> ## Documentation Index
> Fetch the complete documentation index at: https://infisical-devin-1781641701-docs-github-pat-fine-grained.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# AWS Lambda

> How to use Infisical secrets in AWS Lambda

Learn how to sync Infisical secrets to AWS Lambda regardless of how you deploy your function. This guide covers the following strategies:

* Infisical SDKs
* AWS Secrets Manager integration
* AWS Systems Manager Parameter Store integration
* AWS CLI

## Choose your sync strategy

### 1. Fetch secrets at runtime with Infisical SDKs

If you control the Lambda code, the simplest method is to fetch secrets directly from Infisical using one of our SDKs.\
You can read more about the Infisical SDKs [here](/sdks/overview).

### 2. Push via secret sync

Configure a secret sync from your Infisical project, and Infisical will keep your Secrets Manager or Parameter Store values up to date. Your Lambda function can then reference those secrets directly.\
Learn more about the [AWS Secrets Manager integration](/integrations/secret-syncs/aws-secrets-manager) and the [AWS Parameter Store integration](/integrations/secret-syncs/aws-parameter-store).

### 3. Push environment variables directly using the AWS CLI

For straightforward workflows or quick rotations, you can push Infisical secrets directly into Lambda environment variables using the AWS CLI.

## Prerequisites

* AWS CLI v2 installed and authenticated
* `jq` installed locally
* An IAM principal with `lambda:UpdateFunctionConfiguration`
* Infisical CLI (`infisical`) configured

### IAM permissions

Attach a policy like the one below to the IAM user or role responsible for updating Lambda configuration:

```json theme={null}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LambdaConfig",
      "Effect": "Allow",
      "Action": ["lambda:UpdateFunctionConfiguration"],
      "Resource": "*"
    }
  ]
}
```

<Note>
  {" "}

  Replacing Lambda environment variables using the AWS CLI overwrites the entire
  `Variables` object. Make sure to export your current values so you can import them
  into Infisical.{" "}
</Note>

#### Push secrets to Lambda

Use the Infisical CLI to export secrets as JSON and pass them to the AWS CLI.
The example below targets a project by ID, but you can also use the `--project` and `--env` flags.
Learn more about `infisical export` [here](/cli/commands/export#infisical-export).

```bash theme={null}
FUNCTION_NAME=infisical-env-test
REGION=us-east-1
PROJECT_ID=1234567890

aws lambda update-function-configuration \
  --function-name "$FUNCTION_NAME" \
  --region "$REGION" \
  --environment "$(
    infisical export \
      --format=json \
      --projectId="$PROJECT_ID" \
    | jq 'map({(.key): .value}) | add | {Variables: .}'
  )"
```

On success, the updated `Environment.Variables` block will be returned.
Verify the values in the Lambda console or by invoking the function.

<Tip>
  Automate this step in CI/CD. Run `infisical export` using an Infisical Token
  scoped to your project and environment, and trigger the sync as part of your
  deployment workflow. Learn more about the [Infisical
  Token](/cli/commands/export#infisical-export:infisical-token).
</Tip>

<Note>
  We recommend using automatic secret syncs to AWS Secrets Manager or AWS
  Parameter Store to keep your secrets continuously in sync and avoid manually
  updating the Lambda configuration.
</Note>