Use AWS Lambda Extensions to Securely Retrieve Secrets From HashiCorp Vault

Developers no longer have to make their Lambda functions Vault-aware.

We are excited to announce the public preview of a HashiCorp Vault AWS Lambda extension, utilizing the newly announced AWS Lambda Extensions API (also in public preview) to securely retrieve secrets from HashiCorp Vault. 

Practitioners who have standardized on HashiCorp Vault for secrets management and AWS Lambda as their serverless compute environment no longer have to make their Lambda functions Vault-aware. The extension retrieves the specified secret from a Vault cluster and presents it to the Lambda function.

"Hundreds of thousands of customers use AWS Lambda to run their applications - all they need to do is supply the code," says Dhruv Sood, Sr. Product Manager, AWS Lambda, Amazon Web Services, Inc. "The HashiCorp Vault extension for AWS Lambda makes it easy for operators to manage their secrets and make them available for developers to use within their application code."

What is AWS Lambda?

AWS Lambda functions often connect to many services to transform and move data between them. Many of these services require you to authenticate your application with credentials or API keys, so the question that comes up most often is: how does one securely store and retrieve these credentials? As Lambda adoption grows, so does the need for a consistent method of providing the credentials Lambda functions need to do their tasks.

What is the Lambda Extensions API?

To help customers monitor, observe, secure, and govern their functions, Lambda provides native integrations for logs and metrics through Amazon CloudWatch, tracing through AWS X-Ray, tracking configuration changes through AWS Config, and recording API calls through AWS CloudTrail. 

The Extensions API provides a simple way to extend AWS Lambda’s execution environment. In addition to running in parallel with the invocation, extensions can run logic outside of the invoke – they can start before the function is invoked and can also run after the function execution is complete. Also, because extensions run as processes next to the Lambda function, they can be written in a language different from that of the function.

How Does it Work?

The extension reads secrets from HashiCorp Vault and writes them to disk before the Lambda function starts. It authenticates with Vault's AWS IAM auth method, using the same identity the Lambda function runs as (its execution role). The extension can retrieve multiple secrets from Vault, if configured to do so, and writes the full JSON response from HashiCorp Vault to the configured destination.

Before a Lambda function is invoked, extensions are initialized and given the opportunity to perform tasks before signaling their readiness. The Vault extension uses user-defined environment variables and the Lambda execution role to authenticate with a Vault cluster and retrieve secrets before the Lambda function executes. Environment variables configure connection details like Vault address and TLS certificates, as well as behavior details such as the Vault secret path to read and the file location to write to.
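Since the extension writes Vault's full JSON response rather than just the key/value payload, the function still has to locate the secret inside that document. The following is an added example of a Lambda handler that does this, not code from the extension repository: it assumes a `VAULT_SECRET_FILE` environment variable (a name chosen for this example) pointing at the file the extension was configured to write, and it handles both the KV v2 shape (`data.data`) and the KV v1/generic shape (`data`), failing closed if the file is missing or malformed.

```python
import json
import os
from pathlib import Path

# Constructed sample of the full Vault JSON response for a KV v2 read; this is
# the kind of document the extension writes to its configured destination file.
SAMPLE_KV2_RESPONSE = {
    "request_id": "00000000-0000-0000-0000-000000000000",
    "lease_id": "",
    "renewable": False,
    "lease_duration": 0,
    "data": {
        "data": {"db_user": "app", "db_password": "s3cr3t-example"},
        "metadata": {"version": 2, "destroyed": False},
    },
}

# Constructed sample of a KV v1 read: key/values sit directly under "data".
SAMPLE_KV1_RESPONSE = {"request_id": "example", "data": {"api_key": "example-key"}}


def extract_secret_data(response: dict) -> dict:
    """Return the key/value payload from a Vault read response.

    KV v2 nests the secret under data.data (with data.metadata beside it);
    KV v1 and most other engines put it directly under data.
    """
    data = response.get("data")
    if not isinstance(data, dict):
        raise ValueError("Vault response has no 'data' object")
    inner = data.get("data")
    if isinstance(inner, dict) and "metadata" in data:
        return inner  # KV v2 shape
    return data  # KV v1 / generic shape


def load_vault_secret(path: str) -> dict:
    """Read the file the extension wrote and return only the secret key/values.

    Fails closed: a missing or malformed file raises instead of returning an
    empty dict, so the function never proceeds silently without credentials.
    """
    raw = Path(path).read_text(encoding="utf-8")  # FileNotFoundError if absent
    response = json.loads(raw)                      # ValueError if not valid JSON
    return extract_secret_data(response)


def handler(event, context):
    # VAULT_SECRET_FILE is an assumed variable name for this example; point it
    # at the destination you configured for the extension. Never log the values.
    secret = load_vault_secret(os.environ["VAULT_SECRET_FILE"])
    return {"statusCode": 200, "keys": sorted(secret)}
```

The handler returns only the key names, never the values; anything that reaches logs or the response body should be treated the same way.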

Getting Started

To get started with the Vault Lambda extension please head on over to the GitHub repo. This repository contains the source code, the ARN you’ll use in your Lambda function, and an end-to-end example with instructions.
