Please note: We take Vault's security and our users' trust very seriously. If you believe you have found a security issue in Vault or vault-lambda-extension, please responsibly disclose by contacting us at [email protected].
This repository contains the source code for HashiCorp's Vault AWS Lambda extension. The extension utilizes the AWS Lambda Extensions API to help your Lambda function read secrets from your Vault deployment.
To use the extension, include one of the following ARNs as a layer in your Lambda function, depending on your desired architecture.
amd64 (x86_64):
arn:aws:lambda:<your-region>:634166935893:layer:vault-lambda-extension:13
arm64:
arn:aws:lambda:<your-region>:634166935893:layer:vault-lambda-extension-arm64:1
Where region may be any of af-south-1
, ap-east-1
, ap-northeast-1
,
ap-northeast-2
, ap-northeast-3
, ap-south-1
, ap-southeast-1
,
ap-southeast-2
, ca-central-1
, eu-central-1
, eu-north-1
, eu-south-1
,
eu-west-1
, eu-west-2
, eu-west-3
, me-south-1
, sa-east-1
, us-east-1
,
us-east-2
, us-west-1
, us-west-2
.
The extension authenticates with Vault using AWS IAM auth, and all configuration is supplied via environment variables. There are two methods to read secrets, which can both be used side-by-side:
- Recommended: Make unauthenticated requests to the extension's local proxy
server at
http://127.0.0.1:8200
, which will add an authentication header and proxy to the configuredVAULT_ADDR
. Responses from Vault are returned without modification. - Configure environment variables such as
VAULT_SECRET_PATH
for the extension to read a secret and write it to disk.
The learn guide is the most complete and fully explained tutorial on getting started from scratch. Alternatively, you can follow the similar quick start guide below or see the instructions for adding the extension to your existing function. General usage documentation is also available.
The quick-start directory has an end to end example, for which you will need an AWS account and some command line tools. Follow the readme in that directory if you'd like to try out the extension from scratch. Please note it will create real infrastructure with an associated cost as per AWS' pricing.