Lambda Caching Multiple Secret Values

0

Hi, I have a lambda function written in Go. We implemented the secret caching using the AWS SDK, which works great. We require support for the previous secret value as well, but the AWS SDK documentation only mentions caching 1 single value, which is the latest version's value.

I wonder if it is possible to cache up to 3 secret values? Does AWS SDK support this feature? Do we have to implement our own caching, any idea how to do this in Go?

Currently, the lambda caches 1 secret version; when the old version is used, the lambda will request secret version IDs from the secret manager and iterate through them to get the correct secret. The problem with this approach is that we are hitting the 50/second ListSecretVersionIds limit.

2 Answers
0

When you mention caching any secret, does it include a ListSecretVersionIds cache?

answered 4 months ago
  • Curious why you would need a list of secret version ids? There's only 3 version stages per secret and you can pull each one of them using this method. Secrets Manager doesn't store a linear history of secrets with versions. Instead, it keeps track of three specific versions by labelling them:

    • The current version - AWSCURRENT
    • The previous version - AWSPREVIOUS
    • The pending version (during rotation) - AWSPENDING

    Just call GET: /secretsmanager/get?secretId=secretId&versionStage=AWSCURRENT

  • Our client keeps the value for up to some time, and the key rotations on the server are set every few months. We want to cover the possibility of forcing key rotations that might be sooner than the client update on the secret value, so we at least need to support up to 3 versions. AWSCURRENT and AWSPREVIOUS are just not enough, and AWSPENDING is out of the question since we do not use the AWS key rotation feature and instead implement our own key rotation on schedule.

  • You can get any version stage you wish and cache it. That was just an example.

0

If you want to cache in lambda you should use this layer, which doesn't require/use the SDK. It should cache any secret or SSM parameter it retrieves.

https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_lambda.html

There's only 3 version stages per secret and you can pull each one of them using this method. Secrets Manager doesn't store a linear history of secrets with versions. Instead, it keeps track of three specific versions by labelling them:

  • The current version - AWSCURRENT
  • The previous version - AWSPREVIOUS
  • The pending version (during rotation) - AWSPENDING

Just call whichever version you require, such as GET: /secretsmanager/get?secretId=secretId&versionStage=AWSCURRENT

EXPERT
answered 4 months ago
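Both answers make the same point: pull each staging label separately and cache it, instead of listing version ids. The following Go code is an added example, not code from the question or from either answer, showing how such a per-label cache could look in the language the question asks about. It goes slightly beyond the answers: it is keyed by (secret, label) for any label, not only the three built-in ones, and it caches the absence of a label (AWSPENDING outside a rotation) so a non-existent stage does not cost an API call on every request. `VersionFetcher` is an assumed function type standing in for a wrapper around the SDK's GetSecretValue call with VersionStage set; `sampleStore`, the secret name `app/api-key` and the values `key-v2`/`key-v3` are constructed sample data so the block runs without AWS credentials.

```go
package main

import (
	"errors"
	"time"
)

// Staging labels Secrets Manager attaches to versions, as listed in the answer.
const (
	StageCurrent  = "AWSCURRENT"
	StagePrevious = "AWSPREVIOUS"
	StagePending  = "AWSPENDING"
)

var (
	// No version carries the label; a real fetcher maps ResourceNotFoundException to this.
	ErrStageNotFound = errors.New("no version carries the requested staging label")
	// Resolve walked every stage without accept returning true.
	ErrNoMatchingVersion = errors.New("no cached secret version matched")
)

// VersionFetcher fetches one version by staging label. In production it would wrap
// GetSecretValue with VersionStage set; it is an assumed type so the example runs offline.
type VersionFetcher func(secretID, stage string) (string, error)

type cachedVersion struct {
	value   string
	missing bool // negative entry: the label had no version when last fetched
	expires time.Time
}

// StagedSecretCache keeps one entry per (secret, stage) pair, so AWSCURRENT, AWSPREVIOUS
// and further labels sit side by side and a stale client key never needs ListSecretVersionIds.
type StagedSecretCache struct {
	fetch   VersionFetcher
	ttl     time.Duration
	now     func() time.Time // injectable clock for tests
	entries map[string]cachedVersion
}

func NewStagedSecretCache(fetch VersionFetcher, ttl time.Duration) *StagedSecretCache {
	return &StagedSecretCache{fetch: fetch, ttl: ttl, now: time.Now, entries: map[string]cachedVersion{}}
}

// Get returns one stage's value, calling the fetcher only when the entry is absent or past
// its TTL. Missing labels are cached too, so AWSPENDING outside rotation costs one call per TTL.
func (c *StagedSecretCache) Get(secretID, stage string) (string, error) {
	key := secretID + "\x00" + stage
	e, ok := c.entries[key]
	if !ok || !c.now().Before(e.expires) {
		value, err := c.fetch(secretID, stage)
		switch {
		case errors.Is(err, ErrStageNotFound):
			e = cachedVersion{missing: true}
		case err != nil:
			return "", err // transient errors are not cached; the caller retries
		default:
			e = cachedVersion{value: value}
		}
		e.expires = c.now().Add(c.ttl)
		c.entries[key] = e
	}
	if e.missing {
		return "", ErrStageNotFound
	}
	return e.value, nil
}

// Resolve tries the stages in order and returns the first whose value satisfies accept
// (e.g. a constant-time comparison with the key a client presented). Absent stages are skipped.
func (c *StagedSecretCache) Resolve(secretID string, stages []string, accept func(string) bool) (string, error) {
	for _, stage := range stages {
		value, err := c.Get(secretID, stage)
		if errors.Is(err, ErrStageNotFound) {
			continue
		} else if err != nil {
			return "", err
		}
		if accept(value) {
			return stage, nil
		}
	}
	return "", ErrNoMatchingVersion
}

// sampleStore is constructed data standing in for Secrets Manager; calls counts simulated API requests.
type sampleStore struct {
	versions map[string]string // stage -> value
	calls    int
}

func (s *sampleStore) fetch(_ string, stage string) (string, error) {
	s.calls++
	if v, ok := s.versions[stage]; ok {
		return v, nil
	}
	return "", ErrStageNotFound
}
```

A handler would build the cache once at init time and call `Resolve("app/api-key", []string{StageCurrent, StagePrevious}, accept)` per request, where `accept` compares the cached value with whatever the client presented; a client still holding the previous key then matches AWSPREVIOUS from memory, and Secrets Manager is only called once per label per TTL. The cache has no mutex because a Lambda execution environment handles one invocation at a time; add one if the handler fans out into goroutines. Since entries are keyed by label, a third version reachable under a custom staging label would be cached the same way, but attaching such a label is outside what the answers describe and is an assumption of this example.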
