HashiCorp has recently announced the public preview of the HashiCorp Vault AWS Lambda Extension. The extension builds on the recently launched AWS Lambda Extensions API and lets a serverless application retrieve secrets from HashiCorp Vault securely, without making the Lambda function itself Vault-aware.

The extension reads secrets from HashiCorp Vault and writes them to disk before the AWS Lambda function starts. It authenticates to Vault using AWS IAM, relying on the same identity the Lambda function runs under. Because the Runtime API and the Extensions API are independent endpoints, the secret retrieval happens outside the function's code and is transparent to the Lambda function itself.

[Figure omitted. Source: https://aws.amazon.com/blogs/compute/introducing-aws-lambda-extensions-in-preview]

The Vault AWS Lambda Extension can retrieve different secrets from Vault and writes the JSON response from HashiCorp Vault to the configured destination. It is available in the HashiCorp GitHub repo, which includes examples with the Amazon ARN to reference from the Lambda function.
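As an added example (not HashiCorp's code and not from the article), the following Python Lambda handler consumes the JSON file the extension writes before the function starts. Everything about the file is an assumption here: that its path is taken from an environment variable named VAULT_SECRET_FILE with a default of /tmp/vault_secret.json, that it holds Vault's raw JSON response, that a KV v2 read nests the key/value pairs under data.data beside data.metadata while a dynamic secret (such as database credentials) puts them directly under data with a lease_id and lease_duration, and that the file's mtime is the best available stand-in for the lease issue time. The handler rejects an expired lease rather than handing stale credentials to the caller, since nothing in the function renews it.

```python
"""Added example: a Lambda handler that consumes the secret file written by the
Vault AWS Lambda Extension. Illustrative code, not HashiCorp's.

Assumptions not stated in the article: the file path comes from the
environment variable VAULT_SECRET_FILE, defaulting to /tmp/vault_secret.json,
and the file contains Vault's raw JSON response. A KV v2 read nests the user's
key/value pairs under data.data next to data.metadata; a dynamic secret (for
example database credentials) puts them directly under data and carries a
lease_id and lease_duration.
"""
import json
import os
import tempfile
import time

DEFAULT_SECRET_FILE = "/tmp/vault_secret.json"  # assumed default location


class SecretUnavailable(RuntimeError):
    """The extension's output is missing, malformed, or its lease has expired."""


def parse_vault_response(raw, issued_at, now):
    """Parse one Vault JSON response.

    Returns {"secrets": dict, "lease_id": str, "expires_at": float or None}.
    For a leased (dynamic) secret the caller supplies issued_at, normally the
    file's mtime, because the response itself carries no issue timestamp; a
    lease that has already elapsed is rejected rather than handed to the caller.
    """
    try:
        body = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise SecretUnavailable("secret file is not valid JSON: %s" % exc) from exc
    data = body.get("data") if isinstance(body, dict) else None
    if not isinstance(data, dict):
        raise SecretUnavailable("response carries no 'data' object")
    # KV v2 wraps the caller's key/value pairs one level deeper than KV v1
    # or a dynamic secret does.
    if isinstance(data.get("data"), dict) and "metadata" in data:
        secrets = data["data"]
    else:
        secrets = data
    lease_id = body.get("lease_id") or ""
    lease_duration = int(body.get("lease_duration") or 0)
    expires_at = None
    if lease_id and lease_duration > 0:
        expires_at = issued_at + lease_duration
        if now >= expires_at:
            raise SecretUnavailable(
                "lease %s expired %.0fs ago; the extension wrote it at init "
                "and nothing here renews it" % (lease_id, now - expires_at))
    return {"secrets": secrets, "lease_id": lease_id, "expires_at": expires_at}


def load_secret(path=None, now=None):
    """Read and parse the file the extension wrote before the function started."""
    path = path or os.environ.get("VAULT_SECRET_FILE", DEFAULT_SECRET_FILE)
    now = time.time() if now is None else now
    try:
        with open(path, "r", encoding="utf-8") as fh:
            raw = fh.read()
        issued_at = os.path.getmtime(path)
    except OSError as exc:
        raise SecretUnavailable("cannot read %s: %s" % (path, exc)) from exc
    return parse_vault_response(raw, issued_at, now)


def handler(event, context):
    """Lambda entry point: use the secret, never echo its values in the response."""
    try:
        secret = load_secret()
    except SecretUnavailable as exc:
        return {"statusCode": 503, "body": "secret unavailable: %s" % exc}
    # ... use secret["secrets"]["username"] / ["password"] to reach the backend
    return {"statusCode": 200,
            "body": "loaded keys: %s" % ", ".join(sorted(secret["secrets"]))}


# Constructed sample responses for offline testing (shapes as assumed above).
KV_V2_SAMPLE = json.dumps({
    "lease_id": "", "renewable": False, "lease_duration": 0,
    "data": {"data": {"api_key": "kv-example-key"},
             "metadata": {"version": 3}},
})
DYNAMIC_SAMPLE = json.dumps({
    "lease_id": "database/creds/lambda-role/example", "renewable": True,
    "lease_duration": 3600,
    "data": {"username": "v-lambda-example", "password": "example-pw"},
})


def demo_round_trip():
    """Write the dynamic sample to a temp file and load it the way handler() would."""
    fd, path = tempfile.mkstemp(suffix=".json")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(DYNAMIC_SAMPLE)
        loaded = load_secret(path, now=os.path.getmtime(path) + 60)
        return loaded["secrets"]["username"]
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo_round_trip())
```

The expiry check is the part worth keeping even if the file layout differs in your deployment: the extension writes the secret once at init, so a function that stays warm longer than a dynamic secret's lease will otherwise keep using revoked credentials and fail on the backend instead of failing fast here.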

“This is going to make a lot of folks’ lives a lot easier” predicts Lucy Davinhart, senior automation engineer at Sky Betting & Gaming. Andrey Devyatkin, DevSecOps consultant, explains the main benefit of the new approach:

This is neat. Before, you would have had to read secrets via Terraform and pass them via environment variables, which didn't work well with dynamic secrets. I wonder if the extension will be able to keep leases renewed.


HashiCorp Supports AWS Lambda Extensions for Serverless Security