Config
We are launching a set of tools to securely manage secrets and environment variables in your SST apps, called Config
.
You can read more about it in detail over on our docs. The Config
libraries include:
- Constructs to define them
Config.Secret
Config.Parameter
- CLI to set secrets
sst secrets [action]
- Lambda helpers to fetch them
@serverless-stack/node/config
- Throws an error if they are not defined
- Fetches them automatically at runtime
- Provides typesafety and autocomplete
Behind the scenes, Secrets and Parameters are stored as AWS SSM Parameters in your AWS account. They are stored with the Standard Parameter type and Standard Throughput.
This makes Config free to use in your SST apps.
Launch event
We hosted a launch livestream on YouTube where we did a deep dive of the Config and its internals.
The video is timestamped and here’s roughly what we covered.
- Intro
- Demo
- Deep Dive
- Deep dive into the Parameters code
- Parameter vs Lambda environment variables
- Deep dive into the Secrets code
- IAM permission for fetching secrets
- CLI command
sst secrets
- Secrets fallback
- Q&A
- Q: What is the AWS cost of using Config?
- Q: What does the SSM path look like?
- Q: Managing secrets in my CI pipeline
- Q: Managing secrets across AWS accounts
- Q: Accessing Config inside or outside the handler
- Q: Would changing a secret require redeployment?
- Q: Using Config for tests
- Q: SSM vs Secret Manager
- Q: Export secrets to a .env file
- Q: Reference Config across multiple SST apps
Get started
To get started, define a secret in your stacks.
Use the config option to pass the secret into the function.
In your terminal, run the sst secrets
command to set a value for the secret:
Finally in your function code, use the @serverless-stack/node/config
library to reference the secret value:
To learn more check out our docs.