Lambda Caching Multiple Secret Values

0

Hi, I have a Lambda function written in Go. We implemented secret caching using the AWS SDK, which works great. We require support for the previous secret value as well, but the AWS SDK documentation only mentions caching a single value, the latest version's value.

I wonder if it is possible to cache up to 3 secret values. Does the AWS SDK support this feature? Do we have to implement our own caching? Any idea how to do this in Go?

Currently, the Lambda caches 1 secret version; when the old version is used, the Lambda will request secret version IDs from Secrets Manager and iterate through them to get the correct secret. The problem with this approach is that we are hitting the 50/second ListSecretVersionIds limit.

2 Answers
0

When you mention caching any secret, does it include a ListSecretVersionIds cache?

answered 4 months ago
  • Curious why you would need a list of secret version IDs? There are only 3 version stages per secret and you can pull each one of them using this method. Secrets Manager doesn't store a linear history of secrets with versions. Instead, it keeps track of three specific versions by labelling them:

    • The current version - AWSCURRENT
    • The previous version - AWSPREVIOUS
    • The pending version (during rotation) - AWSPENDING

    Just call GET: /secretsmanager/get?secretId=secretId&versionStage=AWSCURRENT

  • Our client keeps the value for up to some time, and the key rotations on the server are set every few months. We want to cover the possibility of forcing key rotations that might be sooner than the client update on the secret value, so we at least need to support up to 3 versions. AWSCURRENT and AWSPREVIOUS are just not enough, and AWSPENDING is out of the question since we do not use the AWS key rotation feature and instead implement our own key rotation on schedule.

  • You can get any version stage you wish and cache it. That was just an example.

0

If you want to cache in Lambda, you should use this layer, which doesn't require/use the SDK. It should cache any secret or SSM parameter it retrieves.

https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_lambda.html

There are only 3 version stages per secret and you can pull each one of them using this method. Secrets Manager doesn't store a linear history of secrets with versions. Instead, it keeps track of three specific versions by labelling them:

  • The current version - AWSCURRENT
  • The previous version - AWSPREVIOUS
  • The pending version (during rotation) - AWSPENDING

Just call whichever version you require, such as GET: /secretsmanager/get?secretId=secretId&versionStage=AWSCURRENT

answered 4 months ago
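The question asks how to keep more than one version cached in Go, and the answer above says to fetch each stage you need and cache it. The following is an added example, not code from the thread, the AWS SDK or the Lambda extension: a small in-process cache keyed by (secret ID, version stage) with a TTL, so AWSCURRENT and AWSPREVIOUS are held as separate entries and a miss costs one GetSecretValue call rather than a ListSecretVersionIds scan. The `SecretFetcher` interface and `StageCache` type are assumptions introduced here; a real implementation would satisfy the interface by wrapping the SDK client's GetSecretValue call with the stage passed as the request's VersionStage field (that wiring is not shown).

```go
package main

import (
	"context"
	"fmt"
	"sync"
	"time"
)

// SecretFetcher abstracts Secrets Manager's GetSecretValue so the cache runs offline;
// a real implementation wraps the AWS SDK client and passes versionStage through
// as the request's VersionStage field (assumed wiring, not shown here).
type SecretFetcher interface {
	GetSecretValue(ctx context.Context, secretID, versionStage string) (string, error)
}

type key struct{ id, stage string }

type entry struct {
	value   string
	expires time.Time
}

// StageCache keeps one TTL-bounded value per (secretID, versionStage) pair, so
// AWSCURRENT, AWSPREVIOUS and any custom label are cached independently and a
// miss on one stage costs one GetSecretValue call, never a ListSecretVersionIds scan.
type StageCache struct {
	mu      sync.Mutex
	ttl     time.Duration
	fetcher SecretFetcher
	items   map[key]entry
}

func NewStageCache(f SecretFetcher, ttl time.Duration) *StageCache {
	return &StageCache{ttl: ttl, fetcher: f, items: map[key]entry{}}
}

// Get serves from cache while fresh; a miss or expiry fetches only that stage.
// Errors are not cached, so a transient failure is retried on the next call.
func (c *StageCache) Get(ctx context.Context, secretID, stage string) (string, error) {
	k := key{secretID, stage}
	c.mu.Lock()
	defer c.mu.Unlock()
	if e, ok := c.items[k]; ok && time.Now().Before(e.expires) {
		return e.value, nil
	}
	v, err := c.fetcher.GetSecretValue(ctx, secretID, stage)
	if err != nil {
		return "", fmt.Errorf("get %s@%s: %w", secretID, stage, err)
	}
	c.items[k] = entry{value: v, expires: time.Now().Add(c.ttl)}
	return v, nil
}
```

Pick the TTL to match how long the function may keep serving a rotated value; a short TTL keeps the cache honest after an out-of-band rotation at the cost of a few more GetSecretValue calls.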
