
What is the best way to securely provide AWS RDS credentials to AWS Lambda functions?

I am creating a CI/CD pipeline using AWS CodePipeline to deploy several lambda functions. Currently I am manually uploading .zip files for the lambda functions which include a configuration.json file that has credentials to access the RDS database.

I have already created a SAM template to deploy the lambda functions via CodePipeline, however, I am unable to think of a solution to provide RDS database credentials to the lambda functions since committing the configuration.json file in the code repository is not an option.

AWS secrets manager is NOT an option for me as it would be very costly due to millions of API calls hitting the lambda functions.

You could use one of the suggestions given by AWS in some of the blueprints. I took this example from the Slack echo notification blueprint, and use it in some of my lambda functions. To encrypt your secrets use the following steps:

  1. Create or use an existing KMS Key - http://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html

  2. Click the "Enable Encryption Helpers" checkbox

  3. Paste <COMMAND_TOKEN> into the kmsEncryptedToken environment variable and click encrypt

Follow these steps to complete the configuration of your command API endpoint

  1. When completing the blueprint configuration select "Open" for security on the "Configure triggers" page.

  2. Enter a name for your execution role in the "Role name" field. Your function's execution role needs kms:Decrypt permissions. We have pre-selected the "KMS decryption permissions" policy template that will automatically add these permissions.

Let me show a simple lambda function written in Python:

Check out this example registration screenshot

import boto3
import json
import logging
import os

from base64 import b64decode
# Python 3 location of parse_qs; the original blueprint targeted Python 2 (urlparse)
from urllib.parse import parse_qs


# The base64 text that the console's encryption helper stored in the variable
ENCRYPTED_EXPECTED_TOKEN = os.environ['kmsEncryptedToken']

# Decrypt once at module load (cold start), not on every invocation.
# The execution role needs kms:Decrypt on the key used by the helper.
kms = boto3.client('kms')
expected_token = kms.decrypt(
    CiphertextBlob=b64decode(ENCRYPTED_EXPECTED_TOKEN)
)['Plaintext'].decode('utf-8')  # Plaintext is bytes in Python 3

logger = logging.getLogger()
logger.setLevel(logging.INFO)

Hope this helps
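The same pattern applied to the question's RDS credentials, as an added example that is not part of the answer above: the environment variable holds a KMS-encrypted JSON blob (host, username, password), it is decrypted once per execution environment and cached in module state, and the decrypted payload is validated before use. A fake KMS client (assumed, not boto3) stands in so the example runs offline; the variable name, the payload shape and the sample values are constructed.

```python
import base64
import json
import os

# Fake KMS client so the example runs offline: "decrypts" by returning the
# ciphertext bytes unchanged and counts decrypt calls.
class FakeKms:
    def __init__(self):
        self.calls = 0
    def decrypt(self, CiphertextBlob, EncryptionContext=None):
        self.calls += 1
        return {"Plaintext": CiphertextBlob}

def encode_fake_ciphertext(payload):
    # Constructed stand-in for the base64 text the console helper writes into the
    # variable; with FakeKms, base64(JSON) plays the role of base64(ciphertext).
    return base64.b64encode(json.dumps(payload).encode()).decode()

FAKE_ENV = {  # constructed sample environment
    "kmsEncryptedDbCreds": encode_fake_ciphertext(
        {"host": "db.example.internal", "username": "app", "password": "s3cr3t"}),
}
_CACHE = {}  # module state survives across invocations of one warm container

def load_db_credentials(kms_client, env, var_name="kmsEncryptedDbCreds",
                        encryption_context=None):
    """Decrypt the JSON credential blob once per execution environment.
    One kms:Decrypt per cold start, not per invocation, is what keeps this cheaper
    than a secrets API call per request. If the ciphertext was created with an
    encryption context, the same context must be passed or the decrypt fails."""
    if var_name in _CACHE:
        return _CACHE[var_name]
    kwargs = {"CiphertextBlob": base64.b64decode(env[var_name])}
    if encryption_context:
        kwargs["EncryptionContext"] = encryption_context
    plaintext = kms_client.decrypt(**kwargs)["Plaintext"]  # bytes in Python 3
    creds = json.loads(plaintext.decode("utf-8"))
    missing = {"host", "username", "password"} - set(creds)
    if missing:
        raise ValueError(f"decrypted payload missing keys: {sorted(missing)}")
    _CACHE[var_name] = creds
    return creds

def handler(event, context, kms_client=None, env=os.environ):
    if kms_client is None:
        import boto3  # real Lambda path; the execution role needs kms:Decrypt
        kms_client = boto3.client("kms")
    creds = load_db_credentials(kms_client, env)
    # Open the RDS connection with creds here; never log or return the password.
    return {"db_host": creds["host"], "db_user": creds["username"]}
```

In a real function the cache means a container that serves thousands of invocations pays for one decrypt, which is the cost argument the question raises against per-request secret lookups.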
