I want to make a write to RDS from lambda. As they both are in different accounts, I created a peering connection between them and also created a secret endpoint to access it. I have a non-rotational secret manager endpoint, I have a lambda handler like
LambdaHandler: Type: AWS::Serverless::Function Properties: Handler: 'com.handle.lambda.handler.LambdaHandler::handleInputFeed' Runtime: java8 CodeUri: # Why are we using this instead of BATS::SAM::CodeS3Bucket Bucket: {'Fn::If' : ['UseBatsKey', 'BATS::SAM::CodeS3Bucket', {"Fn::ImportValue" : {Ref: 'DeploymentBucketImportName'}}]} Key: BATS::SAM::CodeS3Key Description: Example lambda that takes an x and y value and returns the result of adding them. Timeout: 20 Role: Fn::GetAtt: [LambdaRole, Arn] VpcConfig: Fn::If: - RunLambdaInVPC - SecurityGroupIds: [{Ref: LambdaSecurityGroup}] SubnetIds: - {'Fn::ImportValue': PrivateSubnet01} - {'Fn::ImportValue': PrivateSubnet02} - {Ref: 'AWS::NoValue'}How the secret endpoint will be used in this handler and how can I refer to the tables via that? As I am new to this any sample code or doc would be helpful. Not able to find.
Advertisement
Answer
You don’t need to do anything1 , if the Lambda function is running inside the VPC with the endpoint accessible. Depending on the kind of Endpoint (Interface or Gateway) there are some DNS-tricks (Private Hosted Zones set up for you by AWS) employed by AWS to make this seem seamless.
Essentially the code doesn’t need to know it’s talking to a VPC endpoint, that’s handled in the background. There are a couple exceptions that have bitten me in the past – see the footnote. If it doesn’t work, make sure the security groups of the endpoint allow connections from the Lambda functions on Port 443.
1: The exception being IAM and other global services, here you should specify a regional endpoint when instantiating the client.