Context
Currently, when using age keys with SopsSyncProvider, users must provide the private key via environment variables or local files at CDK synthesis time. This creates several security and usability drawbacks:
- The private key becomes part of the CDK execution environment.
- CI/CD pipelines must store or inject the key.
- Local key management is required.
- The singleton Lambda must have the key injected as a plain environment variable.
Since SopsSyncProvider already performs decryption inside a Lambda function, it is both safer and more convenient to load the age private key directly from AWS Systems Manager Parameter Store (SecureString) at runtime.
Proposed feature:
CDK API
const sopsProvider = new SopsSyncProvider(this, 'SopsProvider');

// Passing a parameter name or a StringParameter reference:
sopsProvider.addAgeKeyFromSsmParameter('/sops/age/private-key');

// OR:
const keyParam = ssm.StringParameter.fromStringParameterName(
  this,
  'AgeKeyParam',
  '/sops/age/private-key',
);
sopsProvider.addAgeKeyFromSsmParameter(keyParam);
Implementation Outline
- CDK Constructs
  - addAgeKeyFromSsmParameter(param: string | IStringParameter, options?: AddAgeKeyFromSsmParameterOptions)
  - Store only the parameter name (/sops/age/private-key) in the Lambda environment variable.
  - Automatically grant the Lambda:
    - ssm:GetParameter
    - kms:Decrypt (if the SecureString is encrypted with a customer-managed KMS key)
- Lambda Runtime Logic
  - Read the parameter name(s) from the environment, e.g. SOPS_AGE_KEY_PARAMS=/sops/age/private-key
  - Call getParameter(Name=name, WithDecryption=true)
  - Extract the value and use it as AGE_SECRET_KEY in memory only for the duration of the sops execution.
  - Do not log or persist the value anywhere.
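The outline above has two halves, the construct-side wiring and the Lambda-side loading. The following is an added example, not cdk-sops-secrets code, that sketches both as plain TypeScript: the environment variable and IAM grants the construct would emit, and a runtime loader that fetches SecureString parameters and hands the key only to the sops child process. The parameter names, account and region values and the key strings are constructed placeholders, and the SSM client is an injected interface so the code runs offline against a fake store.

```typescript
// Added example, not the project's own code. Parameter names, account/region
// and key material below are constructed placeholders.

type Env = Record<string, string | undefined>;

// ---- Construct side: what addAgeKeyFromSsmParameter would configure ----

// The Lambda environment carries only parameter names, never key material.
function lambdaEnvFor(paramNames: string[]): Env {
  return { SOPS_AGE_KEY_PARAMS: paramNames.join(",") };
}

interface PolicyStatement { actions: string[]; resources: string[] }

// IAM grants the construct has to add. The parameter ARN drops the leading
// "/" after "parameter/"; keeping it produces an ARN that matches nothing.
// kms:Decrypt is only needed when a customer-managed key encrypts the
// SecureString; the AWS-managed aws/ssm key needs no extra grant.
function grantsFor(paramNames: string[], region: string, account: string, kmsKeyArn?: string): PolicyStatement[] {
  const paramArns = paramNames.map(
    (n) => `arn:aws:ssm:${region}:${account}:parameter/${n.replace(/^\/+/, "")}`,
  );
  const stmts: PolicyStatement[] = [{ actions: ["ssm:GetParameter"], resources: paramArns }];
  if (kmsKeyArn) stmts.push({ actions: ["kms:Decrypt"], resources: [kmsKeyArn] });
  return stmts;
}

// ---- Lambda runtime side ----

// Minimal, SDK-agnostic shape of the GetParameter call the loader relies on.
interface ParameterReader {
  getParameter(input: { Name: string; WithDecryption: boolean }): Promise<{ Parameter?: { Value?: string; Type?: string } }>;
}

// Split the comma-separated SOPS_AGE_KEY_PARAMS value into clean names.
function parseParamNames(raw: string | undefined): string[] {
  return (raw ?? "").split(",").map((s) => s.trim()).filter((s) => s.length > 0);
}

// age secret keys are Bech32 strings with this fixed prefix. Rejecting anything
// else catches a mis-pointed parameter (public key, empty value) up front, and
// the error message names the parameter, never the fetched value.
const AGE_SECRET_PREFIX = "AGE-SECRET-KEY-1";

async function loadAgeKeys(env: Env, ssm: ParameterReader): Promise<string[]> {
  const keys: string[] = [];
  for (const name of parseParamNames(env.SOPS_AGE_KEY_PARAMS)) {
    const resp = await ssm.getParameter({ Name: name, WithDecryption: true });
    const p = resp.Parameter;
    if (!p || p.Type !== "SecureString") throw new Error(`${name} is not a SecureString parameter`);
    const value = (p.Value ?? "").trim();
    if (!value.startsWith(AGE_SECRET_PREFIX)) throw new Error(`${name} does not hold an age secret key`);
    keys.push(value);
  }
  if (keys.length === 0) throw new Error("SOPS_AGE_KEY_PARAMS is empty");
  return keys;
}

// Environment for the sops child process only. The key exists in this object
// for the duration of the call and is never written to process.env or to disk;
// the parameter-name variable is dropped so sops does not see it either.
function sopsEnv(base: Env, keys: string[]): Env {
  const child: Env = { ...base, SOPS_AGE_KEY: keys.join("\n") };
  delete child.SOPS_AGE_KEY_PARAMS;
  return child;
}

// ---- Constructed fake parameter store for an offline run ----
const fakeStore: Record<string, { Value: string; Type: string }> = {
  "/sops/age/private-key": { Value: "AGE-SECRET-KEY-1EXAMPLEPLACEHOLDERNOTAREALKEY", Type: "SecureString" },
  "/sops/age/public-key": { Value: "age1exampleplaceholderpublickey", Type: "String" },
};
const fakeSsm: ParameterReader = {
  async getParameter({ Name }) {
    return Name in fakeStore ? { Parameter: { ...fakeStore[Name] } } : {};
  },
};
```

In the real Lambda the `ParameterReader` would be a thin wrapper around the SDK's GetParameter call, and `sopsEnv(process.env, keys)` would be passed as the `env` of the spawned sops process. Two checks are worth keeping from the sketch regardless of the final design: refusing parameters whose type is not SecureString (a plain String parameter silently stores the key unencrypted at rest), and validating the `AGE-SECRET-KEY-1` prefix so a wrong parameter fails without the value ever reaching a log line.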
Benefits
Security
- No private key is exposed to the CDK execution environment.
- No private key stored locally or in CI pipelines.
- No plaintext key stored in Lambda environment variables.
- Aligns with AWS-native secret management (SSM + KMS).
Usability
- Users manage age private keys in a single, secure AWS location.
- Easy integration with existing AWS workflows.
- Supports key rotation seamlessly.
Compatibility
- Does not replace or conflict with existing KMS workflows.
- Only enhances age-based configurations.