What is AWS Parameters and Secrets Lambda Extension?
https://aws.amazon.com/jp/about-aws/whats-new/2022/10/aws-parameters-secrets-lambda-extension/
This extension can be used to retrieve parameters from the AWS Systems Manager Parameter Store and secrets from the AWS Secrets Manager.
Why is it useful?
Until now, parameters and secrets were obtained in the Lambda function process using the AWS SDK or other means.
With this extension, these values can be cached and reused during the lifecycle of a Lambda function. This reduces the latency and cost of retrieving parameters and secrets.
Basic usage
Please refer to each document for details.
https://docs.aws.amazon.com/systems-manager/latest/userguide/ps-integration-lambda-extensions.html
https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_lambda.html
Set Layer of the extension to Lambda function
The extension is added to a function by configuring a Lambda Layer. In the Management Console, AWS Parameters and Secrets Lambda Extension can be selected from the AWS layers.
When configuring from the CLI or other means, specify the ARN of the published Layer. A list of ARNs for each region is provided in the documentation.
Write HTTP GET code in the function
Using this extension removes the AWS SDK call, but code that retrieves the value with an HTTP GET request to the extension's local endpoint is still required. See the second half of this post for the sample code.
Change IAM policy for execution role
The extension uses the credentials of the IAM role used to execute the Lambda function itself. Therefore, an appropriate IAM policy must be set up to retrieve parameters and secrets. For example, for the Parameter Store, ssm:GetParameter and kms:Decrypt (when using SecureString) are required.
(Optional) Set environment variables for functions
TTL for the cache, log level, etc., can be controlled by setting environment variables for the Lambda function.
Sample Code
This is an example of referencing Amazon Linux 2 AMI public parameters.
Notes are as follows.
- "/" in the parameter name must be URL-encoded
- The extension's local HTTP server listens on port 2773 by default
  - It can be changed via the environment variable PARAMETERS_SECRETS_EXTENSION_HTTP_PORT
- The header 'X-Aws-Parameters-Secrets-Token', set to the value of the AWS_SESSION_TOKEN environment variable, must be added
  - If it is not specified, the response is 401 Unauthorized.
const http = require('http');

exports.handler = function(event, context, callback) {
  const options = {
    hostname: 'localhost',
    port: 2773,
    // "/" in the parameter name is encoded as %2F
    path: '/systemsmanager/parameters/get/?name=%2Faws%2Fservice%2Fami-amazon-linux-latest%2Famzn-ami-hvm-x86_64-gp2',
    headers: {
      // Required: without this token the extension answers 401
      'X-Aws-Parameters-Secrets-Token': process.env.AWS_SESSION_TOKEN
    },
    method: 'GET'
  };
  const req = http.request(options, res => {
    // The body may arrive in several chunks; collect it before parsing
    let body = '';
    res.on('data', d => { body += d; });
    res.on('end', () => {
      console.log("Response from cache: " + body);
      if (res.statusCode !== 200) {
        return callback(new Error('extension returned HTTP ' + res.statusCode));
      }
      callback(null, JSON.parse(body).Parameter.Value);
    });
  });
  req.on('error', error => {
    console.error(error);
    callback(error);
  });
  req.end();
};
The execution log looks like this. You got the parameter value!
[AWS Parameters and Secrets Lambda Extension] 2022/10/19 06:51:08 PARAMETERS_SECRETS_EXTENSION_LOG_LEVEL is not present. Log level set to info.
[AWS Parameters and Secrets Lambda Extension] 2022/10/19 06:51:08 INFO Systems Manager Parameter Store and Secrets Manager Lambda Extension 1.0.94
[AWS Parameters and Secrets Lambda Extension] 2022/10/19 06:51:08 INFO Serving on port 2773
EXTENSION Name: AWSParametersAndSecretsLambdaExtension State: Ready Events: [INVOKE,SHUTDOWN]
START RequestId: bb5bcc53-38cc-42d7-9dc5-xxxxxxxxxxxx Version: $LATEST
[AWS Parameters and Secrets Lambda Extension] 2022/10/19 06:51:08 INFO ready to serve traffic
2022-10-19T06:51:09.247Z bb5bcc53-38cc-42d7-9dc5-xxxxxxxxxxxx INFO Response from cache: {"Parameter":{"ARN":"arn:aws:ssm:ap-northeast-1::parameter/aws/service/ami-amazon-linux-latest/amzn-ami-hvm-x86_64-gp2","DataType":"text","LastModifiedDate":"2022-10-04T17:56:51.889Z","Name":"/aws/service/ami-amazon-linux-latest/amzn-ami-hvm-x86_64-gp2","Selector":null,"SourceResult":null,"Type":"String","Value":"ami-0fb16641312307fa9","Version":49},"ResultMetadata":{}}
END RequestId: bb5bcc53-38cc-42d7-9dc5-xxxxxxxxxxxx
REPORT RequestId: bb5bcc53-38cc-42d7-9dc5-xxxxxxxxxxxx Duration: 796.05 ms Billed Duration: 797 ms Memory Size: 128 MB Max Memory Used: 76 MB Init Duration: 324.74 ms
I hope this will be of help to someone else.
Top comments (6)
Informative and simply described. :)
Hi @hayao-k
Thanks for the detail explanation.
I have one question: can I use this extension across different VPCs? For example: my Lambda function is in VPC-A and Secrets Manager in VPC-B, and to access Secrets Manager I have created a VPC endpoint for the Secrets Manager service.
So having Lambda and SM in separate VPCs and through the VPC endpoint URL, is it possible with extension?
Your help/input much appreciated.
Perhaps the Lambda Extension cannot specify the DNS name of the VPC Endpoint.
It would be possible by attaching a Route 53 private hosted zone to VPC A so that the IP address of the VPC Endpoint in VPC B can be name-resolved.
I think we should not attach Route 53 and other AWS resources to access secrets, and I feel it would be over-engineering.
Hey, did you figure it out?
No Namrata, I haven't received any update/comment on my question.