How to decrypt an SSM parameter SecureString value returned by a Terraform data resource

Problem description

I have the following Terraform code that fetches a parameter from the parameter store:

data "aws_ssm_parameter" "foo" {
  name            = "password"
  with_decryption = false
}

module "lambda_env_vars" {
  New_password = data.aws_ssm_parameter.foo.value
}

Plan output:
New_password = q#iuws##)9ssdhs(some encryptrd value)

How can I decrypt it to plain text inside the Lambda function?

Sample code I have been trying:

import boto3
import os

from base64 import b64decode

def lambda_handler(event, context):
    # The env var holds the base64 ciphertext that Terraform read with with_decryption = false
    encrypted = os.environ['New_password']
    decrypted = boto3.client('kms').decrypt(CiphertextBlob=b64decode(encrypted))['Plaintext']

    print("Decrypted value:", decrypted)

Solution

After some research I found that the AWS Encryption SDK cryptographically binds the encryption context to the encrypted data reference, so we must use the same key to decrypt. EncryptionContext solved it for me.

Note: this is Node.js code

const aws = require('aws-sdk')
const kms = new aws.KMS()

exports.handler = async (event, context, callback) => {
  // The env var holds the jsonencode()'d aws_ssm_parameter object, so the ARN
  // needed for the encryption context comes from the same JSON as the ciphertext
  var password_json = JSON.parse(process.env.New_password)
  let params = {
    CiphertextBlob: Buffer.from(password_json['value'], 'base64'),
    EncryptionContext: {
      'PARAMETER_ARN': password_json['arn']
    }
  }

  let secret = null
  const decrypted = await kms.decrypt(params).promise()
  secret = decrypted.Plaintext.toString('utf-8')

  return secret;
}

Attribute change

module "lambda_env_vars" {
  New_password = jsonencode(data.aws_ssm_parameter.foo)
}

ENV vars on the Lambda console

New_password {"arn":"arn:aws:ssm:xxxxx:41xxxxx:parameter/password","id":"password","name":"password","type":"SecureString","value":"xxxxxxxx","version":2,"with_decryption":false}

This way (jsonencode) we also avoid hardcoding the parameter ARN inside the code.


Below is the Python code with a hardcoded parameter ARN:

import base64
import boto3
import os

def decrypt(session, secret):
    client = session.client('kms')
    # SSM encrypts SecureString values with PARAMETER_ARN as the encryption
    # context, so the same ARN must be supplied for Decrypt to succeed
    plaintext = client.decrypt(
        CiphertextBlob=bytes(base64.b64decode(secret)),
        EncryptionContext={
            'PARAMETER_ARN': 'arn:aws:ssm:us-east-1:xxxxx:parameter/password'
        }
    )
    return plaintext["Plaintext"]

session = boto3.session.Session()
encrypted = os.environ['New_password']

print(decrypt(session, encrypted))
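The two answers above (the Node.js handler that reads the jsonencode()'d parameter and the Python version with a hardcoded ARN) both rely on the same fact: SSM stores a SecureString as KMS ciphertext whose encryption context is `PARAMETER_ARN=<parameter ARN>`, so `Decrypt` only succeeds when that context is supplied. The following is an added example, not code from the question or either answer, that combines both approaches in Python: it parses the JSON env var, builds the decrypt request, and runs against a constructed stand-in for the KMS client (`FakeKms`, with a made-up ARN and ciphertext) so it can be executed offline. The real `lambda_handler` at the bottom simply swaps in `boto3.client("kms")`.

```python
import base64
import json
import os


class InvalidCiphertextError(Exception):
    """Raised by the stand-in when the context does not match (KMS itself raises
    InvalidCiphertextException in this situation)."""


def build_decrypt_request(param_json):
    """Turn the jsonencode()'d aws_ssm_parameter object into KMS Decrypt arguments.

    SSM encrypts a SecureString under the parameter's KMS key with the encryption
    context PARAMETER_ARN=<parameter ARN>; Decrypt must receive that same context.
    """
    param = json.loads(param_json)
    if param.get("type") != "SecureString":
        raise ValueError("parameter %r is not a SecureString" % param.get("name"))
    return {
        "CiphertextBlob": base64.b64decode(param["value"]),
        "EncryptionContext": {"PARAMETER_ARN": param["arn"]},
    }


def decrypt_parameter(param_json, kms_client):
    """Decrypt the parameter value using any object with a boto3-style decrypt()."""
    response = kms_client.decrypt(**build_decrypt_request(param_json))
    return response["Plaintext"].decode("utf-8")


def lambda_handler(event, context):
    # Real entry point: the Lambda execution role needs kms:Decrypt on the
    # parameter's key. boto3 is imported here so the rest runs without it.
    import boto3
    return decrypt_parameter(os.environ["New_password"], boto3.client("kms"))


class FakeKms:
    """Constructed offline stand-in for the KMS client. It only 'knows' ciphertext
    that was issued under a given PARAMETER_ARN context, mirroring KMS behaviour."""

    def __init__(self, vault):
        # (ciphertext bytes, parameter ARN) -> plaintext bytes
        self._vault = vault

    def decrypt(self, CiphertextBlob, EncryptionContext):
        key = (CiphertextBlob, EncryptionContext.get("PARAMETER_ARN"))
        if key not in self._vault:
            raise InvalidCiphertextError("ciphertext or encryption context mismatch")
        return {"Plaintext": self._vault[key]}


# Constructed sample data: a made-up account id, ARN and ciphertext, laid out
# like the env var that jsonencode(data.aws_ssm_parameter.foo) produces.
SAMPLE_ARN = "arn:aws:ssm:us-east-1:111111111111:parameter/password"
SAMPLE_CIPHERTEXT = b"constructed-ciphertext-bytes"
SAMPLE_ENV = json.dumps({
    "arn": SAMPLE_ARN,
    "id": "password",
    "name": "password",
    "type": "SecureString",
    "value": base64.b64encode(SAMPLE_CIPHERTEXT).decode("ascii"),
    "version": 2,
    "with_decryption": False,
})
FAKE_KMS = FakeKms({(SAMPLE_CIPHERTEXT, SAMPLE_ARN): b"hunter2"})


def context_mismatch_is_rejected():
    """Show the failure mode: the same ciphertext presented under another ARN fails."""
    wrong = json.loads(SAMPLE_ENV)
    wrong["arn"] = SAMPLE_ARN.replace("password", "other")
    try:
        decrypt_parameter(json.dumps(wrong), FAKE_KMS)
    except InvalidCiphertextError:
        return True
    return False


if __name__ == "__main__":
    print("Decrypted value:", decrypt_parameter(SAMPLE_ENV, FAKE_KMS))
    print("Wrong ARN rejected:", context_mismatch_is_rejected())
```

Because the ARN travels with the ciphertext inside the JSON, the handler works unchanged across accounts and regions; the only deployment requirement is that the Lambda role is allowed `kms:Decrypt` on the key the parameter uses. Reading the parameter with `with_decryption = false`, as the question does, also means the plaintext never appears in the Terraform plan output or state, only in the Lambda at runtime.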