How can I configure my Lambda function to connect to an Amazon RDS database using Amazon RDS Proxy?

4 minute read
0

I want to configure my AWS Lambda function to connect to an Amazon Relational Database Service (Amazon RDS) database using Amazon RDS Proxy.

Short description

You can create an Amazon RDS Proxy database for your Lambda function. A database proxy manages a pool of database connections and relays queries from a function. This lets a function reach high concurrency levels without exhausting database connections.

For more information, see Configuring database access for a Lambda function.

Resolution

Follow these instructions to configure Amazon RDS Proxy with a Lambda function.

Note: Amazon RDS Proxy must be in the same Amazon Virtual Private Cloud (Amazon VPC) as the Amazon RDS database. Configure the Lambda function with Amazon VPC to access the Amazon RDS Proxy.

Step 1: Create database credentials in AWS Secrets Manager

1.    Open the Secrets Manager console, and then choose Store a new secret.

2.    For Secret type, choose Credentials for RDS Database.

3.    Enter the user name and password for your Amazon RDS database instance.

4.    For Encryption key, choose the AWS Key Management Service (AWS KMS) key that Secrets Manager uses to encrypt the secret value**.**

5.    For Database, choose your database, and then choose Next.

6.    For Secret name, enter a name, choose Next, choose Next again, and then choose Store.

7.    In Secrets, choose the Secrets Manager secret that you created.

8.    In Secret ARN, copy the ARN to use in another step.

For more information, see Create an AWS Secrets Manager database secret.

Step 2: Create an AWS Identity and Access Management (IAM) policy and role for Amazon RDS Proxy

Create an IAM role with permission to use the secret, and then create a trust policy that allows Amazon RDS to assume the role.

Example IAM Secrets Manager policy

Note: Replace Secret_ARN with the Secrets Manager ARN that you previously copied**.**

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:ListSecretVersionIds"
      ],
      "Resource": [
        "[Secret_ARN]"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetRandomPassword",
        "secretsmanager:ListSecrets"
      ],
      "Resource": "*"
    }
  ]
}

Example IAM RDS trust policy

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Sid": "",
   "Effect": "Allow",
   "Principal": {
    "Service": "rds.amazonaws.com"
   },
   "Action": "sts:AssumeRole"
  }
 ]
}

Step 3: Create and attach an RDS proxy to a Lambda function

1.    Open the Functions page in the Lambda console.

2.    In Functions, choose your Lambda function.

3.    Choose Configuration, and then choose Add database proxies.

4.    Enter the following variables:
Proxy identifier: The name of the proxy.
RDS DB instance:  A supported MySQL or PostgreSQL DB instance or cluster.
Secret: The Secrets Manager that you created.
IAM role: The IAM role that you created.
Authentication: Choose Password to connect with database credentials or choose Execution role to use the function's IAM credentials for authentication.

5.    Choose Add.

The proxy creation takes a few minutes to complete. When the proxy is available, configure your function to connect to the proxy endpoint instead of the database endpoint. For more information, see Creating a database proxy (console).

Step 4: (Optional) Confirm that your Amazon RDS Proxy is using IAM authentication

The following steps are required only if you're using the Lambda execution role to authenticate to Amazon RDS Proxy.

1.    Open the Amazon RDS console.

2.    In the navigation pane, choose Proxies, and then choose your proxy.

3.    Choose Actions, and then choose Modify.

4.    In Connectivity module, make sure that IAM Authentication is set to Required.

Note: If you experience connection issues, then see Why can't I connect to my Amazon RDS DB or Amazon Aurora DB instance using RDS Proxy? For more information, see Using Amazon RDS Proxy with AWS Lambda.


Related information

How do I troubleshoot connection timeout errors from Lambda when trying to access an Amazon RDS DB instance?

How do I configure a Lambda function to connect to an RDS instance?

How do I resolve the "Lambda could not update the function's execution role" error when attaching Amazon RDS Proxy to a Lambda function?

AWS OFFICIAL
AWS OFFICIALUpdated 2 years ago
3 Comments

Can you please how to connect the lambda function with RDS function using CloudFormation Template?

replied 8 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied 8 months ago

Comment about "Step 3: Create and attach an RDS proxy to a Lambda function" 3. step: "Choose Configuration, and then choose Add database proxies." There is no such menu in the lambda console at the time of this writing.

profile picture
replied a month ago