Terraform: Lamdba: KMS-encrypted env variables not working

Created on 24 Feb 2017 · 4 Comments · Source: hashicorp/terraform

Terraform Version

0.8.4

Affected Resource(s)

Please list the resources as a list, for example:

  • aws_lambda_function

Expected Behavior

Using kms_key_arn should have ticked this box:

[screenshot: lambda_management_console]

Actual Behavior

The box is unticked, not allowing me to specify encrypted environment variables

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. Use the example from https://www.terraform.io/docs/providers/aws/r/lambda_function.html and provide a kms_key_arn
  2. log into the AWS console and see that the tick is not checked
Labels: bug, provider/aws

Most helpful comment

Hey @joscha –

I did some research and I think I know what’s happening here. I believe both Terraform’s documentation, as well as AWS’s Lambda Console, are a bit misleading here.

Lambda source and environment variables are encrypted _at rest_ when stored in Amazon. By default, Amazon will use a default KMS key for your account. In the aws_lambda_function resource, you can specify the kms_key_arn to specify a different KMS key to use for encrypting these things _at rest_.

See “Environment Variable Encryption” here:

The source and environment variables are encrypted and decrypted on-the-fly for you in this manner.

On the same documentation page, you’ll find “Storing Sensitive Information” where they detail what I _think_ you’re expecting, in that specifying kms_key_arn would actually encrypt the environment variables and so you’d see them in the Lambda console as CipherText. After reading on the documentation, it seems this is not the case sadly. As mentioned in “Storing Sensitive Information”:

if you need to store sensitive information in an environment variable, we strongly suggest you encrypt that information before deploying your Lambda function.

It seems that the kms_key_arn we provide in Terraform configuration is _only_ for encrypting at rest. If you need those ENV vars encrypted in the environment, you need to do that yourself it seems.

The Lambda console makes things more confusing here, I believe. Clicking the checkbox “Enable encryption helpers” enables the Lambda console to encrypt any env var you supply _in those text boxes_, using the key you specify. Once you provide a KMS ARN to a key, you can click “encrypt” and the value will become encrypted. Until you hit “Save” at the top of the page here, you can still decrypt it, however after clicking “save” the page reloads and you see the encrypted text. At that point, you can’t decrypt it. You can however add new text and encrypt the new text, replacing the old, but at that point the Lambda console does not give you a means of decrypting it.

The Lambda console does give you a code generation tool to generate code to decrypt the secure information, for use in your Lambda code.

I checked around and it doesn’t seem like we have an easy route to encrypting environment variables in the Lambda API or SDK.

I hope this clears things up. Please let me know if you have any questions.
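The runtime side of the "encrypt before deploying, decrypt in your Lambda code" approach the comment describes, as an added Python example that is not from this issue or the Terraform project: each expected variable is base64-decoded, values that were evidently deployed in plaintext are refused, and KMS decryption happens once per container. The variable names, the `_fake_kms_decrypt` stand-in and the boto3 fallback are assumptions; the encryption step (`aws kms encrypt` with the same key as `kms_key_arn`) is done before `terraform apply`.

```python
import base64
import os
from typing import Callable, Dict, Iterable, Optional

# Variables that must be deployed as KMS ciphertext (base64 of the CiphertextBlob
# from `aws kms encrypt`). The names are constructed for this example.
ENCRYPTED_VARS = ("DB_PASSWORD", "API_TOKEN")

def looks_encrypted(raw: str) -> bool:
    """Sanity check: a value that is not even base64 was deployed in plaintext.
    Plaintext that happens to be valid base64 is still rejected by kms:Decrypt."""
    try:
        return bool(raw) and len(base64.b64decode(raw, validate=True)) > 0
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
def decrypt_env(environ: Dict[str, str], names: Iterable[str],
                kms_decrypt: Optional[Callable[[bytes], bytes]] = None) -> Dict[str, str]:
    """Return name -> plaintext. kms_decrypt maps a ciphertext blob to plaintext bytes;
    when None, boto3 KMS is used (assumes boto3 and kms:Decrypt on the key in the role)."""
    if kms_decrypt is None:
        import boto3  # lazy import so the module loads without AWS available
        client = boto3.client("kms")
        def kms_decrypt(blob: bytes) -> bytes:
            return client.decrypt(CiphertextBlob=blob)["Plaintext"]
    secrets = {}
    for name in names:
        raw = environ.get(name)
        if raw is None or not looks_encrypted(raw):
            # Fail closed rather than silently using a plaintext value as the secret.
            raise ValueError(f"{name} is missing or not base64 KMS ciphertext")
        secrets[name] = kms_decrypt(base64.b64decode(raw)).decode("utf-8")
    return secrets

_SECRETS: Optional[Dict[str, str]] = None  # decrypted once per container, at cold start
def handler(event, context):
    global _SECRETS
    if _SECRETS is None:
        _SECRETS = decrypt_env(os.environ, ENCRYPTED_VARS)
    return {"decrypted": sorted(_SECRETS)}  # use the values; never log or return them
def _fake_kms_decrypt(blob: bytes) -> bytes:
    """Offline stand-in for KMS: constructed 'ciphertext' is plaintext behind a prefix."""
    if not blob.startswith(b"KMS:"):
        raise ValueError("not a ciphertext this stub produced")
    return blob[4:]

def demo() -> Dict[str, str]:
    env = {"DB_PASSWORD": base64.b64encode(b"KMS:s3cr3t").decode(),
           "API_TOKEN": base64.b64encode(b"KMS:tok-123").decode()}
    return decrypt_env(env, ENCRYPTED_VARS, kms_decrypt=_fake_kms_decrypt)
```

Note that `kms_key_arn` in the Terraform resource still only selects the key used for encryption at rest; anyone allowed to read the function configuration sees whatever string you deployed, so the ciphertext is what belongs in the variable.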

All 4 comments

Any progress about this issue? is there any way of encrypting environment variables or do I have to do that manually?

Bump :D
Any updates on this?

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
