We are launching a set of tools to securely manage secrets and environment variables in your SST apps, called Config.

You can read about it in detail in our docs. The Config libraries include:

  1. Constructs to define them
    1. Config.Secret
    2. Config.Parameter
  2. CLI to set secrets: sst secrets [action]
  3. Lambda helpers to fetch them: @serverless-stack/node/config
    • Throws an error if they are not defined
    • Fetches them automatically at runtime
    • Provides type safety and autocomplete

Behind the scenes, Secrets and Parameters are stored as AWS SSM Parameters in your AWS account. They are stored with the Standard Parameter type and Standard Throughput.

This makes Config free to use in your SST apps.

Launch event

We hosted a launch livestream on YouTube where we did a deep dive into Config and its internals.

The video is timestamped and here’s roughly what we covered.

  1. Intro
  2. Demo
  3. Deep Dive
    1. Deep dive into the Parameters code
    2. Parameter vs Lambda environment variables
    3. Deep dive into the Secrets code
    4. IAM permission for fetching secrets
    5. CLI command sst secrets
    6. Secrets fallback
  4. Q&A
    1. Q: What is the AWS cost of using Config?
    2. Q: What does the SSM path look like?
    3. Q: Managing secrets in my CI pipeline
    4. Q: Managing secrets across AWS accounts
    5. Q: Accessing Config inside or outside the handler
    6. Q: Would changing a secret require redeployment?
    7. Q: Using Config for tests
    8. Q: SSM vs Secret Manager
    9. Q: Export secrets to a .env file
    10. Q: Reference Config across multiple SST apps

Get started

To get started, define a secret in your stacks.

import { Config, StackContext } from "@serverless-stack/resources";

export default function SecretsStack({ stack }: StackContext) {
  const STRIPE_KEY = new Config.Secret(stack, "STRIPE_KEY");

  return { STRIPE_KEY };
}

Use the config option to pass the secret into the function.

import { use, Function, StackContext } from "@serverless-stack/resources";
import SecretsStack from "./SecretsStack";

export default function MyStack({ stack }: StackContext) {
  // Reuse the secret defined in SecretsStack
  const { STRIPE_KEY } = use(SecretsStack);

  new Function(stack, "MyFunction", {
    handler: "lambda.handler",
    // Only functions that list the secret in config can read it
    config: [STRIPE_KEY],
  });
}

In your terminal, run the sst secrets command to set a value for the secret:

$ npx sst secrets set STRIPE_KEY sk_test_abc123

Finally, in your function code, use the @serverless-stack/node/config library to reference the secret value:

import { Config } from "@serverless-stack/node/config";

export const handler = async () => {
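  // Demo only: in Lambda, console.log output goes to CloudWatch Logs,
  // so do not log real secret values.
  console.log(Config.STRIPE_KEY);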

  // ...
};
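
The runtime behaviour listed earlier (values fetched from SSM automatically, an error when one is not defined) can be modelled as follows. This is an added example, not SST's own code: loadSecrets, fakeSsm and the /example-app/dev/ prefix are hypothetical, and the SSM client is injected so the block runs offline.

```typescript
// Added example, not SST's code. Models the SSM GetParameters request/response
// shape; the "/example-app/dev/" prefix is a placeholder, not SST's real path.
type GetParametersInput = { Names: string[]; WithDecryption: boolean };
type GetParametersOutput = {
  Parameters: { Name: string; Value: string }[];
  InvalidParameters: string[];
};
type SsmLike = (input: GetParametersInput) => Promise<GetParametersOutput>;

const BATCH = 10; // SSM GetParameters accepts at most 10 names per call

// Resolve every declared secret once (for example at cold start) or fail closed.
async function loadSecrets(
  ssm: SsmLike,
  prefix: string,
  names: string[],
): Promise<Record<string, string>> {
  const values: Record<string, string> = {};
  const missing: string[] = [];
  for (let i = 0; i < names.length; i += BATCH) {
    const batch = names.slice(i, i + BATCH).map((n) => prefix + n);
    // WithDecryption is needed for SecureString parameters to come back as plaintext.
    const out = await ssm({ Names: batch, WithDecryption: true });
    for (const p of out.Parameters) values[p.Name.slice(prefix.length)] = p.Value;
    for (const n of out.InvalidParameters) missing.push(n.slice(prefix.length));
  }
  if (missing.length > 0) {
    // Report names only; never put secret values in an error message.
    throw new Error(`Secrets not set: ${missing.join(", ")}`);
  }
  return values;
}

// Constructed in-memory stand-in for SSM so the example runs offline.
function fakeSsm(store: Map<string, string>): SsmLike {
  return async ({ Names }) => {
    const out: GetParametersOutput = { Parameters: [], InvalidParameters: [] };
    for (const n of Names) {
      const v = store.get(n);
      if (v === undefined) out.InvalidParameters.push(n);
      else out.Parameters.push({ Name: n, Value: v });
    }
    return out;
  };
}
```

Failing before the handler runs, and naming only the missing keys, keeps a misconfigured stage from serving requests with an undefined credential.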

To learn more, check out our docs.