AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are not being overridden by dotenv

[nnnikolay]

It's quite a wired issue, anyway, I can't find it out why it is like that.

I've developed a small lambda function, which I would like to be able to test locally first.
The main goal of the lambda function is to fetch and handle messages from AWS SQS.

While I'm running that function with help this docker image lambci/lambda nothing happens, it waits for 10+ seconds and then stops it :(

$ docker run -v "$PWD/dist":/var/task lambci/lambda
START RequestId: 915db92a-f5db-11ca-e67e-d25072a4290a Version: $LATEST
END RequestId: 915db92a-f5db-11ca-e67e-d25072a4290a
REPORT RequestId: 915db92a-f5db-11ca-e67e-d25072a4290a	Duration: 11232.60 ms	Billed Duration: 11300 ms	Memory Size: 1536 MB	Max Memory Used: 37 MB
null%                                                                                                                                                                

I'm using dotenv package to load some env-wise data to be able to connect to specific queue etc..
and it looks like that .env file is loaded well (because I can see almost all variables from it), but two main variables can't be overwritten somehow, and I still see your image default values

AWS_ACCESS_KEY_ID: 'SOME_ACCESS_KEY_ID',
AWS_SECRET_ACCESS_KEY: 'SOME_SECRET_ACCESS_KEY',

Why so?

P.S. Looks like because of that my function are not able to make the connection to AWS SQS
P.P.S. Meanwhile when I'm using this package everything is working well

[mhart]

Are you using the -e flag to pass the env variables to docker?

Try docker run -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY run -v "$PWD/dist":/var/task lambci/lambda

That will use whatever those variables are set to in your current env. If you want to supply a specific value, use -e AWS_ACCESS_KEY_ID=whatever

[nnnikolay]

Damn it, I completely forgot about the -e option :) Thanks, for the advice.
Looks like it works now!

But I still don't understand why NodeJS could not get them from the .env file. They are listed there. Why they were not available for the application?

Thanks!

[mhart]

It depends on how you're defining them. Are you doing it outside of the Lambda function, at the top-level during require time? Those variables are overridden each time Lambda executes – this is true in the live Lambda environment too – so unless you define them in your function body (which is not a good idea – you should manage your credentials using IAM in Lambda) – they will be overridden by the Lambda environment (or in this case, by the docker-lambda controlling code)

[nnnikolay]

Oh, I did not know that.

I'm doing it like that

var main = function (ctx, cb) {
  // load .env file and place variables into process.env.VARIABLE_NAME
 require('dotenv').config();


...

exports.handler = function (e, ctx, cb) {
  main(ctx, cb);
};

I'm sorry but

you should manage your credentials using IAM in Lambda

Could you please point me to the documentation page where I can see the description how to achieve that?

[mhart]

See https://www.npmjs.com/package/dotenv#what-happens-to-environment-variables-that-were-already-set

[mhart]

Lambda will already set your AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY variables – so you won't be able to override them using dotenv.

Again, you really shouldn't be storing or loading these variables in Lambda itself (for testing it's fine, but you shouldn't be doing it via dotenv – use the -e flag)

Lambda will assign those variables using temporary IAM credentials based on the IAM role that the Lambda is running. That's where you should manage all of your Lambda permissions – using the Role that you've assigned to the Lambda.

See more info here: http://docs.aws.amazon.com/lambda/latest/dg/intro-permission-model.html

[nnnikolay]

Oh ok, now I got it.

Thank you.

[mhart]

Closing as it seems the root cause of the issue has been found 👍