By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

What is the best way to retrieve secret from AWS PS from within a AWS LambdaFunction?

0

The lambda function will only be triggered once every hour. The lambda function is a Spring microservice to check if data is stale from a downstream service and will act accordingly. This service (this endpoint) requires a key to access the downstream service.

I read so many different ways in the documentation that I got lost. For instance with or without SDK. (I guess better without so no code change are required?) With or without cache. (no need as calling only once an hour doesn't necessitate a cache?) With or without using an additional layer or using an extension. ( this part I do not know what to consider to come up with informed decision). Are there any other things I should take into consideration?

The documentation explains how I can do it but I am not sure which solution would be best and what I should consider to make a good informed decision. Any help would be very much appreciated.

Topics
ServerlessComputeDevOpsMicroservicesManagement & Governance
Tags
AWS LambdaDevOpsMicroservicesParameter Store
Language
English
Liliane
asked 6 months ago216 views
2 Answers
1
Accepted Answer

Hi,

AWS Lambda extension is relatively a newer but better option in case you have to fetch parameters/secrets from the Parameter Store.
Especially because it reduces the no. of API calls made to the Parameter Store, hence reducing latency and cost.

In your case, it does not make any difference in terms of cost, since you have just 1 parameter which is fetched 24 times a day.
However, having a separate layer for handling parameters allows you to separate the logic of fetching parameters and other operational tasks from your core business logic, hence introducing separation of concern, and making your code cleaner.

Now, it's up to you, if you want a simpler approach with full control over how you fetch and process parameters, and you are okay with making a few changes to your existing code, then use SDK.
Or else, if you want a streamlined approach without modifying your function code significantly, then use Lambda extensions.
Hope this helps you make an informed decision.

References:
[1] https://docs.aws.amazon.com/systems-manager/latest/userguide/ps-integration-lambda-extensions.html
[2] https://aws.amazon.com/blogs/compute/using-the-aws-parameter-and-secrets-lambda-extension-to-cache-parameters-and-secrets/
[3] https://aws.amazon.com/blogs/compute/caching-data-and-configuration-settings-with-aws-lambda-extensions/

Thanks,
Atul

profile picture
IBAtulAnand
answered 6 months ago
profile picture
EXPERT
Gary Mclean
reviewed a month ago
0

Hi Liliane

Since you mention Spring, I guess that you develop in Java.

So, my (opinionated) perspective on your questions:

  • if your Lambda runs only once an hour, Lambda (and other) caches are useless: you'd better fetch directly from AWS SSM Parameter Store. A cache would only bring the risk of incorrect value for no benefit... Access to SSM PS are quite fast: time them in your code to validate.
  • the Lambda Java runtime provides direct access to the AWS SDK: you want to use it. Not using the SDK would mean coding the REST requests against the AWS service endpoints (with SigV4...), which is lots of (complex) work.
  • Additionally, if you use the SDK provided by the Lambda runtime, AWS will update it (bgs, vulnerabilities, etc.) for you at no effort on your side

Including SDK yourself would lock it to a given version, which is not what you necessarily want to do when you start: AWS is happy to do the patching for you.

I hope that I properly understood your questions to be then so direct...

Best,

Didier

profile pictureAWS
EXPERT
Didier_Durand
answered 6 months ago
  • Liliane
    6 months ago

    I do agree with using the extension is a bit of an overkill. However, as we have to set a standard for future cases it is better to separate the retrieval of the secrets by using the extension instead of changing code within the Lambda function. I do thank you for your response as it helped me to make an informed decision. Appreciated.

  • Didier_Durand EXPERT
    6 months ago

    Liliane, you're welcome. My recommendation: don't over engineer at first by designing for cases that may eventually never happen. So, go simple first and sophisticate as really needed. A Lamdba can very easily updated at any point in time (compared to older monoliths(: you'll implement better code when you get more experience on your use case.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content