New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add KMS key selection to AWS provider #2996

DonMcNamara opened this Issue Dec 20, 2016 · 3 comments


None yet
4 participants
Copy link

DonMcNamara commented Dec 20, 2016

This is a Feature Proposal


Add the ability to select a KMS key in the AWS provider and/or function configuration.

AWS Lambdas now support environment variables and selecting a KMS key used at runtime. The KMS key is used by AWS to encrypt environment variables at rest. Serverless configuration should allow selecting a KMS key.

This would only be a small change to allow full configuration of the KMS key.

For feature proposals:

  • Use case: Use a KMS key other than the default lambda KMS key.
  • Possible configuration example:
  kmsKeyArn: arn:aws:kms:us-east-1:1234567890:key/76aa38ca-17b7-4c96-9a89-38df27cbeafe

  kmsKeyArn: arn:aws:kms:us-east-1:1234567890:key/76aa38ca-17b7-4c96-9a89-38df27cbeafe

Similar or dependent issues:

Additional Data

@DonMcNamara DonMcNamara referenced this issue Dec 20, 2016


add KMS key to profile and function config. #2998

7 of 7 tasks complete

@pmuens pmuens added the feature label Dec 21, 2016


This comment has been minimized.

Copy link

aasmoura commented Apr 9, 2017

Any news on this? It would be an amazing feature.


This comment has been minimized.

Copy link

pmuens commented Apr 11, 2017

@aasmoura we had the PR #2998 from @DonMcNamara which needed some additional updates but was almost there. Maybe it's worth to look into it and build a plugin based on it.

There are currently no direct plans to add this feature into core, but some more feedback on the potential use-cases / problems you face without this in place would be really helpful!


This comment has been minimized.

Copy link

marcfielding1 commented May 23, 2017

Hrmm this is a tough one since the point of encrypting it is to keep it secure, but that point is negated by having stuff you want to encrypt in the yml files, the main benefit I think is as part of a CI pipeline where on deployment to a new stage the CI pipeline pulls from a private repo with the correct config and env variables in it, you'd probably then want to encrypt them via KMS.

Then I guess that if you allow KMS encryption via serverless.yml then you're encouraging people to put keys in code all over the place - my general feeling is, because this is a security feature then it should be implemented. In the EU currently we're about to get new regulation around making systems and user data as secure possible, and without this companies are going to have reservations about serverless as a framework.

@pmuens pmuens referenced this issue May 24, 2017


Add KMS key support #3672

6 of 6 tasks complete

@pmuens pmuens added pr/in-progress and removed help wanted labels May 26, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment