Tags: amazon-web-services, aws-lambda

AWS Lambda: Can I write sensitive data to /tmp


I have retrieved my SSH private key from AWS Secrets Manager and will be passing it to paramiko for SSH. But since the library accepts only filenames, I cannot pass the private key string I retrieved from Secrets Manager. So I am thinking of writing the string to a file in /tmp.

But I am wondering whether there are any security implications of writing sensitive data to /tmp in Lambda.


Solution

  • But since the library accepts only filenames I cannot pass the private key string...

    This is not entirely true; paramiko.RSAKey.from_private_key can read from string buffers as well:

    import io
    import paramiko
    
    # Read the private key text from AWS Secrets Manager (retrieval elided here)
    private_key = ...
    
    # Wrap the PEM text in an in-memory file object; paramiko accepts any file-like object
    private_key_buffer = io.StringIO()
    private_key_buffer.write(private_key)
    private_key_buffer.seek(0)
    private_key = paramiko.RSAKey.from_private_key(private_key_buffer)
    
    ssh = paramiko.SSHClient()
    # hostname/username are elided here; keyword arguments keep the call syntactically valid
    ssh.connect(hostname=..., username=..., pkey=private_key)
    

    This means you don't have to write it to a temporary location in order for the library to read it.

    If you still prefer to use /tmp, keep in mind that this location may persist between invocations of the same function. Apart from that, the /tmp location will be cleaned when it is assigned to another function execution.
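As an added example (not code from the answer above or from paramiko itself), the following shows both routes: loading the key straight from the secret string in memory, and, when a file on /tmp is unavoidable, creating it owner-only (0600) and removing it when done so it does not linger in a warm Lambda container. It assumes paramiko is installed for the first helper and uses a constructed placeholder string instead of a real key.

```python
import contextlib
import io
import os
import stat
import tempfile


def load_pkey_from_string(key_text):
    """Parse PEM private-key text directly from memory; nothing touches disk."""
    import paramiko  # imported lazily so the /tmp helpers below work without it
    return paramiko.RSAKey.from_private_key(io.StringIO(key_text))


@contextlib.contextmanager
def ephemeral_secret_file(secret_text, directory=None):
    """Write secret_text to a fresh 0600 file (default: /tmp) and delete it on exit,
    so the material does not survive into the next invocation of a warm container."""
    directory = directory or tempfile.gettempdir()
    # mkstemp opens with O_CREAT|O_EXCL and mode 0600 on POSIX: no symlink races, owner-only
    fd, path = tempfile.mkstemp(prefix="key-", dir=directory)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(secret_text)
        yield path
    finally:
        try:
            os.unlink(path)
        except FileNotFoundError:
            pass


def file_is_private(path):
    """True if path is a regular file readable and writable only by its owner."""
    mode = os.stat(path).st_mode
    return stat.S_ISREG(mode) and stat.S_IMODE(mode) == 0o600


def demo():
    """Round-trip a constructed placeholder (not a real key) through the helper."""
    fake_secret = "-----BEGIN PLACEHOLDER-----\nnot-a-real-key\n-----END PLACEHOLDER-----\n"
    with ephemeral_secret_file(fake_secret) as path:
        private = file_is_private(path)
        with open(path) as fh:
            content_ok = fh.read() == fake_secret
        kept = path
    # returns (True, True, True): private perms, intact content, gone after the block
    return private, content_ok, not os.path.exists(kept)
```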