Contact
LoginGet started

Serverless

Lambda Functions That Call APIs Without Storing Secrets

Environment variables are not a secret store. RequestRocket vaults your third-party API credentials and gives each Lambda function a scoped, authenticated proxy endpoint — the function authenticates to RequestRocket with its own short-lived credential, and RequestRocket handles upstream authentication transparently. Secrets never enter your functions, your logs, or your blast radius.

Cloud Native / SaaS
Backend Engineering Team
0
Secrets in Lambda Environment
< 2 min
Credential Rotation Time
100%
Third-Party Calls Logged

The Challenge

Lambda Functions Are Not Designed to Be Secret Stores

A SaaS backend used dozens of AWS Lambda functions to integrate with Stripe, SendGrid, Twilio, Salesforce, and other third-party APIs. Each function stored its credential in an environment variable. Secrets were duplicated across functions, rotations required redeployments, and CloudWatch logs occasionally captured key values in error traces.

Secrets Duplicated Across Functions

The Stripe API key was set as an environment variable in 8 separate Lambda functions. Rotating it required updating all 8 deployments — and forgetting even one may have caused production failures.

Keys Visible in CloudWatch Traces

Unhandled exceptions occasionally logged the full event payload or environment snapshot, exposing API keys in CloudWatch Logs accessible to anyone with read access to the log group.

No Call-Level Visibility

When a third-party API call failed, the only information available was what the Lambda function itself logged. There was no independent record of what was sent, what was received, or what the upstream response looked like.

Rotation Requires Redeployment

Every credential rotation was a multi-step deployment operation — update the Lambda environment variable, and redeploy each affected function. Zero-downtime was not always achievable.

The Solution

Translate Upstream Authentication Into Scoped Lambda Credentials

The team created a RequestRocket proxy for each third-party API and stored the real upstream API keys as encrypted RequestRocket credentials. Each Lambda function was issued its own scoped RequestRocket credential — the function authenticates to RequestRocket using that key, and RequestRocket handles upstream authentication transparently. No function ever holds an upstream credential. Rotating an upstream key now requires one change in RequestRocket with zero function redeployments.

How it works

  1. 1

    Create a RequestRocket target and proxy for each third-party API: Stripe, SendGrid, Twilio, Salesforce. Store the upstream API key as a RequestRocket credential encrypted in the vault.

  2. 2

    Issue one RequestRocket credential per Lambda function (or per function group) with authorization rules scoped to only the paths and methods that function needs to call.

  3. 3

    Update each Lambda function's environment variable from the upstream credential to the RequestRocket proxy base URL and RequestRocket credential.

  4. 4

    Remove the upstream credential from all Lambda environment variables, IAM policies, and Secrets Manager entries. The upstream credential is now stored only in RequestRocket.

  5. 5

    Monitor all Lambda-to-third-party API calls through the RequestRocket observability dashboard, including request/response metadata and any error details from the upstream.

The Results

Measurable Impact

0 Secrets Remaining

All upstream credentials removed from Lambda environment

No third-party credential is stored in any Lambda environment variable, SAM template, or CloudFormation stack. All upstream credentials live in RequestRocket's encrypted vault.

< 2 min Rotation

Credential rotation without redeployment

Rotating a Stripe or Twilio key now means updating one credential in RequestRocket. The change propagates immediately to every Lambda function that calls that proxy — no redeployments, no downtime.

100% Visibility

Full request/response log for every third-party call

Every Lambda-initiated API call is captured in RequestRocket's observability log with the function credential identity, endpoint, status, and latency — independent of CloudWatch and available for incident investigation.

Least Privilege

Per-function access control enforced

Each Lambda function's RequestRocket credential is scoped to only the proxy paths it legitimately calls. A function handling payment webhooks cannot use its key to call the Salesforce proxy.

FAQ

Frequently Asked Questions

Keep Reading

Related Case Studies

Artificial Intelligence

AI Agent Authentication

How an ML platform team eliminated credential exposure in AI agents by routing all downstream API calls through RequestRocket's credential vault.

0Long-lived Credentials Stored
< 5 minTime to Secure a New API
100%Requests Centrally Logged
Enterprise

Zero Trust API Access

How an enterprise security team implemented zero-trust principles for all third-party API integrations by centralising access through RequestRocket.

ZeroImplicit Trust Granted
Every CallAuthenticated and Verified
FullAudit Trail
SaaS

Multi-Tenant API Isolation

How a SaaS platform enforced complete per-tenant API isolation with individual rate limits and access rules using RequestRocket proxies and credentials.

100%Tenant Isolation Enforced
Per-TenantRate Limits and Rules
Real-TimePolicy Enforcement

Relevant RequestRocket Features

Authentication
Authorization
Observability
Enhance ISO 27001
Enhance SOC 2
Enhance GDPR
Enhance HIPAA

Add outbound API security
without changing code

Start on your own or talk to our team about improving the security of every API call you make.

Start for Free Book a Demo