How to use encrypted environment variables in AWS Lambda?


Question


I am trying to use encrypted environment variables in an AWS Lambda function running in Node.js 4.3, but the code hangs when trying to decrypt the variables. I don't get any error messages, it just times out. Here is what I have tried:


I created the encryption key in the same region as the Lambda, and ensured that the role the Lambda runs as has access to the key. (I've even tried giving the role full control of the key.)


When creating the Lambda, I enable encryption helpers, select my encryption key, and encrypt the environment variable:

Next I click the "Code" button, which gives me JavaScript code that's supposed to handle the decryption at runtime. Here is the code; the only changes I have made are to add console.log statements and a try/catch:

"use strict";

const AWS = require('aws-sdk');

// The ciphertext is read once at module load; the plaintext is cached in a
// module-level variable so decryption happens once per container.
const encrypted = process.env['DBPASS'];
let decrypted;

function processEvent(event, context, callback) {
    console.log("Decrypted: " + decrypted);
    callback();
}

exports.handler = (event, context, callback) => {
    if (decrypted) {
        console.log('data is already decrypted');
        processEvent(event, context, callback);
    } else {
        console.log('data is NOT already decrypted: ' + encrypted);
        // Decrypt code should run once and variables stored outside of the function
        // handler so that these are decrypted once per container
        const kms = new AWS.KMS();
        console.log('got kms object');
        try {
            // new Buffer is used here because the runtime is Node.js 4.3
            var myblob = new Buffer(encrypted, 'base64');
            console.log('got blob');
            kms.decrypt({ CiphertextBlob: myblob }, (err, data) => {
                console.log('inside decrypt callback');
                if (err) {
                    console.log('Decrypt error:', err);
                    return callback(err);
                }
                console.log('try to get plaintext');
                decrypted = data.Plaintext.toString('ascii');
                console.log('decrypted: ' + decrypted);
                processEvent(event, context, callback);
            });
        } catch (e) {
            console.log("exception: " + e);
            callback('error!');
        }
    }
};


Here is what I get when I run the function:

data is NOT already decrypted: AQECAH.....
got kms object
got blob
END RequestId: 9b7af.....
Task timed out after 30.00 seconds

When I run the function, it times out. I see that it prints all log statements up to "got blob" and then it just stops. There is no error message other than the timeout. I've tried increasing the timeout and memory for the Lambda, but that just makes it wait longer before timing out.


How is decryption supposed to work when I never tell the app what decryption key to use? The documentation for decrypt does not mention any way to tell it what decryption key to use. And I am not getting any error messages that would tell me it doesn't know what key to use or anything.


I've tried going through this tutorial but it just tells me to do the same thing I've already done. I've also read all of the environment variables documentation but it says that what I'm doing should just work.

Answer


Decrypting the environment variables requires an API call to the KMS service. To do that, your Lambda function must have access to the internet since there are no VPC endpoints for KMS. So, if your Lambda is running in a VPC, make sure you have a NAT configured for the VPC to allow your Lambda function to call KMS.
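The answer points at the network path: a Lambda in a VPC with no route to KMS simply sits on the decrypt call until the function timeout, which is exactly the silence the question describes (logs stop at "got blob", then "Task timed out"). As an added example, written for this page and not code from the question, the answer or AWS, the handler below keeps the decrypt-once-per-container pattern but puts an explicit deadline on the KMS call, so a blocked path fails with a readable error instead of a silent timeout. The KMS client is injected so the block runs offline against constructed fakes; `DECRYPT_DEADLINE_MS`, the fake clients and the `s3cret` plaintext are assumptions of the example, and the client shape assumed is the aws-sdk v2 `decrypt(params, callback)`.

```javascript
'use strict';

// Added example, not code from the question or answer. It assumes a KMS
// client with the aws-sdk v2 shape `decrypt(params, callback)`; in a real
// deployment that would be `new (require('aws-sdk')).KMS()`.

const DECRYPT_DEADLINE_MS = 3000; // assumption: keep this well below the Lambda timeout

// Cache lives outside the handler so a warm container decrypts only once.
let cachedPlaintext = null;

// Promisify kms.decrypt and race it against a deadline, so a blocked network
// path to KMS surfaces as a clear error instead of a silent "Task timed out".
function decryptWithDeadline(kms, ciphertextB64, deadlineMs) {
  const blob = Buffer.from(ciphertextB64, 'base64');
  return new Promise((resolve, reject) => {
    const timer = setTimeout(() => {
      reject(new Error('KMS decrypt did not answer within ' + deadlineMs +
        ' ms; check VPC egress to KMS and the key policy'));
    }, deadlineMs);
    kms.decrypt({ CiphertextBlob: blob }, (err, data) => {
      clearTimeout(timer);
      if (err) {
        reject(err);
        return;
      }
      resolve(data.Plaintext.toString('utf8'));
    });
  });
}

// Returns the cached plaintext, decrypting on first use.
async function getSecret(kms, ciphertextB64, deadlineMs) {
  if (cachedPlaintext === null) {
    cachedPlaintext = await decryptWithDeadline(kms, ciphertextB64,
      deadlineMs === undefined ? DECRYPT_DEADLINE_MS : deadlineMs);
  }
  return cachedPlaintext;
}

// Test hook: forget the cached value (simulates a cold container).
function resetCache() {
  cachedPlaintext = null;
}

// Builds the Lambda entry point around an injected client. The secret is
// used, never logged; only its length is returned here for demonstration.
function makeHandler(kms) {
  return async function handler(event) {
    const secret = await getSecret(kms, process.env.DBPASS);
    return { statusCode: 200, body: 'secret length ' + secret.length };
  };
}

// Constructed fake clients for offline use.
// fakeKmsOk answers with a fixed plaintext and counts how often it was called.
const fakeKmsOk = {
  calls: 0,
  decrypt(params, cb) {
    this.calls += 1;
    setImmediate(() => cb(null, { Plaintext: Buffer.from('s3cret') }));
  }
};
// fakeKmsHang never calls back, modelling a Lambda in a VPC with no route to KMS.
const fakeKmsHang = {
  decrypt() { /* intentionally never answers */ }
};

module.exports = { decryptWithDeadline, getSecret, resetCache, makeHandler, fakeKmsOk, fakeKmsHang };
```

In a deployment you would pass `new AWS.KMS()` as the client; the deadline here is a safety net for diagnosis, while the actual fix remains giving the function a route to KMS as the answer says. Once the call fails fast, the error message lands in CloudWatch instead of a bare timeout, which is what you want to see when a network or key-policy change breaks decryption.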
