Please note: We take Vault's security and our users' trust very seriously. If you believe you have found a security issue in Vault or vault-lambda-extension, please responsibly disclose by contacting us at security@hashicorp.com.
This repository contains the source code for HashiCorp's Vault AWS Lambda extension. The extension utilizes the AWS Lambda Extensions API to help your Lambda function read secrets from your Vault deployment.
To use the extension, include one of the following ARNs as a layer in your Lambda function, depending on your desired architecture.
amd64 (x86_64):
arn:aws:lambda:<your-region>:634166935893:layer:vault-lambda-extension:20
arm64:
arn:aws:lambda:<your-region>:634166935893:layer:vault-lambda-extension-arm64:8
where <your-region> is any of the following regions:
af-south-1
ap-east-1
ap-northeast-1
ap-northeast-2
ap-northeast-3
ap-south-1
ap-south-2
ap-southeast-1
ap-southeast-2
ca-central-1
eu-central-1
eu-north-1
eu-south-1
eu-west-1
eu-west-2
eu-west-3
me-south-1
sa-east-1
us-east-1
us-east-2
us-west-1
us-west-2
Alternatively, you can download binaries for packaging into a container image here. See the full documentation page for more details.
The extension authenticates with Vault using AWS IAM auth, and all configuration is supplied via environment variables. There are two methods to read secrets, which can both be used side-by-side:
- Recommended: Make unauthenticated requests to the extension's local proxy server at http://127.0.0.1:8200, which will add an authentication header and proxy the request to the configured VAULT_ADDR. Responses from Vault are returned without modification.
- Configure environment variables such as VAULT_SECRET_PATH for the extension to read a secret and write it to disk.
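As an added example (not code from the vault-lambda-extension project), here is a Python Lambda handler that uses the first method: it sends a token-less request to the local proxy and parses the unmodified KV v2 response. The secret path v1/secret/data/myapp, the VAULT_PROXY_ADDR override variable and the offline fake opener are assumptions made for illustration.

```python
import json
import os
import urllib.error
import urllib.request

# Assumed override for local testing; the extension itself listens on 127.0.0.1:8200.
PROXY_ADDR = os.environ.get("VAULT_PROXY_ADDR", "http://127.0.0.1:8200")


def proxy_url(api_path: str, base: str = PROXY_ADDR) -> str:
    """Build the proxy URL for a Vault API path such as 'v1/secret/data/myapp'."""
    return f"{base.rstrip('/')}/{api_path.lstrip('/')}"


def parse_kv2(body: bytes) -> dict:
    """Extract the key/value map from an unmodified KV v2 read response."""
    doc = json.loads(body)
    try:
        return doc["data"]["data"]
    except (KeyError, TypeError) as exc:
        raise ValueError("response is not a KV v2 secret") from exc


def read_secret(api_path: str, opener=urllib.request.urlopen, timeout: float = 5.0) -> dict:
    """Read a secret through the proxy; `opener` is injectable so the logic runs offline."""
    req = urllib.request.Request(proxy_url(api_path))
    # No X-Vault-Token header is set here: the extension adds it before forwarding.
    try:
        with opener(req, timeout=timeout) as resp:
            return parse_kv2(resp.read())
    except urllib.error.HTTPError as exc:
        # Vault errors pass through unmodified; report the status without logging the body.
        raise RuntimeError(f"Vault returned HTTP {exc.code} for {api_path}") from exc


def handler(event, context):
    secret = read_secret("v1/secret/data/myapp")  # assumed mount and path
    return {"statusCode": 200, "body": json.dumps({"keys": sorted(secret)})}


# Constructed sample response in the shape Vault returns for a KV v2 read.
SAMPLE_RESPONSE = json.dumps({"data": {"data": {"db_user": "app", "db_pass": "s3cret"},
                                       "metadata": {"version": 1}}}).encode()


class _FakeResponse:
    def __init__(self, body): self._body = body
    def read(self): return self._body
    def __enter__(self): return self
    def __exit__(self, *a): return False


def fake_opener(req, timeout=None):
    """Offline stand-in for urlopen; checks that the function sent no Vault token itself."""
    assert "X-vault-token" not in dict(req.header_items())
    return _FakeResponse(SAMPLE_RESPONSE)
```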
The learn guide is the most complete and fully explained tutorial on getting started from scratch. Alternatively, you can follow the similar quick start guide below or see the instructions for adding the extension to your existing function. General usage documentation is also available.
The quick-start directory has an end-to-end example, for which you will need an AWS account and some command line tools. Follow the readme in that directory if you'd like to try out the extension from scratch. Please note that it will create real infrastructure with an associated cost, as per AWS pricing.
If you want to test changes to the lambda extension, you can build and deploy the local version for testing with the Quick Start:
make zip
make quick-start TERRAFORM_ARGS="-var local_extension=true"
There is also a terraform variable for using an additional IAM role for the Lambda to assume:
make zip
make quick-start TERRAFORM_ARGS="-var local_extension=true -var assume_role=true"