AWS Lambda Environment Variables – Encryption & Decryption

In this post, we cover how to use AWS Lambda environment variables and discuss why Lambda functions need them.

Use case of Environment Variables in AWS Lambda Function

You can use environment variables to customize function behavior in your test and production environments. For example, you can create two functions with the same code but different configurations, using environment variables to hold different values: one set for production and another for the test environment.

Creating Lambda Environment Variables 

  1. Go to the AWS Dashboard, click on the Lambda service and select your function.
  2. Select the Configuration tab on the function.
  3. Click on Environment variables and click on Edit.

AWS Environment Variables

  4. Add the Key and Value for the environment variable you are creating.

Edit Environment Variable in AWS

Encrypting Lambda Environment Variables

Once you have created the Lambda environment variables, you can also encrypt their values.

  1. To encrypt a Lambda environment variable, select the Encrypt in transit option, click on the Encrypt button, and then choose the AWS KMS key.

Enable Encryption of AWS Environment Variables

  2. Click on Save.

Decrypting and Reading AWS Lambda Environment Variables: Java Example

Here is a code snippet that can be added to a function to decrypt and read the encrypted environment variable. Decryption happens once per container initialization, so the KMS call is not repeated on every invocation.

import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.AWSKMSClientBuilder;
import com.amazonaws.services.kms.model.DecryptRequest;
import com.amazonaws.services.lambda.runtime.Context;
import com.amazonaws.util.Base64;

public class Hello {

    // Name of the environment variable created in the console above.
    private static final String ENCRYPTED_ENV_VAR = "prerna";

    // This variable holds the decrypted value. Decryption happens on the first
    // invocation, when the container is initialized, and the result is reused
    // for subsequent invocations.
    private static final String DECRYPTED_KEY = decryptKey();

    public String myHandler(int someInput, Context context) {
        // Implement your business logic here.
        // Use DECRYPTED_KEY to refer to the plaintext value.
        return DECRYPTED_KEY;
    }

    private static String decryptKey() {
        System.out.println("Decrypting key");
        String encrypted = System.getenv(ENCRYPTED_ENV_VAR);
        if (encrypted == null) {
            throw new IllegalStateException(
                    "Environment variable " + ENCRYPTED_ENV_VAR + " is not set");
        }
        byte[] encryptedKey = Base64.decode(encrypted);

        // The console's encryption helper binds the ciphertext to the function
        // name through the KMS encryption context; decryption must supply the
        // same context or KMS rejects the request.
        Map<String, String> encryptionContext = new HashMap<>();
        encryptionContext.put("LambdaFunctionName",
                System.getenv("AWS_LAMBDA_FUNCTION_NAME"));

        AWSKMS client = AWSKMSClientBuilder.defaultClient();

        DecryptRequest request = new DecryptRequest()
                .withCiphertextBlob(ByteBuffer.wrap(encryptedKey))
                .withEncryptionContext(encryptionContext);

        ByteBuffer plainTextKey = client.decrypt(request).getPlaintext();
        // Copy only the readable bytes; array() may expose unused backing storage.
        byte[] plaintext = new byte[plainTextKey.remaining()];
        plainTextKey.get(plaintext);
        return new String(plaintext, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        Hello h = new Hello();
        System.out.println(h.myHandler(1, null));
    }
}
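The encryption context the code supplies (LambdaFunctionName) can also be enforced on the authorization side, so the execution role can only decrypt ciphertext that was bound to this function. The following IAM policy statement for the function's execution role is an added example, not from the original post: it grants kms:Decrypt on the chosen KMS key only when the request carries the matching function-name context. The region, account id, key id and function name are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DecryptLambdaEnvVarsForOneFunction",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
      "Condition": {
        "StringEquals": {
          "kms:EncryptionContext:LambdaFunctionName": "my-function"
        }
      }
    }
  ]
}
```

A call from another function (or from outside Lambda) that omits the context or supplies a different function name is denied, even if it holds the same ciphertext.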

I hope this tutorial was helpful to you. If you are interested in learning more about AWS Lambda, please have a look at the list of video courses below. One of them might be what you are looking for.

Happy learning!
