Using AWS Secrets Manager to manage APM authentication keysedit

When using the config options ELASTIC_APM_SECRET_TOKEN or ELASTIC_APM_API_KEY for authentication of the APM Lambda Extension with Elastic APM, the corresponding keys are specified in plain text in the environment variables of your Lambda function. If you prefer to securely store the authentication keys, you can use the AWS Secrets Manager and let the APM Lambda Extension retrieve the actual keys from the AWS Secrets Manager. Follow the instructions below to set up the AWS Secrets Manager with the APM Lambda Extension.

Step 1: Create a secret in the AWS Secrets Manager.edit

Create a secret in the AWS Secrets Manager for the APM Secret Token or the APM API key, depending on which one you prefer to use. Make sure to create the secret as a Plaintext typed secret and ensure it is created in the same AWS region as your target Lambda function that will use the secret.

We recommend using the AWS-managed encryption key aws/secretsmanager. However, you can optionally create and select a custom KMS key for encryption. Note that with a custom encryption key, you will need additional key permissions on your Lambda function (see Step 2).

In the Web Console of the AWS Secrets Manager, navigate to Store a new secret, select Other type of secret as the secret type, and choose the Plaintext tab for entering the secret value. Enter your APM secret token or APM API key value as a plain string (not as a JSON key value pair).

image showing the creation of a plaintext secret in Secrets Manager

Click Next, choose a secret name, and finalize the creation of the secret.

Remember your chosen secret name. You will use the secret name as the value for the config options ELASTIC_APM_SECRETS_MANAGER_SECRET_TOKEN_ID or ELASTIC_APM_SECRETS_MANAGER_API_KEY_ID when configuring your APM Lambda Extension.

Step 2: Add permissions to your AWS Lambda functionedit

For your Lambda function to be able to retrieve the authentication key from the AWS Secrets Manager, you need to provide the following permissions to your Lambda function.

  • In the Web Console of your AWS Lambda function navigate to ConfigurationPermissions and click on the link in the Execution Role section. This will lead you to the Web Console for the corresponding IAM role.
  • Select Create inline policy in the Add permission dropdown button and select the JSON tab to define the following JSON-based policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "secretsmanager:GetSecretValue"
                ],
                "Resource": [
                    "THE_ARN_OF_YOUR_SECRET"
                ]
            },
            { 
                "Effect": "Allow",
                "Action": [
                    "kms:Decrypt"
                ],
                "Resource": [
                    "THE_ARN_OF_YOUR_CUSTOM_KMS_KEY"
                ]
            }
        ]
    }

    This permission is ONLY needed if you use a custom KMS encryption key for your secret

  • Review and save the policy.

Step 3: Configure the APM Lambda extensionedit

Finally, you will need to configure the APM Lambda extension to use the secret from the Secrets Manager instead of the value provided through ELASTIC_APM_SECRET_TOKEN or ELASTIC_APM_API_KEY.

Provide the name of the secret you created in Step 1 as the value for the ELASTIC_APM_SECRETS_MANAGER_SECRET_TOKEN_ID or ELASTIC_APM_SECRETS_MANAGER_API_KEY_ID config option, respectively, depending on whether you want to use the APM Secret Token or the APM API key.

The language-specific instructions describe how to set environment variables for configuring AWS Lambda for Elastic APM:

That’s it. With the first invocation (cold start) of your Lambda function you should see a log message from the APM Lambda extension indicating that a secret from the secrets manager is used:

"Using the APM secret token retrieved from Secrets Manager."