I am trying to use encrypted environment variables in an AWS Lambda function running in Node.js 4.3, but the code hangs when trying to decrypt the variables. I don't get any error messages, it just times out. Here is what I have tried:
我试图在Node.js 4.3中运行的AWS Lambda函数中使用加密的环境变量,但是在尝试解密变量时代码会挂起。我没有得到任何错误消息,它只是超时。这是我尝试过的:
I created the encryption key in the same region as the Lambda, and ensured that the role the Lambda runs as has access to the key. (I've even tried giving the role full control of the key.)
我在与Lambda相同的区域中创建了加密密钥,并确保Lambda运行的角色可以访问密钥。 (我甚至试过让角色完全控制钥匙。)
When creating the Lambda, I enable encryption helpers, select my encryption key, and encrypt the environment variable:
创建Lambda时,我启用加密助手,选择我的加密密钥,并加密环境变量:
Next I click the "Code" button which gives me javascript code that's supposed to handle the decryption at runtime. Here is the code--the only change I have made is to add console.log
statements and I added a try/catch:
接下来,我单击“代码”按钮,它给出了我应该在运行时处理解密的javascript代码。这是代码 - 我唯一的变化是添加了console.log语句,我添加了一个try / catch:
"use strict";
const AWS = require('aws-sdk');
const encrypted = process.env['DBPASS'];
let decrypted;
function processEvent(event, context, callback) {
console.log("Decrypted: " + decrypted);
callback();
}
exports.handler = (event, context, callback) => {
if (decrypted) {
console.log('data is already decrypted');
processEvent(event, context, callback);
} else {
console.log('data is NOT already decrypted: ' + encrypted);
// Decrypt code should run once and variables stored outside of the function
// handler so that these are decrypted once per container
const kms = new AWS.KMS();
console.log('got kms object');
try {
var myblob = new Buffer(encrypted, 'base64');
console.log('got blob');
kms.decrypt({ CiphertextBlob: myblob }, (err, data) => {
console.log('inside decrypt callback');
if (err) {
console.log('Decrypt error:', err);
return callback(err);
}
console.log('try to get plaintext');
decrypted = data.Plaintext.toString('ascii');
console.log('decrypted: ' + decrypted);
processEvent(event, context, callback);
});
}
catch(e) {
console.log("exception: " + e);
callback('error!');
}
}
};
Here is what I get when I run the function:
这是我运行函数时得到的结果:
data is NOT already decrypted: AQECAH.....
got kms object
got blob
END RequestId: 9b7af.....
Task timed out after 30.00 seconds
When I run the function, it times out. I see that it prints all log statements up to "got blob" then it just stops. No error message other than timed out. I've tried increasing timeout and memory for the Lambda but it just makes it wait longer before timing out.
当我运行该功能时,它会超时。我看到它打印所有日志语句到“blob”然后它就停止了。除超时之外没有错误消息。我已经尝试增加Lambda的超时和内存,但它只是让它在超时之前等待更长时间。
How is decryption supposed to work when I never tell the app what decryption key to use? The documentation for decrypt
does not mention any way to tell it what decryption key to use. And I am not getting any error messages that would tell me it doesn't know what key to use or anything.
当我从未告诉应用程序使用什么解密密钥时,如何解密?解密文档没有提到告诉它使用什么解密密钥的方法。而且我没有收到任何错误消息,告诉我它不知道使用什么密钥或任何东西。
I've tried going through this tutorial but it just tells me to do the same thing I've already done. I've also read all of the environment variables documentation but it says that what I'm doing should just work.
我已经尝试过本教程,但它只是告诉我做我已经做过的同样的事情。我还阅读了所有环境变量文档,但它说我正在做的事情应该正常工作。
1 个解决方案
#1
7
Decrypting the environment variables requires an API call to the KMS service. To do that, your Lambda function must have access to the internet since there are no VPC endpoints for KMS. So, if your Lambda is running in a VPC, make sure you have a NAT configured for the VPC to allow your Lambda function to call KMS.
解密环境变量需要对KMS服务进行API调用。为此,您的Lambda函数必须能够访问Internet,因为KMS没有VPC端点。因此,如果您的Lambda在VPC中运行,请确保为VPC配置了NAT,以允许您的Lambda函数调用KMS。
#1
7
Decrypting the environment variables requires an API call to the KMS service. To do that, your Lambda function must have access to the internet since there are no VPC endpoints for KMS. So, if your Lambda is running in a VPC, make sure you have a NAT configured for the VPC to allow your Lambda function to call KMS.
解密环境变量需要对KMS服务进行API调用。为此,您的Lambda函数必须能够访问Internet,因为KMS没有VPC端点。因此,如果您的Lambda在VPC中运行,请确保为VPC配置了NAT,以允许您的Lambda函数调用KMS。