Accessing Secrets Manager in Free Tier

0

Question

VPC endpoint costs about $7/month. I'm mostly using Free Tier services. Is there a way to access PostgreSQL RDS database credentials stored in Secrets Manager from Lambda functions in a VPC for little money using the Free Tier? If not, what's the best practice here?

More Details

I'm learning about serverless application development. I'm creating a simple application using lots of Free Tier services including PostgreSQL in RDS, Lambda, API Gateway, Cognito, Aurora, CodeCommit, CodeBuild, CodePipeline. Most of my usage falls under the Free Tier. My only costs so far:

  • Domain registration, ~$17/year
  • Zone hosting in Route 53, ~$0.51/month
  • One secret in Secrets Manager, ~$0.40/month
  • VPC endpoint for Lambda to access the secret, ~$7/month

The biggest cost above is the VPC endpoint. $7/month seems like a lot of money to access a database secret. Perhaps I should be happy to get all this great stuff for ~$8/month. However, eventually I'm going to come out of the Free Tier and I'm still going to be paying $7/month to access a database secret, plus all the new costs.

  • Can you describe more? What is the actual use case of the VPC endpoint? Just to connect to the RDS DB?

  • @GK It's used by my Lambda functions to retrieve the database credentials from the Secrets Manager. It's not used directly in connecting to the RDS instance since the RDS instance is in the same VPC.

3 Answers
0
Accepted Answer

I think I found a solution:

  1. Enabled IPv6 on my VPC: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-migrate-ipv6.html
  2. Created an egress-only internet gateway, and set up routes for IPv6: https://docs.aws.amazon.com/vpc/latest/userguide/egress-only-internet-gateway.html
  3. Enabled IPv6 dual stack for all my Lambda functions.
  4. Deleted the VPC endpoint.

My Lambda functions now appear to be working without the VPC endpoint. I assume they are now accessing Secrets Manager over IPv6. I think with this setup I'm only paying for the secret, and for the traffic routed through the egress only internet gateway.

David
answered 6 days ago
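
One way to check the setup from the answer above, as an added example that is not part of the original post: it takes dictionaries shaped like boto3 `describe_route_tables` and `get_function_configuration` responses and reports any Lambda subnet that lacks an IPv6 default route to an egress-only internet gateway. The function names, resource IDs and sample data are constructed, and the route tables are assumed to be already fetched and limited to the function's VPC.

```python
# Added example: offline check of the IPv6 egress setup described in the answer.
# Inputs mirror boto3 ec2.describe_route_tables() / lambda.get_function_configuration()
# response shapes. Assumption: route_tables holds only the function's VPC.

def subnet_route_table(subnet_id, route_tables):
    """Return the table explicitly associated with subnet_id, else the VPC main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def check_lambda_ipv6_egress(fn_config, route_tables):
    """Return a list of findings; an empty list means the setup matches the steps."""
    findings = []
    vpc = fn_config.get("VpcConfig", {})
    if not vpc.get("Ipv6AllowedForDualStack"):
        findings.append("Lambda dual-stack (Ipv6AllowedForDualStack) is not enabled")
    for subnet_id in vpc.get("SubnetIds", []):
        rt = subnet_route_table(subnet_id, route_tables)
        routes = rt.get("Routes", []) if rt else []
        v6_default = [r for r in routes if r.get("DestinationIpv6CidrBlock") == "::/0"]
        if not any(r.get("EgressOnlyInternetGatewayId") for r in v6_default):
            findings.append(f"{subnet_id}: no ::/0 route to an egress-only internet gateway")
        # A ::/0 route to a regular internet gateway (igw-...) also permits inbound IPv6.
        if any(r.get("GatewayId", "").startswith("igw-") for r in v6_default):
            findings.append(f"{subnet_id}: ::/0 points at a regular internet gateway")
    return findings

# Constructed sample data (IDs and names are placeholders, not from the post).
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-0example1", "Associations": [{"SubnetId": "subnet-0aaa"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationIpv6CidrBlock": "::/0",
                 "EgressOnlyInternetGatewayId": "eigw-0example"}]},
    {"RouteTableId": "rtb-0example2", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]
SAMPLE_FUNCTION = {"FunctionName": "get-db-secret", "VpcConfig": {
    "SubnetIds": ["subnet-0aaa", "subnet-0bbb"], "Ipv6AllowedForDualStack": True}}

if __name__ == "__main__":
    for finding in check_lambda_ipv6_egress(SAMPLE_FUNCTION, SAMPLE_ROUTE_TABLES):
        print(finding)
```

In the sample, `subnet-0bbb` falls back to the main route table, which has no IPv6 default route, so a function instance placed in that subnet would not reach Secrets Manager once the VPC endpoint is gone.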
0

Hi

Okay, let's do it this way to stick with ONLY Free Tier without paying more to AWS:

  • Create the Lambda function inside the VPC with a public subnet
  • Use Parameter Store to store the credentials of the RDS - FREE of Charge Standard type

For learning purposes, using Parameter Store in a public subnet can be a good starting point. Just be aware of the security limitations. If you plan to transition to production eventually, consider using a VPC Endpoint with Secrets Manager for better security practices. The cost is minimal, and it provides a more robust solution.

GK
answered 10 days ago
0

Hello.

How about changing the subnet associated with Lambda to a public subnet and setting an Elastic IP directly on the ENI?
https://aws.amazon.com/vpc/pricing/?nc1=h_ls

An Elastic IP address costs $0.005 per hour, so if you only have one Elastic IP address, it costs $3.60 per month.
Therefore, as introduced in the blog below, if you set an Elastic IP directly on Lambda's ENI, it may be slightly cheaper to use than a VPC endpoint.
https://theburningmonk.com/2023/09/static-ip-for-lambda-ingress-egress-and-bypassing-the-dreaded-nat-gateway/

EXPERT
answered 10 days ago
