameter Store and fetch them at runtime.

    That way you can manage who has access to it. Putting it in env variables will display the secret in plain text to anyone who can see them.

    The way I structure it is this:

    1. Put the secret in an encrypted SSM Parameter; this uses a KMS key.
    2. Give your Lambda access to the SSM parameter and the KMS key it uses, through IAM.
    3. In the Lambda env or a configuration file, put the path to the SSM Parameter.
    4. In the Lambda, during startup, fetch the parameter and put it in some static variable so that other executions of the same (non-cold-started) Lambda don't need to fetch it again.
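
The four steps above, written out as a Python Lambda module. This is an added example, not code from the answer or from the Bitbucket guide. It assumes an environment variable named `DB_PASSWORD_PARAM` carrying the parameter path (step 3), a parameter path `/myapp/prod/db_password`, and a role that already has `ssm:GetParameter` plus `kms:Decrypt` on the parameter's key (step 2). The SSM client is passed in so the module runs offline against a constructed fake; on AWS the handler builds a real boto3 client.

```python
"""Fetch a SecureString SSM parameter once per cold start and cache it.

Added example. Assumed names (not from the original post): the env var
DB_PASSWORD_PARAM and the parameter path /myapp/prod/db_password.
"""
import os

# Module scope is initialised once per execution environment (cold start)
# and reused by warm invocations, so a module-level dict is the "static
# variable" of step 4.
_SECRET_CACHE = {}

PARAM_ENV_VAR = "DB_PASSWORD_PARAM"  # assumed name of the env var holding the path


def fetch_parameter(client, name):
    """Read one SecureString parameter. WithDecryption=True makes SSM call KMS
    with the Lambda role's permissions, so the key grant from step 2 is what
    actually gates access. `client` is a boto3 SSM client or anything with the
    same get_parameter(Name=..., WithDecryption=...) signature."""
    resp = client.get_parameter(Name=name, WithDecryption=True)
    return resp["Parameter"]["Value"]


def get_secret(client, name=None):
    """Return the secret at `name` (default: the path from the env var),
    hitting SSM only on the first call in this execution environment."""
    name = name or os.environ[PARAM_ENV_VAR]
    if name not in _SECRET_CACHE:
        _SECRET_CACHE[name] = fetch_parameter(client, name)
    return _SECRET_CACHE[name]


def reset_cache():
    """Drop cached values, e.g. after a credential rotation or in tests."""
    _SECRET_CACHE.clear()


class FakeSsmClient:
    """Constructed stand-in for boto3's SSM client so the module runs offline.
    It mirrors the shape of the real get_parameter response and counts calls,
    which is how we show that warm invocations skip the network round-trip."""

    def __init__(self, params):
        self.params = params
        self.calls = 0

    def get_parameter(self, Name, WithDecryption=False):
        self.calls += 1
        if Name not in self.params:
            raise KeyError("ParameterNotFound: " + Name)
        return {"Parameter": {"Name": Name, "Type": "SecureString",
                              "Value": self.params[Name]}}


def lambda_handler(event, context, client=None):
    """Lambda entry point. On AWS `client` is None and a real boto3 client is
    created; the password is used to open the DB connection and is never
    placed in the response or logged."""
    if client is None:
        import boto3  # imported lazily so the module loads without boto3
        client = boto3.client("ssm")
    password = get_secret(client)
    # connect_to_db(password) would go here; omitted for the example
    return {"statusCode": 200, "body": "connected", "used_secret": bool(password)}


if __name__ == "__main__":
    os.environ.setdefault(PARAM_ENV_VAR, "/myapp/prod/db_password")
    fake = FakeSsmClient({"/myapp/prod/db_password": "s3cr3t-constructed"})
    lambda_handler({}, None, client=fake)   # cold start: one fetch from "SSM"
    lambda_handler({}, None, client=fake)   # warm invocation: served from cache
    print("SSM calls:", fake.calls)         # 1
```

One caveat the cache introduces: a rotated password is not picked up until the execution environment is recycled, so either call `reset_cache()` on an authentication failure and retry once, or keep the cache entry with a timestamp and refresh it after a fixed TTL.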