
AWS Lambda

Fetch XtraSecurity secrets in AWS Lambda functions. Integration for serverless applications running on AWS.

Setup Time: 15 minutes
Difficulty: Medium

XtraSecurity + AWS Lambda Integration

Manage secrets in AWS Lambda functions using XtraSecurity.

Lambda Layer Setup

Create Lambda Layer

# Create layer directory
mkdir -p layer/nodejs
cd layer/nodejs

# Install SDK
npm install @xtrasecurity/sdk

# Package layer
cd ..
zip -r xtrasecurity-layer.zip nodejs/

Upload Layer to AWS

aws lambda publish-layer-version \
  --layer-name xtrasecurity-sdk \
  --zip-file fileb://xtrasecurity-layer.zip \
  --compatible-runtimes nodejs18.x

Lambda Function Setup

Environment Variables

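# Placeholder values. Lambda environment variables can be read by any principal
# allowed lambda:GetFunctionConfiguration, so restrict that permission.
Environment: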
  Variables:
    XTRA_API_KEY: sk_live_xxx
    XTRA_PROJECT_ID: proj_xxx

Add Layer

  1. AWS Lambda → Function → Layers
  2. Click "Add a layer"
  3. Select "xtrasecurity-sdk"
  4. Click "Add"

Code Example

const { XtraClient } = require('@xtrasecurity/sdk');

// Created outside the handler so warm invocations reuse the same client.
const xtra = new XtraClient({
  apiKey: process.env.XTRA_API_KEY,
  projectId: process.env.XTRA_PROJECT_ID,
  cache: { enabled: true, ttl: 3600 }
});

exports.handler = async (event) => {
  try {
    const dbPassword = await xtra.getSecret('db_password');
    const stripeKey = await xtra.getSecret('stripe_key');

    // Use secrets. connectDatabase is your application's own helper, not part of the SDK.
    const db = await connectDatabase(dbPassword.value);

    return {
      statusCode: 200,
      body: JSON.stringify({ message: 'Success' })
    };
  } catch (error) {
    // Log the message only, and keep internal error detail out of the response.
    console.error('Error:', error.message);
    return {
      statusCode: 500,
      body: JSON.stringify({ error: 'Internal server error' })
    };
  }
};
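
The handler's catch block is where a fetched secret is most likely to reach CloudWatch or the caller, because driver errors often echo connection details. The following added example (not from the XtraSecurity SDK or docs) scrubs tracked secret values from the log line and returns a generic 500; `SecretRedactor`, `safeErrorResponse` and the sample values are hypothetical.

```javascript
// Added example, not XtraSecurity SDK code: SecretRedactor and
// safeErrorResponse are hypothetical helper names.
class SecretRedactor {
  constructor() {
    this.needles = new Set();
  }

  // Register a fetched secret value together with its URL-encoded form
  // (as seen in connection strings) and its base64 form.
  track(value) {
    if (typeof value !== 'string' || value.length < 4) return value; // too short to match safely
    this.needles.add(value);
    this.needles.add(encodeURIComponent(value));
    this.needles.add(Buffer.from(value, 'utf8').toString('base64'));
    return value;
  }

  // Replace every tracked form in text, longest first.
  scrub(text) {
    let out = String(text);
    const ordered = [...this.needles].sort((a, b) => b.length - a.length);
    for (const needle of ordered) out = out.split(needle).join('[REDACTED]');
    return out;
  }
}

// Returns the line to log and the response for the caller. The caller gets a
// generic message plus the request ID; scrubbed detail goes to the log only.
function safeErrorResponse(error, redactor, requestId) {
  const logLine = JSON.stringify({
    level: 'error',
    requestId,
    name: error.name,
    message: redactor.scrub(error.message),
  });
  const body = JSON.stringify({ error: 'Internal error', requestId });
  return { logLine, response: { statusCode: 500, body } };
}

// Constructed sample: a driver error that echoes the connection URL.
const redactor = new SecretRedactor();
const sampleSecret = redactor.track('p@ss/w0rd!'); // constructed value
const sampleError = new Error(
  `connect failed: mysql://app:${encodeURIComponent(sampleSecret)}@db.internal/app`
);
const sample = safeErrorResponse(sampleError, redactor, 'req-123');
console.log(sample.logLine);
```

In a handler, call `redactor.track(dbPassword.value)` after each `getSecret`, and pass `context.awsRequestId` from the handler's second argument as the request ID.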

With VPC

// For RDS/database access in VPC
const { XtraClient } = require('@xtrasecurity/sdk');
// Assumes the mysql2 package; its promise API matches the awaited calls below.
const mysql = require('mysql2/promise');

const xtra = new XtraClient({
  apiKey: process.env.XTRA_API_KEY,
  projectId: process.env.XTRA_PROJECT_ID
});

exports.handler = async (event) => {
  // Get RDS password
  const rdsPassword = await xtra.getSecret('rds_password');

  const connection = await mysql.createConnection({
    host: process.env.DB_HOST,
    user: process.env.DB_USER,
    password: rdsPassword.value,
    database: process.env.DB_NAME
  });

  try {
    // Query database (mysql2 resolves to [rows, fields])
    const [results] = await connection.query('SELECT * FROM users');

    return {
      statusCode: 200,
      body: JSON.stringify(results)
    };
  } finally {
    // Close the connection so it is not leaked across invocations
    await connection.end();
  }
};

Best Practices

  1. Use Lambda layers for shared code
  2. Enable caching to reduce API calls
  3. Set IAM role with least privilege
  4. Monitor Lambda logs for secret access
  5. Rotate secrets every 30 days

Need More Help?

Check our full documentation or contact our support team for assistance.