docs: adds aws lambda secret sync docs

2026-01-09 07:28:09 -05:00 · 2025-11-18 20:37:21 +05:30
parent 867a818728
commit f43ecb29ef
2 changed files with 122 additions and 0 deletions
--- a/docs/docs.json
+++ b/docs/docs.json
@@ -490,6 +490,10 @@
                "pages": [
                  "integrations/platforms/ansible",
                  "integrations/platforms/apache-airflow",
+                  {
+                    "group": "AWS",
+                    "pages": ["integrations/platforms/aws/lambda"]
+                  },
                  {
                    "group": "Kubernetes Operator",
                    "pages": [
--- a/docs/integrations/platforms/aws/lambda.mdx
+++ b/docs/integrations/platforms/aws/lambda.mdx
@@ -0,0 +1,118 @@
+---
+title: "AWS Lambda"
+sidebarTitle: "AWS Lambda"
+description: "Keep AWS Lambda environment variables in sync with Infisical"
+---
+
+Learn how to sync Infisical secrets to AWS Lambda regardless of how you deploy your function.  
+This guide covers the following strategies:
+
+- Infisical SDKs
+- AWS Secrets Manager integration
+- AWS Systems Manager Parameter Store integration
+- AWS CLI
+
+## Choose your sync strategy
+
+### 1. Fetch secrets at runtime with Infisical SDKs
+
+If you control the Lambda code, the simplest method is to fetch secrets directly from Infisical using one of our SDKs.  
+You can read more about the Infisical SDKs [here](/sdks/overview).
+
+### 2. Sync secrets using AWS Secrets Manager
+
+Infisical can continuously push secrets into AWS Secrets Manager.  
+Configure a secret sync from your Infisical project, and Infisical will keep your Secrets Manager values up to date. Your Lambda function can then reference those secrets directly.  
+Learn more about the AWS Secrets Manager integration [here](/integrations/secret-syncs/aws-secrets-manager).
+
+### 3. Sync secrets using AWS Systems Manager Parameter Store
+
+Similarly, Infisical can automatically sync secrets into AWS Systems Manager Parameter Store.  
+Once configured, your Parameter Store values will remain up to date and can be referenced by your Lambda function.  
+Learn more about the Parameter Store integration [here](/integrations/secret-syncs/aws-parameter-store).
+
+### 4. Push environment variables directly using the AWS CLI
+
+For straightforward workflows or quick rotations, you can push Infisical secrets directly into Lambda environment variables using the AWS CLI.
+
+## Prerequisites
+
+- AWS CLI v2 installed and authenticated
+- `jq` installed locally
+- An IAM principal with `lambda:UpdateFunctionConfiguration`
+- Infisical CLI (`infisical`) configured
+
+### IAM permissions
+
+Attach a policy like the one below to the IAM user or role responsible for updating Lambda configuration:
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "LambdaConfig",
+      "Effect": "Allow",
+      "Action": ["lambda:UpdateFunctionConfiguration"],
+      "Resource": "*"
+    }
+  ]
+}
+```
+
+<Note>
+  {" "}
+  Replacing Lambda environment variables using the AWS CLI overwrites the entire
+  `Variables` object. Make sure to export your current values so you can import them
+  into Infisical.{" "}
+</Note>
+
+#### Push secrets to Lambda
+
+Use the Infisical CLI to export secrets as JSON and pass them to the AWS CLI.
+The example below targets a project by ID, but you can also use the `--project` and `--env` flags.
+Learn more about `infisical export` [here](/cli/commands/export#infisical-export).
+
+```bash
+FUNCTION_NAME=infisical-env-test
+REGION=us-east-1
+PROJECT_ID=1234567890
+
+aws lambda update-function-configuration \
+  --function-name "$FUNCTION_NAME" \
+  --region "$REGION" \
+  --environment "$(
+    infisical export \
+      --format=json \
+      --projectId="$PROJECT_ID" \
+    | jq 'map({(.key): .value}) | add | {Variables: .}'
+  )"
+```
+
+On success, the updated `Environment.Variables` block will be returned.
+Verify the values in the Lambda console or by invoking the function.
+
+<Tip>
+  {" "}
+  Automate this step in CI/CD. Run `infisical export` using an Infisical API key
+  scoped to your project and environment, and trigger the sync as part of your deployment
+  workflow.{" "}
+</Tip>
+
+#### Test your Lambda
+
+Deploy or update your Lambda function, then run a test invocation to confirm the secrets were loaded correctly.
+For example, a simple Node.js handler might log the environment variables:
+
+```javascript
+export const handler = async () => {
+  const allEnvVars = process.env;
+  console.log("Environment Variables:", JSON.stringify(allEnvVars, null, 2));
+};
+```
+
+<Tip>
+  We recommend using automatic secret syncs to AWS Secrets Manager or AWS
+  Systems Manager Parameter Store to keep your secrets continuously in sync and
+  avoid manually updating the Lambda configuration.
+</Tip>