I have retrieved my ssh private key from AWS Secrets Manager and will be passing it to paramiko for ssh. But since the library accepts only filenames I cannot pass the private key string I retrieved from Secrets Manager. So I am thinking of writing the string to a file in /tmp.
But I am wondering, are there any security implications of writing sensitive data to /tmp in Lambda?
But since the library accepts only filenames I cannot pass the private key string...
This is not entirely true: paramiko.RSAKey.from_private_key can read from string buffers (any file-like object) as well:
import io
import paramiko

# Read private key from AWS Secrets Manager
private_key = ...

# Wrap the key text in an in-memory file-like object; no file on disk is needed
private_key_buffer = io.StringIO(private_key)
private_key = paramiko.RSAKey.from_private_key(private_key_buffer)

ssh = paramiko.SSHClient()
ssh.connect(..., pkey=private_key)
This means you don't have to write it to a temporary location in order for the library to read it.
If you still prefer to use /tmp, keep in mind that this location may persist between invocations of the same function (warm starts reuse the execution environment). Other than this, the /tmp location is cleaned when the environment is assigned to another function execution.
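As an added example (not the answerer's code): the same in-memory approach generalised so the caller does not need to know which key type Secrets Manager holds, plus a helper for the /tmp route that creates the file with mode 0600 and removes it on exit, so the key cannot linger into a later warm invocation. Assumes paramiko is installed; the key text and directory are placeholders.

```python
import contextlib
import io
import os
import tempfile


def load_private_key(key_text, passphrase=None):
    """Parse a PEM/OpenSSH private key held in memory, without touching disk.

    Tries the key classes paramiko ships in turn, so the caller does not need
    to know whether the secret is an Ed25519, ECDSA or RSA key.
    """
    import paramiko  # imported here so the /tmp helper below works without it

    last_error = None
    for key_cls in (paramiko.Ed25519Key, paramiko.ECDSAKey, paramiko.RSAKey):
        try:
            # from_private_key reads any file-like object; StringIO avoids /tmp
            return key_cls.from_private_key(io.StringIO(key_text), password=passphrase)
        except paramiko.PasswordRequiredException:
            raise  # encrypted key with no passphrase: not a type mismatch
        except (paramiko.SSHException, ValueError) as exc:
            last_error = exc  # wrong type for this class, try the next one
    raise ValueError("secret does not contain a supported private key") from last_error


@contextlib.contextmanager
def private_key_tempfile(key_text, directory="/tmp"):
    """Fallback for libraries that insist on a path: write the key to a file
    that mkstemp creates with mode 0600 and delete it on exit, so it cannot
    survive into a later warm invocation that reuses the same /tmp."""
    fd, path = tempfile.mkstemp(prefix="sshkey-", dir=directory)
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(key_text)
        yield path
    finally:
        with contextlib.suppress(FileNotFoundError):
            os.remove(path)


def tempfile_roundtrip(key_text, directory=None):
    """Constructed check of the helper: reports file mode, contents and cleanup."""
    directory = directory or tempfile.gettempdir()
    with private_key_tempfile(key_text, directory) as path:
        mode = os.stat(path).st_mode & 0o777
        with open(path) as handle:
            content_matches = handle.read() == key_text
    return {"mode": mode, "content_matches": content_matches,
            "removed": not os.path.exists(path)}
```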