
I want to use the aws lambda update-function-code command to deploy the code of my function. The problem here is that the aws CLI always prints out some information after deployment. That information contains sensitive information, such as environment variables and their values. That is not acceptable as I'm going to use public CI services, and I don't want that info to become available to anyone. At the same time I don't want to solve this by redirecting everything from the AWS command to /dev/null, for example, as in this case I will lose information about errors and exceptions, which will make it harder to debug if something went wrong. What can I do here?

p.s. SAM is not an option, as it will force me to switch to another framework and completely change the workflow I'm using.

mrivanlima
Guru_1010
  • I'm confused. You say you don't want to show it, but you say you don't want to lose it. Can you just direct it to a log file instead? Or, how about redirecting normal output but showing `stderr` on-screen? See [How to redirect stderr to a file](https://askubuntu.com/a/625230/443786) and [bash - How to pipe stderr, and not stdout? - Stack Overflow](https://stackoverflow.com/questions/2342826/how-to-pipe-stderr-and-not-stdout). – John Rotenstein Jun 15 '19 at 23:45
  • @JohnRotenstein As far as I remember `aws cli lambda` doesn't send errors to stderr, it just returns json with property error to stdout – Guru_1010 Jun 17 '19 at 16:43
  • Does this answer your question? [Bash print stderr only, not stdout](https://stackoverflow.com/questions/25331205/bash-print-stderr-only-not-stdout) – SomeGuyOnAComputer Jul 24 '20 at 12:27
  • I've just run into this too. Huge security risk in my eyes. It seems like the S3 commands have `--only-show-errors` but similar does not exist for lambda it seems. I've gone with `> /dev/null` for now. – Derek C. May 26 '21 at 18:43

3 Answers


You could target the output you'd like to suppress by replacing those values with jq.

For example, if you had output from the cli command like below:

{
  "FunctionName": "my-function",
  "LastModified": "2019-09-26T20:28:40.438+0000",
  "RevisionId": "e52502d4-9320-4688-9cd6-152a6ab7490d",
  "MemorySize": 256,
  "Version": "$LATEST",
  "Role": "arn:aws:iam::123456789012:role/service-role/my-function-role-uy3l9qyq",
  "Timeout": 3,
  "Runtime": "nodejs10.x",
  "TracingConfig": {
      "Mode": "PassThrough"
  },
  "CodeSha256": "5tT2qgzYUHaqwR716pZ2dpkn/0J1FrzJmlKidWoaCgk=",
  "Description": "",
  "VpcConfig": {
      "SubnetIds": [],
      "VpcId": "",
      "SecurityGroupIds": []
  },
  "CodeSize": 304,
  "FunctionArn": "arn:aws:lambda:us-west-2:123456789012:function:my-function",
  "Handler": "index.handler",
  "Environment": {
    "Variables": {
      "SomeSensitiveVar": "value",
      "SomeOtherSensitiveVar": "password"
    }
  }
}

You might pipe that to jq and replace values only if the keys exist:

aws lambda update-function-code <args> | jq '
  if .Environment.Variables.SomeSensitiveVar? then .Environment.Variables.SomeSensitiveVar = "REDACTED" else . end |
  if .Environment.Variables.SomeOtherSensitiveVar? then .Environment.Variables.SomeOtherSensitiveVar = "REDACTED" else . end'

You know which data is sensitive and will need to set this up appropriately. You can see the example of what data is returned in the cli docs and the API docs are also helpful for understanding what the structure can look like.

Brandon Miller


Lambda environment variables show themselves everywhere and cannot be considered private. If your environment variables are sensitive, you could consider using AWS Secrets Manager.

In a nutshell:

  • create a secret in the secret store. It has a name (public) and a value (secret, encrypted, with proper user access control)
  • Allow your lambda to access the secret store
  • In your lambda env, store the name of your secret, and tell your lambda to get the corresponding value at runtime
  • bonus: password rotation is made super easy, as you don't even have to update your lambda config anymore
aherve


Here is a solution that doesn't require installing any tools, works on mac and linux, and will only print output if there was an error:

create a file named: update_lambda_function.sh:

#!/bin/bash

# Run the command and capture its stdout and stderr together
output=$(aws lambda update-function-code --function-name=YOUR_FUNCTION --zip-file=fileb://function.zip 2>&1)

# $? is the exit status of the aws command (the assignment itself does not change it)
if [ $? -ne 0 ]; then
    # The command failed: print the captured output and propagate the failure to the CI job
    echo "Error: $output" >&2
    exit 1
fi

Before you can run the script, you'll need to make it executable. You can do this with the chmod command in your terminal:

chmod +x update_lambda_function.sh

After that, you can run your script like this:

./update_lambda_function.sh
Anatol
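Combining the two approaches above (jq-style redaction and capture-then-check), as an added example that is not code from any of the answers: a Python wrapper that redacts every value under Environment.Variables instead of naming keys one by one, and still fails the CI job with the CLI's error text when the update does not succeed. It assumes the aws CLI is on PATH; the sample response embedded in it is constructed from the JSON shown in the first answer.

```python
import json
import subprocess
import sys

REDACTED = "REDACTED"
# Constructed sample of what `aws lambda update-function-code` prints,
# trimmed to the fields that matter here; not output of a real deployment.
SAMPLE_RESPONSE = {
    "FunctionName": "my-function",
    "CodeSha256": "5tT2qgzYUHaqwR716pZ2dpkn/0J1FrzJmlKidWoaCgk=",
    "Environment": {"Variables": {"SomeSensitiveVar": "value",
                                  "SomeOtherSensitiveVar": "password"}},
}
SAMPLE_STDOUT = json.dumps(SAMPLE_RESPONSE)


def redact_lambda_response(resp):
    """Return a copy in which every Environment.Variables value is replaced.
    Key names are kept so the log still shows which variables are set, and
    no per-key list of "sensitive" names has to be maintained."""
    if not isinstance(resp, dict):
        return resp
    out = json.loads(json.dumps(resp))  # deep copy; the caller's dict is untouched
    env = out.get("Environment")
    if isinstance(env, dict) and isinstance(env.get("Variables"), dict):
        env["Variables"] = {k: REDACTED for k in env["Variables"]}
    return out


def summarize_cli_output(stdout, stderr, returncode):
    """Text that is safe to show in a CI log: JSON output is redacted, non-JSON
    output (error text) is passed through, and a failure keeps its exit code."""
    try:
        body = json.dumps(redact_lambda_response(json.loads(stdout)), indent=2)
    except (ValueError, TypeError):  # stdout was empty or not JSON
        body = stdout
    if returncode != 0:
        return f"aws lambda update-function-code failed (exit {returncode})\n{stderr}{body}"
    return body


def deploy(function_name, zip_path):
    """Run the real CLI, print only the redacted summary, return its exit code."""
    proc = subprocess.run(["aws", "lambda", "update-function-code", "--function-name",
                           function_name, "--zip-file", f"fileb://{zip_path}"],
                          capture_output=True, text=True)
    print(summarize_cli_output(proc.stdout, proc.stderr, proc.returncode))
    return proc.returncode


if __name__ == "__main__":  # usage: python deploy_lambda.py my-function function.zip
    sys.exit(deploy(sys.argv[1], sys.argv[2]))
```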