AWS Parameters and Secrets Lambda Extension Demo Using AWS CDK
🚀 Vu Dao 🚀
Posted on October 30, 2022
Abstract
- The story: AWS launched the AWS Parameters and Secrets Lambda Extension, a convenient way for AWS Lambda users to retrieve parameters from AWS Systems Manager Parameter Store and secrets from AWS Secrets Manager. Lambda customers can use this extension to improve application performance, since it reduces both the latency and the cost of retrieving parameters and secrets.
- What makes you happy? Until now, parameters and secrets were fetched inside the Lambda function process with the AWS SDK or other means, typically on every invocation. With this extension, the values are cached in the execution environment and reused for the lifetime of the Lambda function, which reduces the latency and cost of retrieving them.
- This post uses AWS CDK TypeScript to create a Lambda function URL whose handler reads the SecureString value of a Parameter Store parameter through the extension.
Table Of Contents
- Pre-requisite
- How the Lambda handler gets a Parameter/Secret value through the extension layer
- Dive deep into CDK code
- Deploy and Demo
- Conclusion
🚀 Pre-requisite
- You need slack workspace (free) to create slack incoming-webhooks
- Getting started with AWS CDK
🚀 How the Lambda handler gets a Parameter/Secret value through the extension layer
- To authenticate and authorize Parameter Store requests, the extension uses the same credentials as the Lambda function itself, so the function's execution role needs ssm:GetParameter and, for a SecureString encrypted with a customer managed key, kms:Decrypt on that key. (Reading a secret from Secrets Manager through the same extension needs secretsmanager:GetSecretValue instead.)
- To use the AWS Parameters and Secrets Lambda Extension, we add the extension to the Lambda function as a layer. The layer ARN differs per region; the ARN for each region is listed in the AWS documentation (retrieving-secrets_lambda_ARNs).
- With the above setup, the Lambda handler does not call the AWS API itself. It sends a plain HTTP GET to the extension's local endpoint, and the extension calls GetParameter (and caches the result) on the handler's behalf. The request looks like this:
- Host: localhost
- Port: 2773
- Header: X-Aws-Parameters-Secrets-Token, set to the value of the AWS_SESSION_TOKEN environment variable (the extension rejects requests without it)
- Query string: the parameter name, URL-encoded, as name=..., plus withDecryption=true so a SecureString comes back decrypted
Source code: here we read the SecureString parameter holding the Slack incoming webhook URL. The parameter name reaches the function as an environment variable set by the CDK stack:
SSM_SLACK_WEBHOOK_PRAMETER_NAME='/slack/webhook/url/devops'
import os
import requests

def get_ssm_parameter_store():
    parameter_name = os.getenv('SSM_SLACK_WEBHOOK_PRAMETER_NAME')
    url = 'http://localhost:2773'
    # The extension only answers requests that carry the function's session token.
    header = {'X-Aws-Parameters-Secrets-Token': os.getenv('AWS_SESSION_TOKEN')}
    # URL-encode the whole name, slashes included (safe='' turns '/' into %2F).
    parameter_encode = requests.utils.quote(parameter_name, safe='')
    path = f'systemsmanager/parameters/get?name={parameter_encode}&withDecryption=true'
    res = requests.get(f'{url}/{path}', headers=header, timeout=3)
    if res.status_code == 200:
        data = res.json()
        return data['Parameter']['Value']
    else:
        # Log only the name and status; the value must never end up in CloudWatch.
        print(f"Failed to get SSM parameter store {parameter_name}: HTTP {res.status_code}")
        return None
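As an added example (not the post's code), the following is a standard-library version of the same client that also covers the failure modes a handler meets in practice: a missing AWS_SESSION_TOKEN, a non-200 answer from the extension, and a Secrets Manager secret fetched through the extension's /secretsmanager/get path, which may be a JSON object, a plain string or binary. It uses urllib rather than requests because the Lambda Python runtime does not bundle the third-party requests package, so the snippet above only works if requests is packaged with the function. The helper name get_slack_webhook_url, the sample parameter name and the sample response bodies are assumptions for illustration; the query parameters (name, withDecryption, secretId), the token header and the PARAMETERS_SECRETS_EXTENSION_HTTP_PORT variable are the ones the extension documents.

```python
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request
from typing import Any, Dict, Optional, Tuple

# The extension listens on localhost; the port is configurable through this
# environment variable and defaults to 2773.
EXTENSION_PORT = int(os.getenv("PARAMETERS_SECRETS_EXTENSION_HTTP_PORT", "2773"))
BASE_URL = f"http://localhost:{EXTENSION_PORT}"
TOKEN_HEADER = "X-Aws-Parameters-Secrets-Token"


class ExtensionError(RuntimeError):
    """Raised when the local extension cannot or will not serve the value."""


def _request(path: str, token: Optional[str]) -> Tuple[str, Dict[str, str]]:
    """Build (url, headers) for a GET to the extension's local endpoint."""
    token = os.getenv("AWS_SESSION_TOKEN") if token is None else token
    if not token:
        # Fail closed: the extension refuses requests without the token anyway,
        # and a handler should not quietly fall back to anything else.
        raise ExtensionError("AWS_SESSION_TOKEN is not set; cannot talk to the extension")
    return BASE_URL + path, {TOKEN_HEADER: token}


def parameter_request(name: str, with_decryption: bool = True,
                      token: Optional[str] = None) -> Tuple[str, Dict[str, str]]:
    """Request for /systemsmanager/parameters/get. urlencode() percent-encodes the
    slashes in the parameter name (/a/b -> %2Fa%2Fb)."""
    query = urllib.parse.urlencode({"name": name,
                                    "withDecryption": "true" if with_decryption else "false"})
    return _request(f"/systemsmanager/parameters/get?{query}", token)


def secret_request(secret_id: str, token: Optional[str] = None) -> Tuple[str, Dict[str, str]]:
    """Request for /secretsmanager/get; secret_id may be a name or a full ARN."""
    query = urllib.parse.urlencode({"secretId": secret_id})
    return _request(f"/secretsmanager/get?{query}", token)


def fetch(url: str, headers: Dict[str, str], timeout: float = 3.0) -> Tuple[int, bytes]:
    """Perform the GET and return (status, body), also for HTTP error codes."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()


def parse_parameter_response(status: int, body: bytes) -> str:
    """The body mirrors the SSM GetParameter response: {"Parameter": {"Value": ...}}."""
    if status != 200:
        # The error body names the cause (AccessDenied, ParameterNotFound, ...)
        # and never contains the value, so it is safe to surface in the exception.
        raise ExtensionError(f"extension returned HTTP {status}: {body[:200]!r}")
    return json.loads(body)["Parameter"]["Value"]


def parse_secret_response(status: int, body: bytes) -> Any:
    """The body mirrors GetSecretValue. A JSON-object SecretString is decoded to a
    dict, any other SecretString returned as str, SecretBinary base64-decoded to bytes."""
    if status != 200:
        raise ExtensionError(f"extension returned HTTP {status}: {body[:200]!r}")
    data = json.loads(body)
    if "SecretString" in data:
        secret = data["SecretString"]
        return json.loads(secret) if secret.lstrip().startswith("{") else secret
    return base64.b64decode(data["SecretBinary"])


def get_slack_webhook_url() -> str:
    """Hypothetical helper: the parameter name comes from the env var the post uses."""
    url, headers = parameter_request(os.environ["SSM_SLACK_WEBHOOK_PRAMETER_NAME"])
    return parse_parameter_response(*fetch(url, headers))


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    """Function-URL handler: post ?message=... to the Slack webhook read above."""
    message = (event.get("queryStringParameters") or {}).get("message", "hello")
    webhook = get_slack_webhook_url()  # the URL itself is the secret: never log it
    req = urllib.request.Request(webhook, data=json.dumps({"text": message}).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return {"statusCode": resp.status, "body": json.dumps({"sent": message})}
```

One caveat the post does not mention: the extension caches what it fetches, so a rotated parameter or secret can keep being served from the cache until its entry expires. SSM_PARAMETER_STORE_TTL and SECRETS_MANAGER_TTL (seconds, default 300) bound that window, and PARAMETERS_SECRETS_EXTENSION_CACHE_ENABLED turns caching off entirely; set the TTL to match your rotation window rather than disabling the cache and giving up the latency win.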
🚀 Dive deep into CDK code
- The CDK code is small; it just includes the following resources:
- CMK (customer managed key): used to encrypt the SecureString parameter value
- Lambda role: grants the Lambda basic execution policy plus ssm:GetParameter and kms:Decrypt, with kms:Decrypt restricted to the above CMK only
- Lambda function with a function URL enabled (AuthType: AWS_IAM)
- Source code: main.ts
🚀 Deploy and Demo
- Run cdk deploy and we will have our resources. Note the Lambda function URL in the stack outputs:
✨ hotswapping resources:
✨ Lambda Function 'sin-d1-parameters-secrets-extension-test'
✨ Lambda Function 'sin-d1-parameters-secrets-extension-test' hotswapped!
✅ aws-parameters-secrets-lambda-extension-cdk-dev
✨ Deployment time: 10.76s
Outputs:
aws-parameters-secrets-lambda-extension-cdk-dev.sind1parameterssecretsextensiontesturl = https://5vz5x3mo2aifykigcgnljuwqzy0izsyy.lambda-url.ap-southeast-1.on.aws/
Stack ARN:
arn:aws:cloudformation:ap-southeast-1:123456789012:stack/aws-parameters-secrets-lambda-extension-cdk-dev/cdd50120-52f4-11ed-ad52-06a9bacec754
✨ Total time: 15.56s
The function URL uses the AWS_IAM auth type, so we must sign each HTTP request with AWS Signature Version 4 (SigV4). Here we use the awscurl tool to sign the request and send a HelloCdkServerless Slack message (the credentials behind --profile mfa must be allowed to call lambda:InvokeFunctionUrl on the function):
~ $ awscurl https://5vz5x3mo2aifykigcgnljuwqzy0izsyy.lambda-url.ap-southeast-1.on.aws/?message=HelloCdkServerless --profile mfa --region ap-southeast-1 --service lambda
null
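awscurl hides what the signing step actually does. The following is an added example (not the post's code, and not what awscurl or botocore ship) that signs the same GET against a function URL by hand with only the standard library: it builds the SigV4 canonical request, derives the signing key from the secret key and the date, and returns the headers to send. The access key, secret key, session token, host and timestamp in demo_headers are constructed placeholders; a session token is included because an MFA profile hands out temporary credentials, which must be sent and signed as x-amz-security-token.

```python
import datetime as dt
import hashlib
import hmac
import urllib.parse
import urllib.request
from typing import Dict, Optional, Tuple

ALGORITHM = "AWS4-HMAC-SHA256"


def _uri_encode(value: str, keep_slash: bool = False) -> str:
    """RFC 3986 encoding as SigV4 wants it: only A-Z a-z 0-9 - _ . ~ stay unencoded."""
    return urllib.parse.quote(value, safe="-_.~/" if keep_slash else "-_.~")


def canonical_request(method: str, url: str, headers: Dict[str, str],
                      body: bytes = b"") -> Tuple[str, str]:
    """Return (canonical request, signed-headers list). `headers` must hold every
    header that is to be signed, at least host and x-amz-date."""
    parts = urllib.parse.urlsplit(url)
    canonical_uri = _uri_encode(parts.path or "/", keep_slash=True)
    # Query pairs are decoded, re-encoded and sorted, so '?message=Hello World'
    # and '?message=Hello%20World' produce the same signature.
    pairs = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    canonical_query = "&".join(f"{_uri_encode(k)}={_uri_encode(v)}" for k, v in sorted(pairs))
    # Header names are lower-cased; values trimmed with runs of spaces collapsed.
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(lowered))
    canonical_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    payload_hash = hashlib.sha256(body).hexdigest()  # empty body for a plain GET
    creq = "\n".join([method.upper(), canonical_uri, canonical_query,
                      canonical_headers, signed_headers, payload_hash])
    return creq, signed_headers


def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request").
    The long-term secret never signs anything directly; only this derived key does."""
    def h(key: bytes, msg: str) -> bytes:
        return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()
    k_date = h(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = h(k_date, region)
    k_service = h(k_region, service)
    return h(k_service, "aws4_request")


def sign_request(method: str, url: str, *, access_key: str, secret_key: str,
                 region: str, service: str = "lambda", session_token: Optional[str] = None,
                 body: bytes = b"", now: Optional[dt.datetime] = None) -> Dict[str, str]:
    """Return the headers (including Authorization) for a SigV4-signed request."""
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    headers = {"host": urllib.parse.urlsplit(url).netloc, "x-amz-date": amz_date}
    if session_token:
        # Temporary credentials must send the token; signing it ties the
        # signature to this exact token.
        headers["x-amz-security-token"] = session_token
    creq, signed_headers = canonical_request(method, url, headers, body)
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope,
                                hashlib.sha256(creq.encode("utf-8")).hexdigest()])
    signature = hmac.new(signing_key(secret_key, date_stamp, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def call_function_url(url: str, **creds) -> bytes:
    """Equivalent of `awscurl <url> --service lambda`: sign, send, return the body."""
    req = urllib.request.Request(url, headers=sign_request("GET", url, **creds))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def demo_headers() -> Dict[str, str]:
    """Constructed placeholder credentials, host and timestamp, for a deterministic run."""
    return sign_request(
        "GET", "https://example.lambda-url.ap-southeast-1.on.aws/?message=HelloCdkServerless",
        access_key="AKIDEXAMPLE", secret_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        region="ap-southeast-1", session_token="FwoGZXIvYXdzEXAMPLE",
        now=dt.datetime(2022, 10, 30, 12, 0, 0, tzinfo=dt.timezone.utc))


if __name__ == "__main__":
    for name, value in demo_headers().items():
        print(f"{name}: {value}")
```

Two details matter for a function URL: the service in the credential scope is lambda (hence awscurl's --service lambda), and the query string is part of what is signed, so ?message=... cannot be altered in transit without invalidating the signature, which is exactly why AWS_IAM is preferable to an unauthenticated NONE URL for anything that posts to a webhook.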
🚀 Conclusion
- We now have another option for getting secret values from Parameter Store or Secrets Manager: the AWS Parameters and Secrets Lambda Extension, which also takes the caching out of the handler code.
- Hope this will be of help to someone else, and remember to destroy the stacks after testing:
cdk destroy