0

I'm writing a Lambda function in Python 3.8. The function connects to DynamoDB using boto3:

db = boto3.resource('dynamodb', region_name='foo', aws_access_key_id='foo', aws_secret_access_key='foo')

That is what I have while I am developing on my local machine and need to test the function. But when I deploy this to Lambda, I can just remove the credentials and my function will connect to DynamoDB if I have the proper IAM roles and policies set up. For example, this code would work fine when deployed to Lambda:

db = boto3.resource('dynamodb', region_name='foo')

The question is, how can I manage this in terms of pushing code to Lambda? I am using AWS SAM to deploy to AWS. Right now, once I'm done developing my function, I remove the aws_access_key_id='foo' and aws_secret_access_key='foo' parts manually and then deploy the functions using SAM.

There must be a better way to do this? Could I embed these into my IDE instead? I'm using PyCharm. Would that be a better way? If not, what else?

hkjhadj1

3 Answers

2

You should never put credentials in the code like that.

When running the code locally, use the AWS CLI aws configure command to store local credentials in a ~/.aws/config file. The AWS SDKs will automatically look in that file to obtain credentials.

John Rotenstein
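
A pre-deploy check for the pattern in the question, as an added example that is not part of the original answers: it parses Python source and reports any call that passes `aws_access_key_id`, `aws_secret_access_key` or `aws_session_token` as a string literal. The function names, the script name `check_creds.py` and the sample source are hypothetical and constructed for illustration.

```python
import ast
import sys

# boto3 keyword arguments that carry credentials.
CREDENTIAL_KWARGS = {"aws_access_key_id", "aws_secret_access_key", "aws_session_token"}

# Constructed sample: the question's two calls, with and without inline keys.
SAMPLE = '''import boto3
db = boto3.resource('dynamodb', region_name='foo',
                    aws_access_key_id='foo', aws_secret_access_key='foo')
ok = boto3.resource('dynamodb', region_name='foo')
'''


def call_name(func):
    """Render the called object as a dotted name, e.g. boto3.resource."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def find_hardcoded_credentials(source, filename="<string>"):
    """Return sorted (line, call, kwarg) for credential kwargs passed as string literals."""
    # Values read from variables or os.environ are not flagged; only literals are.
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            literal = isinstance(kw.value, ast.Constant) and isinstance(kw.value.value, str)
            if kw.arg in CREDENTIAL_KWARGS and literal:
                findings.append((node.lineno, call_name(node.func), kw.arg))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python check_creds.py handler.py ...  (exit status 1 on any finding)
    hits = 0
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            for line, call, kwarg in find_hardcoded_credentials(fh.read(), path):
                print(f"{path}:{line}: {call}() passes {kwarg} as a string literal")
                hits += 1
    sys.exit(1 if hits else 0)
```

Run against the function's source files before deploying, the non-zero exit status can fail a build step when inline keys are still present.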
1

In SAM, you can invoke your function locally using sam local invoke or sam local start-lambda.

Both of them take a --profile parameter:

The AWS credentials profile to use.

This will ensure that your local Lambda environment executes with the correct credentials without needing to hard-code them in your code. Subsequently, you can test your code without the modifications that would otherwise be needed when hard-coding the key ID and secret key.

Marcin
0

You can use environment variables.

Environment variables can be configured in PyCharm, as well as in AWS Lambda and AWS SAM.

As stated in the Lambda best practices: "Use environment variables to pass operational parameters to your function. For example, if you are writing to an Amazon S3 bucket, instead of hard-coding the bucket name you are writing to, configure the bucket name as an environment variable."

You can also use an environment variable to specify which environment is being used, which can then be used to explicitly determine whether credentials are necessary.

RamiMac