up:: [[AWS Lambda MOC]]
same:: [[AWS Lambda Return Values for API Triggering]], [[To Build a Lambda from a Dockerfile in CDK]]

# Passing Secrets into Lambdas in CDK

Do not pass Secrets Manager values into a Lambda via environment variables in your CDK stack. This is a problem for two reasons:

1. It exposes the secret. CloudFormation resolves the value at deploy time and writes it in plaintext into the function's environment variable configuration, where anyone who can read the function configuration (console, `GetFunctionConfiguration`) can see it.
2. The value is only refreshed when the Secret construct or the Lambda in question is actually changed by a deploy. If the secret is rotated and neither construct changes, the new value is never picked up by the app.

To address this, handle Secrets Manager secrets in the following way:

1. Pass **only the secret's name** (or ARN) from the Secret construct into the Lambda as an environment variable (`secret.secret_name` / `secret.secret_arn` in CDK), and grant the function permission to read it with `secret.grant_read(fn)`.
2. In the Lambda function code, use boto3 (if using Python) to create a session and use the session to create a Secrets Manager client.
3. Get the secret value from the secret name by calling `get_secret_value()` on the client. The value comes back in `SecretString` (a JSON document for key/value secrets) or `SecretBinary`. Cache the result across warm invocations with a TTL rather than calling Secrets Manager on every request; the TTL bounds how long a rotated value stays stale.

## Code Example

```python
import os
import boto3  # bundled in the Lambda Python runtime

session = boto3.session.Session()
client = session.client(service_name="secretsmanager", region_name=os.environ["AWS_REGION"])  # AWS_REGION is set by the runtime
get_secret_value_response = client.get_secret_value(SecretId=os.environ["SECRET_NAME"])  # value is in "SecretString"
```

[[SAM-90 Instagram Reharvest Service#^ev0dd2|Source]]
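The complete Lambda-side pattern for the three steps above, as an added example that is not code from the original note or from the linked project: the handler reads only the secret's name from `SECRET_NAME`, fetches the value at runtime, and caches it for a TTL so a rotated secret is picked up without a redeploy while avoiding a Secrets Manager call on every invocation. The `SecretCache`, `parse_secret` and `handler` names, the 300 s default TTL, the `FakeSecretsClient` stub, the `prod/db` secret name and the `username`/`password` JSON layout are all assumptions of this example; boto3 is imported lazily so the module also runs offline against the stub.

```python
import json
import os
import time
from typing import Any, Callable, Dict, Tuple


def parse_secret(response: Dict[str, Any]) -> Any:
    """Turn a GetSecretValue response into a usable value.

    Key/value secrets arrive as a JSON object in SecretString, plain-text
    secrets as a bare string, binary secrets as bytes in SecretBinary.
    """
    if "SecretString" in response:
        text = response["SecretString"]
        try:
            value = json.loads(text)
        except ValueError:
            return text
        return value if isinstance(value, dict) else text
    return response["SecretBinary"]  # boto3 returns the decoded bytes


class SecretCache:
    """Fetch secrets by name at runtime and cache them for `ttl` seconds (assumed 300 s default)."""

    def __init__(self, client: Any = None, ttl: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._client = client
        self._ttl = ttl
        self._clock = clock
        self._cache: Dict[str, Tuple[float, Any]] = {}

    @property
    def client(self) -> Any:
        if self._client is None:
            import boto3  # lazy: present in the Lambda runtime, not needed for the offline demo
            region = os.environ.get("AWS_REGION")  # set automatically by the Lambda runtime
            self._client = boto3.session.Session().client(
                service_name="secretsmanager", region_name=region)
        return self._client

    def get(self, secret_id: str, force_refresh: bool = False) -> Any:
        """Return the cached value while it is fresh; otherwise call Secrets Manager."""
        now = self._clock()
        hit = self._cache.get(secret_id)
        if hit is not None and not force_refresh and now - hit[0] < self._ttl:
            return hit[1]
        value = parse_secret(self.client.get_secret_value(SecretId=secret_id))
        self._cache[secret_id] = (now, value)
        return value


# Module level so the cache survives across warm invocations of the same container.
SECRETS = SecretCache()


def handler(event: Dict[str, Any], context: Any, cache: SecretCache = SECRETS) -> Dict[str, Any]:
    """Lambda entry point: SECRET_NAME carries the secret's name, never its value."""
    creds = cache.get(os.environ["SECRET_NAME"])
    # Use creds["username"] / creds["password"] to connect; never log or return the password.
    return {"statusCode": 200, "body": "connected as %s" % creds["username"]}


class FakeSecretsClient:
    """Constructed stand-in for the boto3 client so the example runs offline."""

    def __init__(self, secrets: Dict[str, str]) -> None:
        self.secrets = secrets
        self.calls = 0

    def get_secret_value(self, SecretId: str) -> Dict[str, Any]:
        self.calls += 1
        return {"SecretString": self.secrets[SecretId]}


def demo() -> Dict[str, Any]:
    """Walk through a rotation: the cached value is served until the TTL lapses."""
    fake = FakeSecretsClient({"prod/db": json.dumps({"username": "app", "password": "p1"})})
    now = [1000.0]
    cache = SecretCache(client=fake, ttl=60.0, clock=lambda: now[0])
    first = cache.get("prod/db")["password"]
    second = cache.get("prod/db")["password"]  # served from cache, no API call
    fake.secrets["prod/db"] = json.dumps({"username": "app", "password": "p2"})  # rotation
    stale = cache.get("prod/db")["password"]   # still p1: TTL has not expired
    now[0] += 61.0
    fresh = cache.get("prod/db")["password"]   # p2 once the TTL lapses
    forced = cache.get("prod/db", force_refresh=True)["password"]
    os.environ["SECRET_NAME"] = "prod/db"      # what CDK would set on the function (demo only)
    body = handler({}, None, cache=cache)["body"]
    return {"first": first, "second": second, "stale": stale, "fresh": fresh,
            "forced": forced, "calls": fake.calls, "body": body}
```

`force_refresh=True` is the hook for the rotation edge case: if a downstream call fails with an authentication error, refresh the cached value once and retry before giving up, so a rotation that happened inside the TTL window costs one failed request rather than a stale container.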