Environment Variables - Serverless Architectures with AWS Lambda

Environment Variables

Software Development Life Cycle (SDLC) best practice dictates that developers separate their code and their config. You can achieve this by using environment variables with Lambda. Environment variables for Lambda functions enable you to dynamically pass data to your function code and libraries without making changes to your code. Environment variables are key-value pairs that you create and modify as part of your function configuration. By default, these variables are encrypted at rest. For any sensitive information that will be stored as a Lambda function environment variable, we recommend that you encrypt those values using the AWS Key Management Service (AWS KMS) prior to function creation and store the encrypted ciphertext as the variable value. Then have your Lambda function decrypt that variable in memory at execution time.
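The decrypt-in-memory pattern recommended above, sketched in Python as an added example (not code from the original whitepaper). The variable name `DB_PASSWORD_ENC`, the injectable `kms_client` parameter, and the `LambdaFunctionName` encryption context are assumptions; the value is assumed to be stored as base64-encoded KMS ciphertext.

```python
import base64
import os

_cache = {}  # plaintext kept only in memory, reused across warm invocations


def get_secret(name, kms_client=None, environ=None):
    """Return the plaintext for the KMS-encrypted environment variable `name`."""
    environ = os.environ if environ is None else environ
    if name in _cache:
        return _cache[name]
    if name not in environ:
        # Fail closed: a missing secret must not fall back to a default value.
        raise KeyError(f"environment variable {name} is not set")
    try:
        blob = base64.b64decode(environ[name], validate=True)
    except ValueError as exc:
        raise ValueError(f"{name} is not base64 ciphertext") from exc
    if kms_client is None:
        import boto3  # imported lazily so the module loads without the AWS SDK
        kms_client = boto3.client("kms")
    # Assumption: the value was encrypted with this encryption context, so the
    # ciphertext only decrypts when presented on behalf of the intended function.
    context = {"LambdaFunctionName": environ["AWS_LAMBDA_FUNCTION_NAME"]}
    resp = kms_client.decrypt(CiphertextBlob=blob, EncryptionContext=context)
    plaintext = resp["Plaintext"].decode("utf-8")
    _cache[name] = plaintext  # never written back to os.environ or logged
    return plaintext


def handler(event, context):
    db_password = get_secret("DB_PASSWORD_ENC")  # hypothetical variable name
    # ... use db_password to open the connection; return only non-secret data
    return {"secret_loaded": bool(db_password)}
```

The function's execution role needs `kms:Decrypt` on the key that produced the ciphertext; caching at module scope means KMS is called once per execution environment, not once per invocation.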

Here are some examples of how you might decide to use environment variables:

  • Log settings (FATAL, ERROR, INFO, DEBUG, etc.)

  • Dependency and/or database connection strings and credentials

  • Feature flags and toggles

Each version of your Lambda function can have its own environment variable values. However, once the values are established for a numbered Lambda function version, they cannot be changed. To make changes to your Lambda function environment variables, you can change them on the $LATEST version and then publish a new version that contains the new environment variable values. This enables you to always keep track of which environment variable values are associated with a previous version of your function. This is often important during a rollback procedure or when triaging the past state of an application.