This plugin allows you to use serverless framework to pull in parameter values from S3 when doing a deployment. This allows parameters to be centralized in a limited access s3 bucket, and not have those values visible in the cloudformation template.
Your originization requires automation for all deployments. You have a set of passwords which are for service accounts which need to be centralized and managed by another team (your originization's security team). These passwords need to be embedded in secrets across multiple accounts, but other than the secrets you don't want to expose these passwords in logs or in the cloudformation template itself.
Install the plugin into the directory your serverless.yml is located
npm install serverless-plugin-s3-parametersAdd the decouple plugin to your plugins, and add a custom variable to turn it on
plugins:
- serverless-plugin-s3-parameters
custom:
s3params:
bucket: mybucketname
prefix: lower-environments/
resources:
Parameters:
MySecret:
Type: String
NoEcho: "true"
Description: s3:mysecret.txtIn this example when the cloudformation is deployed the plugin will find "s3://mybucketname/lower-environments/mysecret.txt" and place its value in the parameters passed to cloudformation, which will be masked due to "NoEcho"