Skip to content

How to use secret manager endpoint in lambda handler?

I want to make a write to RDS from lambda. As they both are in different accounts, I created a peering connection between them and also created a secret endpoint to access it. I have a non-rotational secret manager endpoint, I have a lambda handler like

    Type: AWS::Serverless::Function
      Handler: 'com.handle.lambda.handler.LambdaHandler::handleInputFeed'
      Runtime: java8
        # Why are we using this instead of BATS::SAM::CodeS3Bucket
        Bucket: {'Fn::If' : ['UseBatsKey', 'BATS::SAM::CodeS3Bucket', {"Fn::ImportValue" : {Ref: 'DeploymentBucketImportName'}}]}
        Key: BATS::SAM::CodeS3Key
      Description: Example lambda that takes an x and y value and returns the result of adding them.
      Timeout: 20
        Fn::GetAtt: [LambdaRole, Arn]
        - RunLambdaInVPC
        - SecurityGroupIds: [{Ref: LambdaSecurityGroup}]
          - {'Fn::ImportValue': PrivateSubnet01}
          - {'Fn::ImportValue': PrivateSubnet02}
        - {Ref: 'AWS::NoValue'}

How the secret endpoint will be used in this handler and how can I refer to the tables via that? As I am new to this any sample code or doc would be helpful. Not able to find.



You don’t need to do anything1 , if the Lambda function is running inside the VPC with the endpoint accessible. Depending on the kind of Endpoint (Interface or Gateway) there are some DNS-tricks (Private Hosted Zones set up for you by AWS) employed by AWS to make this seem seamless.

Essentially the code doesn’t need to know it’s talking to a VPC endpoint, that’s handled in the background. There are a couple exceptions that have bitten me in the past – see the footnote. If it doesn’t work, make sure the security groups of the endpoint allow connections from the Lambda functions on Port 443.

1: The exception being IAM and other global services, here you should specify a regional endpoint when instantiating the client.

User contributions licensed under: CC BY-SA
2 People found this is helpful