Suggest a good workflow for securely setting Claudia.js/AWS Lambda environment variables during deployment

The current setup is:

  • our backend API is deployed as an AWS Lambda, configured/managed by Claudia.js
  • dev env vars are stored in dev.json and prod env vars in prod.json, both committed to the repo
  • pushes to the dev/master branches trigger a CircleCI build and deploy workflow
  • claudia update --version dev --update-env-from-json env/dev.json is called, setting the env vars and doing the deployment to AWS

This works OK for now, but I’m not that happy with it, since secret keys and so on are being stored in dev.json and committed to the repo (insecure).

I’d rather the env vars were stored in CircleCI and then injected into the claudia deployment during the build and deploy workflow. How can this best be achieved?

Another option could be bypassing claudia and using CircleCI to update the Lambda env vars directly in AWS.
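
One way to do the injection the question describes, as an added example that is not part of the original post: the deploy step builds the JSON file from variables the CI job already holds, passes it to the same `--update-env-from-json` flag, and deletes it afterwards. The function names and the variable names `DATABASE_URL` and `API_SECRET` are hypothetical, and the script assumes the secrets are defined as environment variables of the CI job.

```shell
#!/bin/sh
# Added example: build claudia's env JSON from CI variables at deploy time,
# so no secrets file has to live in the repository.

# json_escape VALUE: escape backslashes and double quotes for a JSON string.
# Values with control characters (newline, tab) are rejected, not guessed at.
json_escape() {
  [ "$(printf '%s' "$1" | tr -d '[:cntrl:]')" = "$1" ] || return 1
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# write_env_json OUTFILE NAME...: write {"NAME":"value",...} from the environment.
# Returns non-zero if a name is malformed or its variable is unset or empty,
# so a deploy never goes out with a missing secret.
write_env_json() (
  out="$1"; shift
  body=""; sep=""
  for name in "$@"; do
    case "$name" in
      ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) echo "bad variable name" >&2; return 1 ;;
    esac
    eval "value=\${$name:-}"   # safe: $name was validated as an identifier
    [ -n "$value" ] || { echo "missing variable: $name" >&2; return 1; }
    escaped="$(json_escape "$value")" || { echo "control char in $name" >&2; return 1; }
    body="${body}${sep}\"${name}\":\"${escaped}\""
    sep=","
  done
  umask 077   # owner-only file; the subshell body keeps this umask local
  printf '{%s}\n' "$body" > "$out"
)

# deploy_lambda VERSION NAME...: generate the file, hand it to claudia, delete it.
deploy_lambda() (
  version="$1"; shift
  tmp="$(mktemp)" || exit 1
  trap 'rm -f "$tmp"' EXIT
  write_env_json "$tmp" "$@" || exit 1
  claudia update --version "$version" --update-env-from-json "$tmp"
)

# CI deploy step (DATABASE_URL and API_SECRET are hypothetical names):
#   sh deploy.sh deploy dev DATABASE_URL API_SECRET
if [ "${1:-}" = "deploy" ]; then shift; deploy_lambda "$@"; fi
```

With the values held in the CI project's environment variable settings, env/dev.json and env/prod.json can be removed from the repository; keys that were already committed remain in the git history and should be rotated.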