Reputation: 773
What is the best way to securely provide AWS RDS credentials to AWS Lambda functions?
I am creating a CI/CD pipeline using AWS codepipeline to deploy several lambda functions. Currently I am manually uploading .zip files for the lambdas functions which include a configuration.json file that has credentials to access the RDS database.
I have already created a SAM template to deploy the lambda functions via codepipeline, however, I am unable to think of a solution to provide RDS database credentials to the lambda functions since commiting the configuration.json file in the code repository is not an option.
AWS secrets manager is NOT an option for me as it would be very costly due to millions of API calls hitting the lambda functions.
Upvotes: 0
Views: 458
Answers (1)
Reputation: 170
You could use one of the suggestion given by AWS on some of the blueprints. This example I take from slack echo notification, and use it in some of my lambda function. To encrypt your secrets use the following steps:
Create or use an existing KMS Key - http://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html
Click the "Enable Encryption Helpers" checkbox
Paste <COMMAND_TOKEN> into the kmsEncryptedToken environment variable and click encrypt
Follow these steps to complete the configuration of your command API endpoint
When completing the blueprint configuration select "Open" for security on the "Configure triggers" page.
Enter a name for your execution role in the "Role name" field. Your function's execution role needs kms:Decrypt permissions. We have pre-selected the "KMS decryption permissions" policy template that will automatically add these permissions.
Let me show a simple lambda function write in python:
Check out this example registration screenshot
import boto3
import json
import logging
import os
from base64 import b64decode
from urlparse import parse_qs
ENCRYPTED_EXPECTED_TOKEN = os.environ['kmsEncryptedToken']
kms = boto3.client('kms')
expected_token = kms.decrypt(CiphertextBlob=b64decode(ENCRYPTED_EXPECTED_TOKEN))['Plaintext']
logger = logging.getLogger()
logger.setLevel(logging.INFO)
Hope this helps
Upvotes: 2
Related Questions
- Storing MySQL credentials in SAM/Lambda
- Allow AWS Lambda to access RDS Database
- Access AWS RDS MySQL database from a Lambda Function without a proxy
- Inject RDS secrets to Python in Lambda
- Connecting AWS Lambda and RDS in different AWS Accounts
- Conecting Lambda function to RDS on AWS
- Securing AWS RDS credentials for Lambda
- Query AWS RDS from Lambda Securely
- How should I pass secrets (RDS password) into my Lambda function created by CloudFormation/SAM?
- What is the Best way to Expose Data from an AWS RDS Mysql DB?