DEV Community

hayao-k for AWS Community Builders

Posted on • Originally published at hayao-k.dev

How to use AWS Parameters and Secrets Lambda Extension

What is AWS Parameters and Secrets Lambda Extension?

https://aws.amazon.com/jp/about-aws/whats-new/2022/10/aws-parameters-secrets-lambda-extension/

This extension can be used to retrieve parameters from the AWS Systems Manager Parameter Store and secrets from the AWS Secrets Manager.

What makes you happy?

Until now, parameters and secrets were obtained in the Lambda function process using the AWS SDK or other means.

With this extension, these values can be cached and reused during the lifecycle of a Lambda function. This reduces the latency and cost of retrieving parameters and secrets.

Basic usage

Please refer to each documents for details.

https://docs.aws.amazon.com/systems-manager/latest/userguide/ps-integration-lambda-extensions.html

https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_lambda.html

Set Layer of the extension to Lambda function

Lambda Extension is made available by configuring Lambda Layers. In Managed Console, AWS Parameters and Secrets Lambda Extension could be selected in the AWS layer.

Image description

When configuring from the CLI or other means, specify the ARN of the published Layer. A list of ARNs for each region is provided in the documentation.

Write HTTP GET code in the function

Using this Extension eliminates processing in the AWS SDK, but the code to retrieve the value with an HTTP GET request is still required. See the second half of this post for the sample code.

Change IAM policy for execution role

The extension uses the credentials of the IAM role used to execute the Lambda function itself. Therefore, an appropriate IAM policy must be set up to retrieve parameters and secrets. For example, for the Parameter Store, ssm:GetParameter and kms:Decrypt (when using SecureString) are required.

(Optional) Set environment variables for functions

TTL for the cache, log level, etc., can be controlled by setting environment variables for the Lambda function.

Sample Code

This is an example of referencing Amazon Linux 2 AMI public parameters.

Notes are as follows.

  • / in the parameter name must be encoded
  • The extension's local HTTP server port starts at default 2773
    • It can be changed via the environment variable PARAMETERS_SECRETS_EXTENSION_HTTP_PORT
  • Header 'X-Aws-Parameters-Secrets-Token' with AWS_SESSION_TOKEN environment variable must be added
    • If not specified, it will be 401 unauthorized.
const https = require('http');

exports.handler = function(event, context, callback) {

    const options = {
        hostname: 'localhost',
        port: 2773,
        path: '/systemsmanager/parameters/get/?name=%2Faws%2Fservice%2Fami-amazon-linux-latest%2Famzn-ami-hvm-x86_64-gp2',
        headers: {
            'X-Aws-Parameters-Secrets-Token': process.env.AWS_SESSION_TOKEN
        },
        method: 'GET'
    };

    const req = https.request(options, res => {
        res.on('data', d => {
            console.log("Response from cache: "+d);
            return d;
        });
    });

    req.on('error', error => {
        console.error(error);
    });

    req.end();
};
Enter fullscreen mode Exit fullscreen mode

The log of the execution result looks like this You got the parameter values!

[AWS Parameters and Secrets Lambda Extension] 2022/10/19 06:51:08 PARAMETERS_SECRETS_EXTENSION_LOG_LEVEL is not present. Log level set to info.
[AWS Parameters and Secrets Lambda Extension] 2022/10/19 06:51:08 INFO Systems Manager Parameter Store and Secrets Manager Lambda Extension 1.0.94
[AWS Parameters and Secrets Lambda Extension] 2022/10/19 06:51:08 INFO Serving on port 2773
EXTENSION   Name: AWSParametersAndSecretsLambdaExtension    State: Ready    Events: [INVOKE,SHUTDOWN]
START RequestId: bb5bcc53-38cc-42d7-9dc5-xxxxxxxxxxxx Version: $LATEST
[AWS Parameters and Secrets Lambda Extension] 2022/10/19 06:51:08 INFO ready to serve traffic
2022-10-19T06:51:09.247Z    bb5bcc53-38cc-42d7-9dc5-xxxxxxxxxxxx    INFO    Response from cache: {"Parameter":{"ARN":"arn:aws:ssm:ap-northeast-1::parameter/aws/service/ami-amazon-linux-latest/amzn-ami-hvm-x86_64-gp2","DataType":"text","LastModifiedDate":"2022-10-04T17:56:51.889Z","Name":"/aws/service/ami-amazon-linux-latest/amzn-ami-hvm-x86_64-gp2","Selector":null,"SourceResult":null,"Type":"String","Value":"ami-0fb16641312307fa9","Version":49},"ResultMetadata":{}}
END RequestId: bb5bcc53-38cc-42d7-9dc5-xxxxxxxxxxxx
REPORT RequestId: bb5bcc53-38cc-42d7-9dc5-xxxxxxxxxxxx  Duration: 796.05 ms Billed Duration: 797 ms Memory Size: 128 MB Max Memory Used: 76 MB  Init Duration: 324.74 ms
Enter fullscreen mode Exit fullscreen mode

I hope this will be of help to someone else.

Top comments (6)

Collapse
 
farzanajuthi profile image
farzana-juthi

Informative and simply described. :)

Collapse
 
anandkhatri profile image
Anand Khatri

Hi @hayao-k
Thanks for the detail explanation.
I have one question, Can I use this extension across different VPCs? for example: My Lmabda function is in VPC-A and Secret Manager in VPC-B, and to access secret manager I have created VPC endpoint for secret manager service.
So having Lambda and SM in separate VPCs and through the VPC endpoint URL, is it possible with extension?

Your help/input much appreciated.

Collapse
 
hayao_k profile image
hayao-k

Perhaps Lambda Extention cannot specify the DNS name of the VPC Endpoint.
It would be possible by attaching a route 53 private hosted zone to VPC A so that the IP address of VPC Endpoint in VPC B can be name resolved.

Collapse
 
anandkhatri profile image
Anand Khatri

I think we should not attach route 53 and other AWS resource to access secrets and I feel it would be over engineering.

Collapse
 
namm2248 profile image
Namrata

Hey, did you figure it out?

Collapse
 
anandkhatri profile image
Anand Khatri

No Namrata, haven't receive any update/comment on my question.