How can I configure my Lambda function to connect to an Amazon RDS database using Amazon RDS Proxy?

4 minute read

I want to configure my AWS Lambda function to connect to an Amazon Relational Database Service (Amazon RDS) database using Amazon RDS Proxy.

Short description

You can create an Amazon RDS Proxy database for your Lambda function. A database proxy manages a pool of database connections and relays queries from a function. This lets a function reach high concurrency levels without exhausting database connections.

For more information, see Configuring database access for a Lambda function.

Resolution

Follow these instructions to configure Amazon RDS Proxy with a Lambda function.

Note: Amazon RDS Proxy must be in the same Amazon Virtual Private Cloud (Amazon VPC) as the Amazon RDS database. Configure the Lambda function with Amazon VPC to access the Amazon RDS Proxy.

Step 1: Create database credentials in AWS Secrets Manager

1. Open the Secrets Manager console, and then choose Store a new secret.

2. For Secret type, choose Credentials for RDS Database.

3. Enter the user name and password for your Amazon RDS database instance.

4. For Encryption key, choose the AWS Key Management Service (AWS KMS) key that Secrets Manager uses to encrypt the secret value**.**

5. For Database, choose your database, and then choose Next.

6. For Secret name, enter a name, choose Next, choose Next again, and then choose Store.

7. In Secrets, choose the Secrets Manager secret that you created.

8. In Secret ARN, copy the ARN to use in another step.

For more information, see Create an AWS Secrets Manager database secret.

Step 2: Create an AWS Identity and Access Management (IAM) policy and role for Amazon RDS Proxy

Create an IAM role with permission to use the secret, and then create a trust policy that allows Amazon RDS to assume the role.

Example IAM Secrets Manager policy

Note: Replace Secret_ARN with the Secrets Manager ARN that you previously copied**.**

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:ListSecretVersionIds"
      ],
      "Resource": [
        "[Secret_ARN]"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetRandomPassword",
        "secretsmanager:ListSecrets"
      ],
      "Resource": "*"
    }
  ]
}

Example IAM RDS trust policy

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Sid": "",
   "Effect": "Allow",
   "Principal": {
    "Service": "rds.amazonaws.com"
   },
   "Action": "sts:AssumeRole"
  }
 ]
}

Step 3: Create and attach an RDS proxy to a Lambda function

1. Open the Functions page in the Lambda console.

2. In Functions, choose your Lambda function.

3. Choose Configuration, and then choose Add database proxies.

4. Enter the following variables:
Proxy identifier: The name of the proxy.
RDS DB instance: A supported MySQL or PostgreSQL DB instance or cluster.
Secret: The Secrets Manager that you created.
IAM role: The IAM role that you created.
Authentication: Choose Password to connect with database credentials or choose Execution role to use the function's IAM credentials for authentication.

5. Choose Add.

The proxy creation takes a few minutes to complete. When the proxy is available, configure your function to connect to the proxy endpoint instead of the database endpoint. For more information, see Creating a database proxy (console).

Step 4: (Optional) Confirm that your Amazon RDS Proxy is using IAM authentication

The following steps are required only if you're using the Lambda execution role to authenticate to Amazon RDS Proxy.

1. Open the Amazon RDS console.

2. In the navigation pane, choose Proxies, and then choose your proxy.

3. Choose Actions, and then choose Modify.

4. In Connectivity module, make sure that IAM Authentication is set to Required.

Note: If you experience connection issues, then see Why can't I connect to my Amazon RDS DB or Amazon Aurora DB instance using RDS Proxy? For more information, see Using Amazon RDS Proxy with AWS Lambda.

Related information

How do I troubleshoot connection timeout errors from Lambda when trying to access an Amazon RDS DB instance?

How do I configure a Lambda function to connect to an RDS instance?

How do I resolve the "Lambda could not update the function's execution role" error when attaching Amazon RDS Proxy to a Lambda function?

Topics

Serverless Compute

Relevant content

Troubleshooting SSL Configuration for AWS Lambda to Amazon RDS PostgreSQL Connection
rePost-User-1506060
asked 8 months ago
Can't connect lambda to RDS Proxy
devRePost
asked a month ago
Can't connect to database via RDS proxy
Accepted Answer
superspaces
asked a year ago
Handler error when connecting lambda function to RDS database
AWS-User-0616660
asked 2 years ago
How to connect lambda function with RDS Databases with CFT
HingeAjit
asked 2 months ago
Why can't I connect to my Amazon RDS DB or Amazon Aurora DB instance using RDS Proxy?
AWS OFFICIALUpdated a year ago
How do I use Amazon RDS Proxy to connect to my Amazon RDS for MySQL DB instance or Aurora MySQL-Compatible DB cluster?
AWS OFFICIALUpdated 8 months ago
How do I configure a Lambda function to connect to an RDS instance?
AWS OFFICIALUpdated a year ago
How can I use an SSL connection to connect to my Amazon RDS for Oracle DB instance?
AWS OFFICIALUpdated 2 months ago
Amazon RDS now supports AWS Graviton3-based M7g and R7g database instances
EXPERT
Markus Adhiwiyogo
published a year ago