Retrieving secrets from S3

I have a private key stored in S3 that one of my Lambda functions needs for signing at runtime. I’m trying to figure out best practices for accessing this key and caching it in the application.

Since the key won’t change, it doesn’t make much sense to get it from s3 over and over again every time we need to sign something with it.

Any suggestions on how to efficiently and securely handle this? Maybe I’m overthinking it …

Thinking one approach is to cache it in a global or class variable. That effectively caches within the Lamba Execution context so the logic at least won’t be ran on every requests but only on a cold start.

Why not to store it in SSM as a secret key? It need to be S3?

1 Like

This is a good idea. I haven’t used SSM before. Will give it a try.

1 Like

@punkracy Good call :grin:

Docs Under the " SSM Parameter Store Support" section