Secrets management

Just like environment variables are the configuration that's been abstracted away from the source code, we should do the same with secrets. Obviously, these must not be part of the source code and, instead, should be injected during runtime. It's also a good idea to externalize secrets from the function configuration so that they can be reused by other functions in the future. This is part of the reason why we don't use Lambda environment variables to hold secrets.

In AWS, we have two choices for achieving this:

  • AWS Systems Manager Parameter Store
  • AWS Secrets Manager

Let's start with the Parameter Store. This service is a component of the AWS Systems Manager suite of services that are designed to make life easier when it comes to operationalizing your solutions. Parameter Store can store both configuration items and secrets as key-value pairs, and the data can be encrypted or plain. Items are added to the Parameter Store in a hierarchical way, so, when you're creating the name for your item, you specify the name and the path; for example, all of your database connection parameters for the development environment might be under /app1/dev/database/connection. To get the actual parameter for the port, you could request /app1/dev/database/connection/port, or, more efficiently, you could use the getParametersByPath() API method and specify down to the connection to get all of the parameters under that. Check the SDK documentation for your language to see how each method works.

Moving over to AWS Secrets Manager, we find that this service is more focused on managing the secret itself. Secrets Manager can store a secret and then automatically rotate it periodically on a schedule that you specify. It also integrates with some of the other AWS services: it can trigger a password rotation, set a new randomly generated password on the target, and then update the stored entry to match.

The similarities between these two services are as follows:

  • Both can encrypt your secrets and store them safely
  • Both are key-value stores

The only significant difference to call out is cost. Parameter Store is free to use and can store up to 10,000 parameters at a size of up to 4 KB each. Secrets Manager, on the other hand, is $0.40 per secret per month, plus $0.05 per 10,000 API calls. This might not sound like a lot, but it adds up when you have hundreds of secrets with millions of Lambda invocations. This is where you would want to make use of the inherent caching that comes from smart container reuse – which we'll get to later in this section.
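The hierarchical fetch with getParametersByPath() and the container-reuse caching described above, as an added example that is not from the book: parameters under a path are fetched page by page (following NextToken), decrypted, and cached in module scope so that warm containers skip the API calls until a TTL expires. The client is a constructed in-memory stub standing in for the SDK's SSM client, and the path, names and values are made up.

```javascript
// Added example (not the book's code): load all parameters under a path and
// cache them outside the handler so warm Lambda containers reuse them.
// `client` is any object whose getParametersByPath(params) returns a Promise of
// { Parameters, NextToken }, the shape of the AWS SDK call; a stub is used here.

const CACHE_TTL_MS = 5 * 60 * 1000; // refresh at most every 5 minutes per container
const cache = new Map();            // path -> { expires, values }, lives across warm invocations

async function loadParametersByPath(client, path, now = Date.now()) {
  const hit = cache.get(path);
  if (hit && hit.expires > now) return hit.values; // warm container: no API call

  const values = {};
  let NextToken;
  do {
    // WithDecryption returns SecureString values in plaintext (needs kms:Decrypt on the key)
    const res = await client.getParametersByPath({
      Path: path, Recursive: true, WithDecryption: true, NextToken,
    });
    for (const p of res.Parameters) {
      // strip the prefix: /app1/dev/database/connection/port becomes "port"
      values[p.Name.slice(path.length).replace(/^\//, '')] = p.Value;
    }
    NextToken = res.NextToken; // undefined on the last page ends the loop
  } while (NextToken);

  cache.set(path, { expires: now + CACHE_TTL_MS, values });
  return values;
}

// Constructed stub for the SSM client: two pages of made-up results, counts calls.
function makeStubClient() {
  const pages = [
    { Parameters: [{ Name: '/app1/dev/database/connection/host', Value: 'db.internal' },
                   { Name: '/app1/dev/database/connection/port', Value: '5432' }],
      NextToken: 'page2' },
    { Parameters: [{ Name: '/app1/dev/database/connection/password', Value: 'example-only' }] },
  ];
  const client = {
    calls: 0,
    async getParametersByPath(params) { client.calls += 1; return pages[params.NextToken ? 1 : 0]; },
  };
  return client;
}

// Handler shape: the client and cache are created once per container, not per call.
const ssm = makeStubClient(); // real code: new SSM() from the AWS SDK
async function handler() {    // export this as exports.handler in the Lambda module
  const db = await loadParametersByPath(ssm, '/app1/dev/database/connection');
  return { statusCode: 200, body: `connecting to ${db.host}:${db.port}` };
}
```

Because the cache holds plaintext secrets in process memory, keep the TTL short enough that a rotated secret is picked up within an acceptable window, and invalidate it when a call fails with a credential error.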

Moving on from the environmental context, the following sections will address some of the things we need to be aware of when running at high volume or in production environments.
