Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News HashiCorp Supports AWS Lambda Extensions for Serverless Security

HashiCorp Supports AWS Lambda Extensions for Serverless Security

This item in japanese

HashiCorp has recently announced the public preview of the HashiCorp Vault AWS Lambda Extension. The new service is based on the recently launched AWS Lambda Extensions API and allows a serverless application to securely retrieve secrets from HashiCorp Vault without making the Lambda functions Vault-aware.

The extension reads secrets from HashiCorp Vault and writes them to disk before the AWS Lambda function starts. It authenticates using AWS IAM, relying on the same identity the Lambda function is running. As the Runtime API and the Extensions API are independent endpoints, the new approach makes the external security approach transparent to the Lambda function itself.


The Vault AWS Lambda Extension can retrieve different secrets from Vault and writes the JSON response from HashiCorp Vault to the configured destination. It is available in the HashiCorp GitHub repo, which includes examples with the Amazon ARN to be referenced in the Lambda function.

"This is going to make a lot of folks' lives a lot easier," predicts Lucy Davinhart, senior automation engineer at Sky Betting & Gaming. Andrey Devyatkin, DevSecOps consultant, explains the main benefit of the new approach:

This is neat. Before you would have to read secrets via Terraform and pass them via environment variables which didn’t work well with dynamic secrets. I wonder if extension will be able to keep leases renewed.

Fetching configuration settings and secrets before the function invocation will be a common use case, but Lambda extensions can be used in other scenarios, to integrate Lambda functions with external monitoring, observability, security, and governance tools. Julian Wood, serverless developer advocate at AWS, explains other possible use cases: capturing diagnostic information before, during, and after function invocation or automatically instrumenting code without code changes. Another option is detecting and alerting on function activity through hardened security agents.

Lumigo, one of the first AWS partner introducing a Lambda Extension, explains in an article the problem Lambda Extensions solve:

Lambda Extensions provide a new way to integrate Lambda with your monitoring and security tools (...) It’s an important step forward and brings us much closer to parity with the kind of open access that vendors have long enjoyed on our serverful counterparts.

Both the HashiCorp Vault AWS Lambda extension and the AWS Lambda Extensions are currently in preview.

Rate this Article