0
votes

I am creating a CI/CD pipeline using AWS CodePipeline to deploy several lambda functions. Currently I am manually uploading .zip files for the lambda functions which include a configuration.json file that has credentials to access the RDS database.

I have already created a SAM template to deploy the lambda functions via CodePipeline; however, I am unable to think of a solution to provide RDS database credentials to the lambda functions, since committing the configuration.json file in the code repository is not an option.

AWS Secrets Manager is NOT an option for me as it would be very costly due to millions of API calls hitting the lambda functions.

Comments:

- Parameter Store with KMS. - Nghia Do
- Secrets Manager has an additional advantage over Parameter Store which is that it provides credentials rotation features that are compatible with MySQL RDS. - jarmod
- IAM database authentication? - Shadow
- 1) You don't call Secrets Manager for every request, you only call it when you need to establish a connection (and if you're making new connections for every request, you'll quickly find that you have worse problems). - kdgregory
- 2) 1,000,000 calls to Secrets Manager cost $5. If that's truly a financial concern, then you're probably in for a rude awakening with AWS. - kdgregory

1 Answer

2
votes

You could use one of the suggestions given by AWS in some of the blueprints. I took this example from the Slack echo notification blueprint and use it in some of my lambda functions. To encrypt your secrets, use the following steps:

  1. Create or use an existing KMS Key - http://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html

  2. Click the "Enable Encryption Helpers" checkbox

  3. Paste <COMMAND_TOKEN> into the kmsEncryptedToken environment variable and click encrypt

Follow these steps to complete the configuration of your command API endpoint

  1. When completing the blueprint configuration select "Open" for security on the "Configure triggers" page.

  2. Enter a name for your execution role in the "Role name" field. Your function's execution role needs kms:Decrypt permissions. We have pre-selected the "KMS decryption permissions" policy template that will automatically add these permissions.

Let me show a simple lambda function written in Python:


import base64
import hmac
import json
import logging
import os
from urllib.parse import parse_qs  # Python 3; the Python 2 blueprint used `from urlparse import parse_qs`

import boto3

# Base64-encoded KMS ciphertext placed in the environment by the console's encryption helpers
ENCRYPTED_EXPECTED_TOKEN = os.environ['kmsEncryptedToken']

# Decrypt once at cold start; every invocation served by this container reuses the plaintext
kms = boto3.client('kms')
expected_token = kms.decrypt(
    CiphertextBlob=base64.b64decode(ENCRYPTED_EXPECTED_TOKEN)
)['Plaintext'].decode('utf-8')  # Plaintext is bytes under Python 3

logger = logging.getLogger()
logger.setLevel(logging.INFO)


def lambda_handler(event, context):
    # Sketch of the blueprint's check: Slack posts the slash command as a form-encoded body
    params = parse_qs(event.get('body', ''))
    token = params.get('token', [''])[0]
    # Constant-time comparison so the token check does not leak timing information
    if not hmac.compare_digest(token, expected_token):
        logger.error('Request token does not match the expected token')
        return {'statusCode': 403, 'body': json.dumps({'error': 'Invalid request token'})}
    return {'statusCode': 200, 'body': json.dumps({'text': params.get('text', [''])[0]})}

Hope this helps
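The pattern the answer relies on (and the point kdgregory makes in the comments) is that the decrypt happens once per container, not once per request, so the per-call cost of KMS, Parameter Store or Secrets Manager is paid only at cold start. The following is an added example, not code from the question, the answer or the AWS blueprint. It assumes the SAM template sets an environment variable named kmsEncryptedConfig holding the base64 KMS ciphertext of a JSON document with the RDS host, user and password, and that the execution role has kms:Decrypt on the key. A constructed FakeKmsClient stands in for boto3.client('kms') so the example runs offline; in Lambda you would pass the real client, whose decrypt() call has the same shape.

```python
"""Decrypt a KMS-encrypted RDS configuration once per Lambda container and cache it.

Added example (not the page's or AWS's code). Assumptions: env var kmsEncryptedConfig
holds base64 KMS ciphertext of a JSON document {"host", "user", "password"}; the
execution role has kms:Decrypt. FakeKmsClient is a constructed stand-in for
boto3.client('kms') so this runs offline.
"""
import base64
import json
import threading

_lock = threading.Lock()
_cache = {}  # ciphertext (base64) -> decrypted config; lives as long as the container


def load_db_config(env, kms_client):
    """Return the decrypted DB config for env['kmsEncryptedConfig'].

    The KMS call is made only the first time a given ciphertext is seen in this
    container; later invocations are served from the in-memory cache.
    """
    ciphertext_b64 = env['kmsEncryptedConfig']
    with _lock:
        cached = _cache.get(ciphertext_b64)
        if cached is not None:
            return cached
        # One kms:Decrypt per cold start, not per request
        plaintext = kms_client.decrypt(
            CiphertextBlob=base64.b64decode(ciphertext_b64)
        )['Plaintext']
        config = json.loads(plaintext.decode('utf-8'))
        _cache[ciphertext_b64] = config
        return config


class FakeKmsClient:
    """Constructed stand-in for boto3.client('kms'); mimics only the call shape.

    The toy 'encryption' just reverses the bytes. It exists so the example can
    count decrypt calls offline; it provides no confidentiality.
    """

    def __init__(self):
        self.decrypt_calls = 0

    def encrypt(self, KeyId, Plaintext):
        return {'CiphertextBlob': Plaintext[::-1]}

    def decrypt(self, CiphertextBlob):
        self.decrypt_calls += 1
        return {'Plaintext': CiphertextBlob[::-1]}


def build_env(kms_client, config):
    """What the deploy step does: encrypt the JSON config and base64 it into the env var."""
    blob = kms_client.encrypt(
        KeyId='alias/placeholder-key',  # placeholder; use your real key id or alias
        Plaintext=json.dumps(config).encode('utf-8'),
    )['CiphertextBlob']
    return {'kmsEncryptedConfig': base64.b64encode(blob).decode('ascii')}


def simulate_invocations(n=1000):
    """Run n handler invocations inside one container.

    Returns (decrypted config, number of KMS decrypt calls made), which shows
    that the KMS cost does not scale with the number of invocations.
    """
    kms = FakeKmsClient()
    env = build_env(kms, {
        'host': 'db.internal.example',   # constructed sample values
        'user': 'app',
        'password': 'constructed-sample-password',
    })
    config = None
    for _ in range(n):
        config = load_db_config(env, kms)
    return config, kms.decrypt_calls


if __name__ == '__main__':
    cfg, calls = simulate_invocations(1000)
    print('user=%s host=%s, KMS decrypt calls=%d' % (cfg['user'], cfg['host'], calls))
```

The cache is keyed on the ciphertext rather than on a fixed name, so redeploying with a new encrypted value (a rotated password, for instance) causes exactly one fresh decrypt in each container that sees it. The same shape works for the Parameter Store suggestion from the comments: replace the kms.decrypt call with ssm.get_parameter(Name=..., WithDecryption=True) and keep the module-level cache.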