Secrets
The Secrets section, in the LambdaSharp Module, lists which KMS keys can be used to decrypt parameter values. The module IAM role will get the kms:Decrypt permission to use these keys.
NOTE: it is strongly recommended to use the Secrets module parameter instead of the Secrets module section. The latter hard-codes the KMS keys that can be used by the module, which may be convenient for prototyping, but reduces the flexibility for deploying the module in different environments.
Syntax
Secrets:
- Secret-Alias-or-ARN
Examples
When a KMS key is referenced by an alias, it is resolved in the account used when deploying the CloudFormation template.
Secrets:
- alias/KeyAlias
When a KMS key is referenced using an ARN, it is used as is.
Secrets:
- arn:aws:kms:us-east-1:123456789012:key/abcdef12-3456-7890-abcd-ef1234567890
Notes
AWS does not allow referencing the built-in KMS key for the AWS Parameter Store (i.e. aws/ssm).
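A pre-deployment check for the entries of a Secrets list, following the alias, ARN and built-in key rules above; this is an added example, not LambdaSharp code. The function names, the regular expressions (approximate shapes of a KMS alias and key ARN) and the deployment account id are assumptions made for illustration.

```python
import re

# Approximate shapes (assumption): KMS key ARN and KMS alias name.
ARN_RE = re.compile(r"^arn:aws[a-z-]*:kms:([a-z0-9-]+):(\d{12}):key/[0-9a-fA-F-]{36}$")
ALIAS_RE = re.compile(r"^alias/[A-Za-z0-9/_-]+$")
# The page gives "aws/ssm"; the "alias/" form of the same built-in key is included too.
BUILT_IN_SSM = {"aws/ssm", "alias/aws/ssm"}


def classify_secret(entry, deploy_account=None):
    """Return (kind, findings) for one entry of a module's Secrets list."""
    entry = entry.strip()
    if entry in BUILT_IN_SSM:
        return "rejected", ["built-in Parameter Store key cannot be referenced"]
    arn = ARN_RE.match(entry)
    if arn:
        region, account = arn.groups()
        findings = [f"used as is: pinned to account {account}, region {region}"]
        if deploy_account and account != deploy_account:
            findings.append(f"key is outside deployment account {deploy_account}")
        return "arn", findings
    if ALIAS_RE.match(entry):
        return "alias", ["resolved in the account used for deployment"]
    return "invalid", ["neither a KMS alias (alias/...) nor a key ARN"]


def lint_secrets(entries, deploy_account=None):
    """Classify every entry; keys of the result are the entries as written."""
    return {e: classify_secret(e, deploy_account) for e in entries}


# Constructed sample: the two entries from the examples above plus two bad ones.
SAMPLE = [
    "alias/KeyAlias",
    "arn:aws:kms:us-east-1:123456789012:key/abcdef12-3456-7890-abcd-ef1234567890",
    "aws/ssm",
    "KeyAlias",
]

if __name__ == "__main__":
    # 210987654321 is a constructed deployment account id.
    for entry, (kind, findings) in lint_secrets(SAMPLE, "210987654321").items():
        print(f"{kind:8} {entry}: {'; '.join(findings)}")
```

An ARN entry flagged as outside the deployment account is the case the NOTE above warns about: the hard-coded key does not follow the module into a different environment.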