Márcio Coelho


Managing Environment Variables and Secrets in AWS Lambda (Node.js + SAM)

We’ll dive into configuring environment variables and securely managing secrets using AWS Secrets Manager in an AWS Lambda function built with Node.js and AWS SAM.

You'll learn how to:

  • Define environment variables using Parameters in template.yml
  • Access them inside your Lambda function
  • Securely retrieve secrets from Secrets Manager
  • Add necessary IAM permissions to your Lambda role

Step 1: Define Parameters in template.yml

Add environment-specific parameters at the top of your SAM template:

    Parameters:
      ENVIRONMENT:
        Type: String
        Default: dev
      SecretName:
        Type: String
        Description: Name of the AWS Secrets Manager secret

Step 2: Add Environment Variables and IAM Permissions

Update your Lambda function configuration:

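    Resources:
      HelloWorldFunction:
        Type: AWS::Serverless::Function
        Properties:
          Handler: index.handler
          Runtime: nodejs22.x
          Environment:
            Variables:
              ENV: !Ref ENVIRONMENT
              SECRET_NAME: !Ref SecretName
          Policies:
            - AWSSecretsManagerGetSecretValuePolicy:
                # The trailing * covers the random suffix Secrets Manager appends
                # to secret ARNs. It also matches any other secret whose name
                # starts with ${SecretName}; "-??????" is the tighter pattern.
                SecretArn: !Sub arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:${SecretName}*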

🔐 What This Does

  • Sets ENV and SECRET_NAME as environment variables
  • Grants the Lambda function's execution role permission to read secrets whose ARN matches SecretArn, using the SAM policy template AWSSecretsManagerGetSecretValuePolicy

Step 3: Access Environment Variables in Your Code

In your index.js or index.ts:

    const env = process.env.ENV;
    const secretName = process.env.SECRET_NAME;

    console.log(`Running in ${env} environment`);

Step 4: Fetch a Secret from AWS Secrets Manager

Install the AWS SDK v3 module if not already installed:

    npm install @aws-sdk/client-secrets-manager

In your Lambda code:

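    import { SecretsManagerClient, GetSecretValueCommand } from "@aws-sdk/client-secrets-manager";

    // Create the client once per execution environment so warm invocations reuse it.
    const client = new SecretsManagerClient({});

    const getSecretValue = async (secretName: string) => {
      const command = new GetSecretValueCommand({ SecretId: secretName });
      const response = await client.send(command);
      // SecretString is absent for binary secrets; this tutorial expects a JSON string.
      return response.SecretString ? JSON.parse(response.SecretString) : null;
    };

    export const handler = async () => {
      const secret = await getSecretValue(process.env.SECRET_NAME!);
      // Log key names only: console.log output ends up in CloudWatch Logs.
      console.log("Fetched secret with keys:", Object.keys(secret ?? {}));
    };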
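An added example, not code from the original post: it caches the Step 4 secret lookup per execution environment and logs key names instead of values. The names createSecretCache, parseSecretString, describeSecret, the injected fetchSecretString, the 5-minute TTL and the sample secret are assumptions constructed for illustration.

```javascript
// Added example. fetchSecretString is an injected stand-in (assumption) for
// the post's client.send(new GetSecretValueCommand({ SecretId })) call.
// SecretString may be plain text rather than JSON, or absent (binary secret).
function parseSecretString(secretString) {
  if (typeof secretString !== "string") return null;
  try {
    const parsed = JSON.parse(secretString);
    return parsed !== null && typeof parsed === "object" ? parsed : { value: secretString };
  } catch {
    return { value: secretString };
  }
}

// Log-safe view of a secret: key names only, never values.
function describeSecret(secret) {
  return { keys: secret ? Object.keys(secret).sort() : [] };
}

// Returns getSecret(name). Results are cached per name for ttlMs so warm
// invocations skip the API call; the TTL bounds staleness after rotation.
function createSecretCache(fetchSecretString, ttlMs = 5 * 60 * 1000, now = Date.now) {
  const entries = new Map(); // name -> { promise, expiresAt }
  return function getSecret(name) {
    if (!name) return Promise.reject(new Error("secret name is not set"));
    const hit = entries.get(name);
    if (hit && hit.expiresAt > now()) return hit.promise;
    // Concurrent callers share this one in-flight promise.
    const promise = new Promise((resolve) => resolve(fetchSecretString(name)))
      .then(parseSecretString);
    entries.set(name, { promise, expiresAt: now() + ttlMs });
    // Failures are not cached: drop the entry so the next call retries.
    promise.catch(() => {
      if (entries.get(name)?.promise === promise) entries.delete(name);
    });
    return promise;
  };
}

// Constructed sample data standing in for Secrets Manager (not real credentials).
const sampleStore = { "demo/app": '{"dbUser":"app","dbPassword":"constructed-value"}' };
const getSecret = createSecretCache(async (name) => sampleStore[name]);

async function demoHandler() {
  const secret = await getSecret("demo/app");
  const summary = describeSecret(secret);
  console.log("Fetched secret:", summary);
  return summary;
}
demoHandler();
```

In the Lambda itself, pass createSecretCache a function that sends GetSecretValueCommand with the module-level client and returns response.SecretString.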

Conclusion

You've now learned how to:

✅ Use Parameters in template.yml for dynamic environment configuration
✅ Inject environment variables into your Lambda function
✅ Securely fetch secrets from AWS Secrets Manager
✅ Grant minimal IAM access for secrets usage
