Serverless plugin that decrypts environment variables before deployment
Last updated 3 years ago by lithin.
$ cnpm install @connected-home/serverless-plugin-kms 


This serverless plugin is used when you need to store your sensitive environment variables in your codebase.

Why this approach

We prefer saving all config into repos so that we never have to handle git-ignored .env files that live on someone's machine. Checking sensitive data (such as API keys and OAuth tokens) into GitHub is obviously not safe; that's why we encrypt everything first. Then we just add it to the config and check it into the upstream repo so that the data is never lost.

Big shout-out to beavis07 for this solution.

How to use it

First, encrypt a variable with your us-east-1 KMS key. Then add the value to your serverless environment; the plugin does the rest.

You can define both encrypted and normal values; just make sure an encrypted value is an object with encrypted: true:

  "ENCRYPTED_TOKEN": {
    "encrypted": "true",
    "value": "encrypted-value"
  },
  "NORMAL_VARIABLE": "old-fashioned-value"

The plugin will translate this before deployment to:

  ENCRYPTED_TOKEN: "decrypted-value",
  NORMAL_VARIABLE: "old-fashioned-value"
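
The translation step described above, sketched as an added example (this is not the plugin's own code). The names `resolveEnvironment`, `isEncryptedEntry` and `fakeDecrypt` are hypothetical, and the KMS call is replaced by an injected stand-in so the block runs offline.

```javascript
// Added illustration, not the plugin's source. `decrypt` is a hypothetical
// injected function (base64 ciphertext) => Promise<string>; in a real build it
// would wrap a KMS Decrypt call in us-east-1.

// The page's sample uses the string "true"; the boolean is accepted as well.
function isEncryptedEntry(entry) {
  return (entry.encrypted === true || entry.encrypted === 'true') &&
    typeof entry.value === 'string' && entry.value !== '';
}

async function resolveEnvironment(environment, decrypt) {
  const resolved = {};
  for (const [name, entry] of Object.entries(environment)) {
    if (entry === null || typeof entry !== 'object') {
      resolved[name] = entry; // normal value: passed through unchanged
      continue;
    }
    if (!isEncryptedEntry(entry)) {
      // Fail closed: a malformed entry must stop the deploy, not ship as-is.
      throw new Error(`${name}: expected { encrypted: true, value: "<ciphertext>" }`);
    }
    try {
      resolved[name] = await decrypt(entry.value);
    } catch (err) {
      // Report the variable name only; never echo ciphertext or plaintext.
      throw new Error(`${name}: decryption failed (${err.message})`);
    }
  }
  return resolved;
}

// Constructed stand-in for KMS so the example runs offline: the "ciphertext"
// is only base64 of "kms:" + plaintext. It provides no confidentiality.
async function fakeDecrypt(b64) {
  const plain = Buffer.from(b64, 'base64').toString('utf8');
  if (!plain.startsWith('kms:')) throw new Error('InvalidCiphertext');
  return plain.slice(4);
}

// Constructed sample mirroring the page's environment block.
const sampleEnvironment = {
  ENCRYPTED_TOKEN: {
    encrypted: 'true',
    value: Buffer.from('kms:decrypted-value').toString('base64'),
  },
  NORMAL_VARIABLE: 'old-fashioned-value',
};

resolveEnvironment(sampleEnvironment, fakeDecrypt).then((env) => console.log(env));
```

Because decryption happens before deployment, the deployed function's environment holds the plaintext values, so read access to the function configuration needs the same protection as the KMS key.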


  • try it out with yaml defined environment variables
  • allow specifying KMS key and its region
  • add CLI tool to encrypt and decrypt keys on the fly
  • KMS key rotation

Current Tags

  • 1.0.2 (latest, 3 years ago)

3 Versions

  • 1.0.2 (3 years ago)
  • 1.0.1 (3 years ago)
  • 1.0.0 (3 years ago)