Would be great to be able to encrypt environment files using KMS, upload them to S3 and then have the lambda function decrypt them using an IAM policy. Currently they will be stored in plain text and available to anyone with S3 access.
So you would specify a KMS CMK ID in the Zappa config and a local env file to be encrypted, then when running zappa deploy it encrypts and uploads the env file and adds IAM decrypt policy to the lambda function.
I think if you're using S3 env vars for that purpose, you probably want to handle that description at the application layer, so you're not further locked in. It sounds like you want what #501 will offer anyway.
How does this actually work? From reading the docs it seems to me as if I could put a JSON file structured like this on S3 and refer to it as remote_env when specifying an aws_kms_key_arn:
```json
{
    "MY_SECRET_THING": "<ENCRYPTED_VALUE>"
}
```
but somehow the Lambda will use the encrypted value instead.
Workflow a bit like this - https://github.com/UKHomeOffice/s3secrets
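A sketch of the application-layer handling suggested in the reply above, added here as an example; it is not Zappa's code and not code from anyone in this thread. It assumes each JSON value is a base64-encoded KMS ciphertext and that the function's role has `kms:Decrypt` on the key; `load_encrypted_env`, `kms_decrypt` and the stand-in cipher are hypothetical names.

```python
import base64
import json
import os


def kms_decrypt(ciphertext: bytes) -> bytes:
    """Decrypt with AWS KMS; the execution role needs kms:Decrypt on the key."""
    import boto3  # imported lazily so the loader below can be exercised offline
    return boto3.client("kms").decrypt(CiphertextBlob=ciphertext)["Plaintext"]


def load_encrypted_env(raw_json: str, decrypt=kms_decrypt, environ=None) -> list:
    """Decrypt every value of a {"NAME": "<base64 ciphertext>"} document.

    Fails closed: if the document is malformed or any value does not
    decrypt, an exception is raised and nothing is written to environ.
    """
    environ = os.environ if environ is None else environ
    doc = json.loads(raw_json)
    if not isinstance(doc, dict):
        raise ValueError("env file must be a JSON object")
    decrypted = {}
    for name, value in doc.items():
        if not isinstance(value, str):
            raise ValueError(f"{name}: value must be a base64 string")
        blob = base64.b64decode(value, validate=True)
        decrypted[name] = decrypt(blob).decode("utf-8")
    environ.update(decrypted)  # reached only when every value decrypted
    return sorted(decrypted)   # names only, so plaintext never reaches logs


# Constructed stand-in for KMS so the example runs without AWS access.
def fake_encrypt(plaintext: bytes) -> bytes:
    return b"enc:" + plaintext[::-1]


def fake_decrypt(ciphertext: bytes) -> bytes:
    if not ciphertext.startswith(b"enc:"):
        raise ValueError("not a ciphertext")
    return ciphertext[4:][::-1]


# Constructed sample of the file that would sit in S3.
SAMPLE_ENV = json.dumps({
    "MY_SECRET_THING": base64.b64encode(fake_encrypt(b"constructed-secret")).decode()
})

if __name__ == "__main__":
    env = {}
    print(load_encrypted_env(SAMPLE_ENV, decrypt=fake_decrypt, environ=env))
```

With this layout, read access to the S3 object alone yields only ciphertext; recovering the values also requires `kms:Decrypt` on the key.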