Skip to main content
In this tutorial, you’ll learn how to update AWS Lambda environment variables using the AWS CLI and automate the process in a Jenkins CI/CD pipeline. We’ll cover:
  • Updating Lambda configuration with aws lambda update-function-configuration
  • Integrating environment updates and code deployment in Jenkins
  • Handling OWASP Dependency Check failures
  • Verifying updates in the AWS Lambda console

Updating Lambda Configuration with AWS CLI

The AWS CLI’s update-function-configuration command lets you modify Lambda settings, including environment variables. For full details, see the AWS CLI Command Reference.
The image shows a webpage from the AWS CLI Command Reference, specifically detailing the "update-function-configuration" command for AWS Lambda. It includes sections like description, synopsis, options, and examples.

Key Parameters

ParameterDescriptionExample
--function-nameName or ARN of the Lambda functionmy-function
--environmentJSON or shorthand for environment variablesVariables={KEY1=val1,KEY2=val2}

Environment Syntax

SyntaxFormat
Shorthand--environment Variables={Key1=val1,Key2=val2}
JSON--environment '{"Variables":{"Key1":"val1","Key2":"val2"}}' or via file://env.json
When using inline JSON on the command line, wrap the JSON in single quotes to avoid shell parsing errors.

Example: Update and Confirm

# Update environment variables
aws lambda update-function-configuration \
  --function-name my-function \
  --environment "Variables={BUCKET=amzn-s3-demo-bucket,KEY=file.txt}"

# Confirm the update
aws lambda get-function-configuration \
  --function-name my-function

Integrating with Jenkins

We’ll extend the Jenkinsfile to:
  1. Zip application code
  2. Upload the ZIP to S3
  3. Update Lambda environment variables
  4. Deploy new code to Lambda
Below is a sample pipeline and a breakdown of each stage.

Sample Jenkinsfile

pipeline {
  agent any

  environment {
    MONGO_URI          = "mongodb+srv://supercluster.d83jj.mongodb.net/superData"
    MONGO_DB_CREDS     = credentials('mongo-db-credentials')
    MONGO_USERNAME     = credentials('mongo-db-username')
    MONGO_PASSWORD     = credentials('mongo-db-password')
    SONAR_SCANNER_HOME = tool 'sonarqube-scanner-610'
    GITEA_TOKEN        = credentials('gitea-api-token')
  }

  stages {
    stage('Installing Dependencies') { steps { /* ... */ } }
    stage('Dependency Scanning')     { steps { /* ... */ } }
    stage('Unit Testing')            { steps { /* ... */ } }
    stage('Code Coverage')           { steps { /* ... */ } }
    stage('Deploy to AWS Lambda') {
      steps {
        // 1. Zip application code
        sh '''
          zip -qr solar-system-lambda-${BUILD_ID}.zip app* package* index.html node*
          ls -ltr solar-system-lambda-${BUILD_ID}.zip
        '''

        // 2. Upload ZIP to S3
        s3Upload(
          file: "solar-system-lambda-${BUILD_ID}.zip",
          bucket: 'solar-system-lambda-bucket'
        )

        // 3. Update Lambda configuration
        aws lambda update-function-configuration \
          --function-name solar-system-function \
          --environment '{"Variables":{"MONGO_USERNAME":"${MONGO_USERNAME}","MONGO_PASSWORD":"${MONGO_PASSWORD}","MONGO_URI":"${MONGO_URI}"}}'

        // 4. Deploy new code
        aws lambda update-function-code \
          --function-name solar-system-function \
          --s3-bucket solar-system-lambda-bucket \
          --s3-key solar-system-lambda-${BUILD_ID}.zip
      }
    }
  }
}

Pipeline Stages Overview

StagePurpose
Installing DependenciesInstall project dependencies (e.g., NPM, Maven)
Dependency ScanningRun npm audit and OWASP Dependency Check
Unit TestingExecute unit tests
Code CoverageGenerate coverage reports
Deploy to AWS LambdaZip code, upload to S3, update configuration and code

Handling OWASP Dependency Check Failures

If the OWASP scan reports critical vulnerabilities, you can configure the publisher to continue the build: 
stage('Dependency Scanning') {
  parallel {
    stage('NPM Dependency Audit') {
      steps {
        // npm audit steps
      }
    }
    stage('OWASP Dependency Check') {
      steps {
        dependencyCheck additionalArguments: '''
          --scan './'
          --out './'
          --format 'ALL'
          --disableYarnAudit
          --prettyPrint
        ''', odcInstallation: 'OWASP-DepCheck-10'
        dependencyCheckPublisher failedTotalCritical: 1, pattern: 'dependency-check-report.xml', stopBuild: false
      }
    }
  }
}
Setting stopBuild: false allows the pipeline to proceed despite critical vulnerabilities. Be sure to review the detailed report and address issues in your next sprint.
Pipeline logs will show any OWASP failures and continue execution.
The image shows a Jenkins pipeline interface for a project named "solar-system," highlighting a failed step in the "Dependency Scanning" stage due to an OWASP Dependency Check error.
The image shows a dependency check report from Jenkins, listing various software dependencies, their vulnerability IDs, severity levels, and other related details. The report highlights a critical vulnerability in the "y18n" package.

Verifying on AWS Lambda Console

Once the pipeline succeeds, open the AWS Lambda console and navigate to the Configuration tab to confirm the new environment variables:
The image shows an AWS Lambda console with the "Configuration" tab open, displaying environment variables for a function, including keys and values for MongoDB connection details.

Testing the Application

Invoke your function’s endpoint or run a test to ensure it’s using the updated variables and code: 
{
  "status": "live"
}
If you receive a 200 OK response with {"status":"live"}, your Lambda update was successful.

Watch Video