Secrets

The Secrets section, in the LambdaSharp Module, lists which KMS keys can be used to decrypt parameter values. The module IAM role will get the mks:Decrypt permission to use these keys.

NOTE: it is strongly recommended to use the Secrets module parameter instead of the Secrets module section. The latter hard-codes the KMS keys that can be used by the module, which may be convenient for prototyping, but reduces the flexibility for deploying the module in different environments.

Syntax

Secrets:
  - Secret-Alias-or-ARN

Examples

When KMS key is referenced by an alias, it is resolved on the account used when deploying the CloudFormation template.

Secrets:
  - alias/KeyAlias

When a KMS key is referenced using an ARN, it is used as is.

Secrets:
  - arn:aws:kms:us-east-1:123456789012:key/abcdef12-3456-7890-abcd-ef1234567890

Notes

AWS does not allow referencing the built-in KMS key for the AWS Parameter Store (i.e. aws/ssm).