AWS Lambda
How to use Hanzo KMS secrets in AWS Lambda
Learn how to sync Hanzo KMS secrets to AWS Lambda regardless of how you deploy your function. This guide covers the following strategies:
- Hanzo KMS SDKs
- AWS Secrets Manager integration
- AWS Systems Manager Parameter Store integration
- AWS CLI
Choose your sync strategy
Fetch secrets at runtime with Hanzo KMS SDKs
If you control the Lambda code, the simplest method is to fetch secrets directly from Hanzo KMS using one of our SDKs.
You can read more about the Hanzo KMS SDKs here.
Push via secret sync
Configure a secret sync from your Hanzo KMS project, and Hanzo KMS will keep your Secrets Manager or Parameter Store values up to date. Your Lambda function can then reference those secrets directly.
Learn more about the AWS Secrets Manager integration and the AWS Parameter Store integration.
Push environment variables directly using the AWS CLI
For straightforward workflows or quick rotations, you can push Hanzo KMS secrets directly into Lambda environment variables using the AWS CLI.
Prerequisites
- AWS CLI v2 installed and authenticated
- jq installed locally
- An IAM principal with lambda:UpdateFunctionConfiguration
- KMS CLI (kms) configured
IAM permissions
Attach a policy like the one below to the IAM user or role responsible for updating Lambda configuration:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "LambdaConfig",
"Effect": "Allow",
"Action": ["lambda:UpdateFunctionConfiguration"],
"Resource": "*"
}
]
}
Where possible, replace the "*" in Resource with the ARN of the function (or functions) you actually sync. With the wildcard, this principal can change the configuration of every function in the account, not only its environment variables but also its runtime, handler and execution role.
Replacing Lambda environment variables using the AWS CLI overwrites the entire
Variables object. Export your current values and import them into Hanzo KMS
before running the command, otherwise any variable not present in the export is lost.
Push secrets to Lambda
Use the KMS CLI to export secrets as JSON and pass them to the AWS CLI.
The example below targets a project by ID, but you can also use the --project and --env flags.
Learn more about kms export here.
FUNCTION_NAME=kms-env-test
REGION=us-east-1
PROJECT_ID=1234567890
aws lambda update-function-configuration \
  --function-name "$FUNCTION_NAME" \
  --region "$REGION" \
  --environment "$(
    kms export \
      --format=json \
      --projectId="$PROJECT_ID" \
    | jq 'map({(.key): .value}) | add | {Variables: .}'
  )"
On success, the updated Environment.Variables block is returned, with the secret values in clear text, so avoid piping the command's output into CI logs.
Verify the values in the Lambda console or by invoking the function.
Keep in mind that environment variables are readable by any principal with lambda:GetFunctionConfiguration and are shown in the console. They are encrypted at rest with an AWS managed key by default; pass --kms-key-arn to update-function-configuration if you need them under a customer managed key.
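The one-liner above overwrites every existing variable on the function. The script below, an added example that is not part of Hanzo KMS or the AWS CLI, wraps the same two CLI calls so that the existing variables are fetched first, merged with the exported secrets, and only then written back. It assumes, as the page's jq filter does, that kms export --format=json prints an array of {"key": ..., "value": ...} objects; the sample export embedded in the script is constructed for offline runs. Running it for real additionally needs lambda:GetFunctionConfiguration on the principal.

```python
#!/usr/bin/env python3
"""Push Hanzo KMS secrets into a Lambda function's environment variables while
preserving variables that are already set. Added example, not Hanzo KMS or AWS
code; the `kms` CLI is assumed to emit an array of {"key","value"} objects."""
import json
import subprocess
import sys

# Constructed sample of `kms export --format=json` output, used for offline runs.
SAMPLE_EXPORT = json.dumps([
    {"key": "DB_PASSWORD", "value": "s3cr3t"},
    {"key": "API_TOKEN", "value": "tok_123"},
])


def to_variables(export_json: str) -> dict:
    """Same mapping as jq 'map({(.key): .value}) | add', except that empty or
    duplicate keys are an error instead of silently letting the last one win."""
    variables = {}
    for entry in json.loads(export_json):
        key = entry["key"]
        if not key:
            raise ValueError("secret with empty key in export")
        if key in variables:
            raise ValueError(f"duplicate secret key in export: {key}")
        variables[key] = str(entry["value"])  # Lambda only accepts string values
    return variables


def overwritten_keys(existing: dict, secrets: dict) -> list:
    """Names of existing variables that the synced secrets will replace."""
    return sorted(set(existing) & set(secrets))


def merge_environment(existing: dict, secrets: dict) -> dict:
    """Build the --environment payload: existing variables kept, secrets win."""
    merged = dict(existing)
    merged.update(secrets)
    return {"Variables": merged}


def update_command(function_name, region, environment, kms_key_arn=None):
    """argv for aws lambda update-function-configuration; --kms-key-arn moves
    the at-rest encryption of the variables to a customer managed key."""
    cmd = [
        "aws", "lambda", "update-function-configuration",
        "--function-name", function_name,
        "--region", region,
        "--environment", json.dumps(environment),
    ]
    if kms_key_arn:
        cmd += ["--kms-key-arn", kms_key_arn]
    return cmd


def run(cmd):
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def current_variables(function_name, region) -> dict:
    """Fetch the live Variables map (needs lambda:GetFunctionConfiguration)."""
    out = run([
        "aws", "lambda", "get-function-configuration",
        "--function-name", function_name, "--region", region,
        "--query", "Environment.Variables", "--output", "json",
    ])
    return json.loads(out) or {}  # the CLI prints "null" when none are set


def main():
    function_name, region, project_id = sys.argv[1:4]
    kms_key_arn = sys.argv[4] if len(sys.argv) > 4 else None
    export = run(["kms", "export", "--format=json", f"--projectId={project_id}"])
    secrets = to_variables(export)
    existing = current_variables(function_name, region)
    # Only key names are logged; values never reach stdout/stderr.
    for key in overwritten_keys(existing, secrets):
        print(f"overwriting existing variable {key}", file=sys.stderr)
    run(update_command(function_name, region,
                       merge_environment(existing, secrets), kms_key_arn))
    print(f"synced {len(secrets)} secrets to {function_name}")


if __name__ == "__main__":
    main()
```

Usage: python3 sync_lambda_env.py kms-env-test us-east-1 1234567890 [kms-key-arn]. The script deliberately swallows the CLI output instead of echoing it, because update-function-configuration returns the full Variables map in clear text.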
Automate this step in CI/CD. Run kms export using a KMS Token scoped to your project and environment, and trigger the sync as part of your deployment workflow. Learn more about the Hanzo KMS Token.
We recommend using automatic secret syncs to AWS Secrets Manager or AWS Parameter Store to keep your secrets continuously in sync and avoid manually updating the Lambda configuration.