Rather than exposing the secret during the build stage (`sls deploy`), find a way to expose the secret only at runtime.
Some possible ways:
- Replace all instances of `process.env.SECRET_ENV_VAR` with a shim that connects to AWS Secrets Manager and retrieves the secret during runtime
- Encrypt the secret during the build stage, and decrypt it during runtime
- Inject the secret into code (not safe, since the secret can be determined by anyone who can see the Lambda code)
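
A sketch of the first option, as an added example that is not part of the original text or of the Serverless Framework: a shim that fetches the secret from AWS Secrets Manager on first use and caches it in the container. The names `createSecretShim`, `fetchSecret` and the `SECRET_ID` variable are assumptions, and the function's role needs `secretsmanager:GetSecretValue` on that secret.

```javascript
// Added example (not from the original page). SECRET_ID is a hypothetical
// env var that holds only the secret's name or ARN, never the secret value.

// Default fetcher: loads AWS SDK v3 lazily so a fake can be injected in tests.
async function fetchFromSecretsManager(secretId) {
  const { SecretsManagerClient, GetSecretValueCommand } =
    await import('@aws-sdk/client-secrets-manager');
  const client = new SecretsManagerClient({});
  const out = await client.send(new GetSecretValueCommand({ SecretId: secretId }));
  if (typeof out.SecretString !== 'string') {
    throw new Error('secret has no SecretString (binary secrets not handled)');
  }
  return out.SecretString;
}

// Builds getSecret(id) -> Promise<string> with a per-container cache.
function createSecretShim(opts = {}) {
  const { fetchSecret = fetchFromSecretsManager, ttlMs = 5 * 60 * 1000, now = Date.now } = opts;
  const cache = new Map(); // secretId -> { promise, expires }
  return function getSecret(secretId) {
    if (!secretId) return Promise.reject(new Error('secret id is not set'));
    const hit = cache.get(secretId);
    if (hit && hit.expires > now()) return hit.promise; // warm invocation
    // Cache the promise itself so concurrent callers share one API call.
    const promise = new Promise((resolve) => resolve(fetchSecret(secretId)));
    const entry = { promise, expires: now() + ttlMs };
    cache.set(secretId, entry);
    // Never cache a failure: evict so the next invocation retries.
    promise.catch(() => {
      if (cache.get(secretId) === entry) cache.delete(secretId);
    });
    return promise;
  };
}

// Usage in a Lambda handler (export it in your module's style).
const getSecret = createSecretShim();
async function handler(event) {
  const secret = await getSecret(process.env.SECRET_ID);
  // Use the value here; do not log it or return it to the caller.
  return { statusCode: 200, body: JSON.stringify({ secretLoaded: secret.length > 0 }) };
}
```

With this in place the deployed configuration carries only the secret's identifier, so the value appears neither in the `sls deploy` output nor in the function's environment variables.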