I have AWS Lambda environment variables locally that I would like to encrypt with a specific KMS key and assign to a Lambda function.
I'd thought that something like
    aws lambda update-function-configuration --function-name functionName --cli-input-json file://config.json
with config.json as
    {
      "Environment": {
        "Variables": {
          "var01": "Variable one",
          "var02": "Variable two"
        }
      },
      "KMSKeyArn": "arn:aws:kms:us-west-1:09238573743:key/...."
    }
would accomplish this. But the variables end up unencrypted. The "KMSKeyArn" seems only to be used to decrypt (e.g. within the function's handler with boto3.client('kms').decrypt).
How do I use the AWS CLI to take local (unencrypted) values, ideally specified in JSON, and assign them as encrypted values for a Lambda function's environment variables using a specific KMS key (and ensure that the same key is assigned to the function for use by boto3.client('kms').decrypt)?
I'd also like to be sure that my variables are never transmitted as plain text (that is, that the encryption occurs locally), if possible.
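
One way to get ciphertext values into the function configuration, as an added example that is not part of the original question: encrypt each value with the KMS Encrypt API and store the base64 ciphertext, which the handler later passes to boto3.client('kms').decrypt. The script name encrypt_env.py, FakeKMS, SAMPLE and the placeholder key ARN are assumptions; the Encrypt call sends each plaintext to KMS over TLS, so the encryption itself happens in KMS and not on the local machine.

```python
import base64
import json
import sys


def encrypt_variables(variables, key_arn, kms):
    """Encrypt each value under key_arn; return {name: base64 ciphertext}."""
    encrypted = {}
    for name, value in variables.items():
        resp = kms.encrypt(KeyId=key_arn, Plaintext=value.encode("utf-8"))
        encrypted[name] = base64.b64encode(resp["CiphertextBlob"]).decode("ascii")
    return encrypted


def build_config(config, kms):
    """Copy a config.json-style dict with every variable value encrypted."""
    out = dict(config)
    out["Environment"] = {"Variables": encrypt_variables(
        config["Environment"]["Variables"], config["KMSKeyArn"], kms)}
    return out


def decrypt_variable(value, kms):
    """Handler side: turn one stored base64 ciphertext back into text."""
    resp = kms.decrypt(CiphertextBlob=base64.b64decode(value))
    return resp["Plaintext"].decode("utf-8")


class FakeKMS:
    """Constructed offline stand-in for boto3.client('kms'); NOT encryption."""

    def encrypt(self, KeyId, Plaintext):
        return {"CiphertextBlob": b"fake:" + Plaintext[::-1]}

    def decrypt(self, CiphertextBlob):
        return {"Plaintext": CiphertextBlob[len(b"fake:"):][::-1]}


# Constructed sample mirroring config.json; the key ARN is a placeholder.
SAMPLE = {
    "Environment": {"Variables": {"var01": "Variable one", "var02": "Variable two"}},
    "KMSKeyArn": "arn:aws:kms:us-west-1:111122223333:key/EXAMPLE-KEY-ID",
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # real run: python encrypt_env.py config.json
        import boto3
        kms = boto3.client("kms")
        with open(sys.argv[1]) as fh:
            config = json.load(fh)
    else:  # offline demo with the stand-in above
        kms, config = FakeKMS(), SAMPLE
    print(json.dumps(build_config(config, kms), indent=2))
```

The output of a real run can be saved to a file and passed to the same update-function-configuration command through --cli-input-json; the function's execution role then needs kms:Decrypt on that key for the handler to read the values.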