Set Non-secret Vars in AWS Serverless (SAM)

Here's how to set non-secret variables in sam config for local dev.

Serverless Application Model

AWS has a tool called Serverless Application Model, or SAM, that allows you to run commands for your application. For instance, I can invoke my Lambda or run it behind a local API Gateway.

Invoke a Function

You can invoke an AWS Lambda function locally, running it once, with the command:

aws local invoke MyFunctionName

Start as API

You can start a local API gateway that fronts your function, allowing you to address it with HTTP requests, with this command:

aws local start-api

Access Environment Variables

Once you have invoked or started your application, you will want to access an environment-specific variable. Depending on your programming language, that will happen differently. For JavaScript, for instance:


But how does it get there?

SAM Template

Your template.yaml will contain the value of MY_NONSECRET_THING. That will pass it into the runtime of your program.

TODO: fill in that syntax

SAM Config

Your samconfig.yaml will allow you to define a per-environment value for your variable. This happens in samconfig.yaml, not template.yaml.

In samconfig.yaml, you need a section for your non-secret variable when used in sam local invoke:

parameter_overrides = [

And then duplicated in a separate section for sam local start-api:

parameter_overrides = [

And just for completeness: Here's what you need for your deployed environments, such as production, here:

parameter_overrides = [

What about secrets?

Now, it's important that only your non-secret variables go into the samconfig.yaml. You don't want to commit your unencrypted secrets to source control.

But where will the secret variables go? It depends. Maybe in Vault or AWS Secrets Manager.