At times your code needs to access sensitive information such as private keys, passwords, and access tokens. You should avoid storing these in your serverless.yml. Seed lets you store them as secret environment variables through the Seed console.

When you first create a Seed project, an encryption key is generated and stored in your AWS KMS account. When you create a secret variable, Seed uses this key to encrypt the secret value and stores only the encrypted value. Upon deployment, Seed decrypts the value and sets it as a Lambda environment variable.

Seed encrypts your secrets using your AWS KMS keys

You can then access them in your Node.js Lambda functions using the process.env object.

To create a secret variable, navigate to the stage in your Seed console and select Settings.

Select Show Env Variables.

Enter the Key and Value for the new secret, and click Add.

Note that the newly created secrets will take effect only after the next deployment to this stage.

Secret variables take precedence over the other stage variables defined in serverless.yml. If you define a secret variable and the same variable is also defined in the yaml file, the value defined in serverless.yml is overridden.

Secrets take precedence over other environment variables

This is useful when you are developing locally, where your Lambda functions do not have access to the secrets from the Seed console.

For example, we just created a secret variable DB_PASSWORD for the production stage. The same variable is also defined in the serverless.yml.

service: service-name

provider:
  name: aws
  environment:
    DB_PASSWORD: '1234567890'

When you invoke your function in any environment other than production, process.env.DB_PASSWORD returns the value defined in serverless.yml. In production, it returns the secret value that you set in the Seed console.

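export function main(event, context, callback) {
  // Demonstration only: Lambda sends console output to CloudWatch Logs,
  // so do not log secret values in deployed code.
  console.log(process.env.DB_PASSWORD);

  // ...
}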

Finally, you can access your secrets just as you would access any other environment variable in Lambda.
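Because the serverless.yml value is only overridden once a secret exists and the stage has been redeployed, a production function can end up running with the local value. The following startup check is an added example, not code from Seed or from the original page; it assumes a hypothetical STAGE environment variable set per stage, and the names loadSecret and secretSource are illustrative.

```javascript
// Added example. Assumption: STAGE is a hypothetical variable you set per stage.
// LOCAL_DEFAULTS mirrors the value committed in the page's serverless.yml.
const LOCAL_DEFAULTS = { DB_PASSWORD: '1234567890' };

// Classify where the value came from without ever returning the value itself,
// so the result is safe to write to logs.
function secretSource(env, name) {
  const value = env[name];
  if (value === undefined || value === '') return 'missing';
  return value === LOCAL_DEFAULTS[name] ? 'serverless.yml default' : 'overridden';
}

// Return the secret, or throw when production would run on the committed
// serverless.yml value (secret never created, or created but not yet deployed).
function loadSecret(env, name) {
  const source = secretSource(env, name);
  if (source === 'missing') {
    throw new Error(`${name} is not set`);
  }
  if (env.STAGE === 'production' && source !== 'overridden') {
    throw new Error(
      `${name} still has the serverless.yml value in production; ` +
      'create the secret in the Seed console and redeploy the stage'
    );
  }
  return env[name];
}

// Handler sketch: export it the way your build expects
// (the page uses `export function main`).
function main(event, context, callback) {
  let dbPassword;
  try {
    dbPassword = loadSecret(process.env, 'DB_PASSWORD');
  } catch (err) {
    return callback(err); // fail fast instead of connecting with a known value
  }
  // Log only the source of the value, never the secret.
  console.log(`DB_PASSWORD source: ${secretSource(process.env, 'DB_PASSWORD')}`);
  // ... use dbPassword to open the database connection
  return callback(null, { statusCode: 200 });
}
```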