This repository was archived by the owner on Apr 7, 2026. It is now read-only.
kmsDependency

A Lambda function which implements a Custom Resource for Cloud Formation that can decrypt a single value

Installation

Create a Role with ./create-role.sh. This creates a new stack with the appropriate permissions for the function.

Deploy the lambda function with ./deploy-lambda.sh. Now the function can be used to do nothing :) via a Cloud Formation Custom Resource.

Cloud Formation Usage

Use the function inside your Cloud Formation template by declaring a custom resource, Custom::KmsDependency.

The Custom::KmsDependency takes any parameters and returns them as outputs.

Example Output

{
  "DecryptedValue": "secretValue"
}

Extended Example with Stack

This is an example of how to reference the decrypted value returned by KMS. Note: in real-life usage the decrypted value should not be output from the Stack, since stack outputs are readable by anyone who can describe the stack.

{
  "Parameters": {
    "EncryptedValue": {
      "Description": "Some encrypted value, must start with kms: or kmsb:",
      "Type": "String",
      "Default": "kms:<some_encrypted_string>"
    }
  },
  "Resources": {
    "KMS": {
      "Type": "Custom::KmsDependency",
      "Properties": {
        "ServiceToken": { "Fn::Join": [ "", [
          "arn:aws:lambda:",
          { "Ref": "AWS::Region" },
          ":",
          { "Ref": "AWS::AccountId" },
          ":function:kmsDependency"
        ] ] },
        "EncryptedValue": { "Ref": "EncryptedValue" }
      }
    }
  },
  "Outputs": {
    "DecryptedValue": {
      "Value": { "Fn::GetAtt": ["KMS", "DecryptedValue"] },
      "Description": "The decrypted value."
    }
  }
}
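As an added example (not the repository's own code), this is what the Lambda behind Custom::KmsDependency has to do to satisfy the custom-resource protocol: strip the kms:/kmsb: prefix, decrypt with KMS, and PUT a response to the pre-signed ResponseURL. The prefix semantics (kms: decrypts to text, kmsb: returns the plaintext base64-encoded), the boto3 call and the use of NoEcho are assumptions; decrypt and send are injected so the logic runs without AWS.

```python
import base64
import json
import urllib.request

# Hypothetical handler for Custom::KmsDependency (added example, not the repo's code).
# Assumed: "kms:" wraps base64 ciphertext that decrypts to UTF-8 text, "kmsb:" wraps
# base64 ciphertext whose plaintext is returned re-encoded as base64.
def parse_encrypted(value):
    """Strip the kms:/kmsb: prefix; return (ciphertext bytes, binary flag)."""
    if value.startswith("kmsb:"):
        return base64.b64decode(value[5:]), True
    if value.startswith("kms:"):
        return base64.b64decode(value[4:]), False
    raise ValueError("EncryptedValue must start with kms: or kmsb:")

def build_response(event, status, data=None, reason=""):
    """Build the object CloudFormation expects at the pre-signed ResponseURL."""
    return {
        "Status": status, "Reason": reason,
        "PhysicalResourceId": event.get("PhysicalResourceId") or event["LogicalResourceId"],
        "StackId": event["StackId"], "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "NoEcho": True,  # mask Data in the console and in DescribeStackEvents
        "Data": data or {},
    }

def put_response(url, body):
    # CloudFormation requires a PUT with an empty Content-Type to the pre-signed S3 URL.
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 method="PUT", headers={"Content-Type": ""})
    urllib.request.urlopen(req).close()

def handle(event, decrypt, send):
    # Core logic; decrypt(bytes) -> bytes and send(url, body) are injected for testability.
    if event["RequestType"] == "Delete":  # nothing to clean up, just acknowledge
        resp = build_response(event, "SUCCESS")
    else:
        try:
            ciphertext, binary = parse_encrypted(event["ResourceProperties"]["EncryptedValue"])
            plaintext = decrypt(ciphertext)
            value = base64.b64encode(plaintext).decode() if binary else plaintext.decode("utf-8")
            resp = build_response(event, "SUCCESS", {"DecryptedValue": value})
        except Exception as exc:
            # Report only the error type: the Reason ends up in stack events.
            resp = build_response(event, "FAILED", reason=type(exc).__name__)
    send(event["ResponseURL"], resp)
    return resp["Status"]

def lambda_handler(event, context):
    import boto3  # imported lazily so the module also loads outside Lambda
    kms = boto3.client("kms")
    return handle(event, lambda ct: kms.decrypt(CiphertextBlob=ct)["Plaintext"], put_response)
```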