aws secrets manager How to Retrieve Secrets Stored in AWS Secrets Manager with AWS Lambda Using Hands-on Labs

[Whizlabs]

AWS Secrets Manager serves as a centralized and user-friendly solution for effectively handling access to all your secrets within the AWS cloud environment. It simplifies the process of rotating, maintaining, and recovering essential items such as database credentials and API keys throughout their lifecycle. 

A solid grasp of the AWS Secrets Manager concept is a valuable asset on the path to becoming an AWS Certified Developer.

In this blog, you are going to see how to retrieve the secrets that exist in the AWS Service Manager with the help of AWS Lambda in virtual lab settings.

Let’s dive in!

What is a Secret Manager in AWS?

AWS Secrets Manager is a tool that assists in safeguarding confidential information required to access your applications, services, and IT assets. This service makes it simple to regularly change, oversee, and access things like database credentials and API keys securely.

Consider the AWS Secrets Manager example, users and applications can retrieve these secrets using specific APIs, eliminating the necessity of storing sensitive data in plain text within the code. This enhances security and simplifies the management of secret information.

AWS Secrets Manager Pricing

AWS Secrets Manager operates on a pay-as-you-go basis, where your costs are determined by the number of secrets you store and the API calls you make. The service is transparent, with no hidden fees or requirements for long-term commitments. 

Additionally, there is a 30-day AWS Secrets Manager free tier period, which begins when you store your initial secret, allowing you to explore AWS Secrets Manager without any charges. Once the free trial period ends, you will be billed at a rate of $0.40 per secret each month, and $0.05 for every 10,000 API calls.

AWS Secrets Manager Vs Parameter Score

What are AWS Lambda functions?

AWS Lambda is a service for creating applications that eliminates the need to manually set up or oversee servers.

AWS Lambda functions frequently require access to sensitive information like certificates, API keys, or database passwords. It’s crucial to keep these secrets separate from the function code to prevent exposing them in the source code of your application. By using an external secrets manager, you can enhance security and avoid unintentional exposure. 

Secrets managers offer benefits like access control, auditing, and the ability to manage secret rotation. It’s essential not to store secrets in Lambda configuration environment variables, as these can be seen by anyone with access to view the function’s configuration settings.

Architecture Diagram for retrieving secretes in AWS Secrets Manager with AWS Lambda

When Lambda invokes your function for the first time, it creates a runtime environment. First, it runs the function’s initialization code, which includes everything outside of the main handler. 

After that, Lambda executes the function’s handler code, which receives the event payload and processes your application’s logic. For subsequent invocations, Lambda can reuse the same runtime environment.

To access secrets, you have a couple of options. One way is to retrieve the secret during each function invocation from within your handler code. This ensures you always have the most up-to-date secret, but it can lead to longer execution times and higher costs, as you’re making a call to the secret manager every time. There may also be additional costs associated with retrieving secrets from the Secret Manager.

Another approach is to retrieve the secret during the function’s initialization process. This means you fetch the secret once when the runtime environment is set up, and then you can reuse that secret during subsequent invocations, improving cost efficiency and performance.

The Serverless Land pattern example demonstrates how to retrieve a secret during the initialization phase using Node.js and top-level await.

If the secret might change between invocations, make sure your handler can verify the secret’s validity and, if necessary, retrieve the updated secret.

Another method to optimize this process is to use Lambda extensions. These extensions can fetch secrets from Secrets Manager, cache them, and automatically refresh the cache based on a specified time interval. The extension retrieves the secret from Secrets Manager before the initialization process and provides it via a local HTTP endpoint. 

Your function can then get the secret from this local endpoint, which is faster than direct retrieval from Secrets Manager. 

Moreover, you can share the extension among multiple functions, reducing code duplication. The extension takes care of refreshing the cache at the right intervention to ensure that your function always has access to the most recent secret, which enhances reliability.

Guidelines to retrieve secrets stored in AWS Secrets Manager with AWS Lambda

To retrieve the secrets retained in the AWS Secret Manager with the help of AWS Lambda, you can follow these guided instructions:

First, you need to access the Whizlabs Labs library. Click on guided labs on the left side of the lab’s homepage and enter the lab name in the search lab tab.

 

Now, you have found the guided lab for the topic you have entered in the search tab. 

 

By clicking on this lab, you can see the lab overview section. Upon reviewing the lab instructions, you may initiate the lab by selecting the “Start Lab” option located on the right side of the screen.

Tasks involved in this guided lab are as follows:

Task 1: Sign in to the AWS Management Console

Start by accessing the AWS Management Console and set the region to N. Virginia a.You need to ensure that you do not edit or remove the 12-digit Account ID in the AWS Console.

Copy your username and password from the Lab Console, then paste them into the IAM Username and Password fields in the AWS Console. Afterward, click the ‘Sign in’ button.

Task 2: Create a Lambda Function

• Navigate to the Lambda service.
• Create a new Lambda function named “WhizFunction” with the runtime set to Python 3.8.
• Configure the function’s execution role and use the existing role named “Lambda_Secret_Access.”
• Adjust the function’s timeout to 2 minutes.

Adjust the function’s timeout to 2 minutes.

Task 3: Write a Lambda to Hard-code Access Keys

• Develop a Lambda function that creates a DynamoDB table and inserts items. This code will include hard-coded access keys.
• Download the code provided in the lab document.

• Replace the existing code in the Lambda function “WhizFunction” with the code from “Code1” in the downloaded zip file.
• Make sure to change the AWS Access Key and AWS Secret Access Key as instructed in the lab document.
• Deploy the code and configure a test event named “WhizEvent.”

• Run the test to create a DynamoDB table with i followed by configuration of the test event.

Now click on the save button and click the test button to execute the code. The DynamoDB table was created successfully with some data fields.

Task 4: View the DynamoDB Table in the Console

• Access the DynamoDB service by searching service in the top left corner.

• In the “Tables” section, you will find a table named “Whizlabs_stud_table1.”
• You can view the items within the table by selecting the table and clicking “Explore table items.”

Task 5: Write a Lambda Code to Return Table Data

• Modify the Lambda function “WhizFunction” to write code that retrieves data from the DynamoDB table.
• Replace the existing code with the code from “Code2” in the lab document, making the necessary AWS Access Key and AWS Secret Access Key changes.

• Deploy the code and execute a test to enable the Lambda function to return data from the table.

Task 6: Create a Secret Manager to Store Access Keys

• Access AWS Secrets Manager and make sure you are in the N. Virginia Region.
• Create a new secret by specifying it as “Other Type of Secret.”
• Enter the Access Key and Secret Access Key as key-value pairs.

• Choose the default encryption key.
• Name the secret “whizsecret” and proceed with the default settings. Review and store the secret and copy the Secret ARN for later use.

Task 7: Write a Lambda to Create DynamoDB Items Using Secrets Manager

• Modify the Lambda function to create a new DynamoDB table and insert items by retrieving access keys from Secrets Manager.
• Replace the code with the code from “Code3” in the lab document, updating the Secret ARN.

Deploy the code and run a test to create the DynamoDB table and items securely.

Task 8: View the DynamoDB Table in the Console

• Access the DynamoDB service.
• In the “Tables” section, you will find a table named “Whizlabs_stud_table2.”

To view the items, select the table and click “Explore table items.”

Task 9: Write a Lambda Code to View Table Items Using Secrets Manager.

• Modify the Lambda function to write code that fetches table items securely using access and secret keys stored in Secrets Manager.
• Replace the code with the code from “Code4” in the lab document, updating the Secret ARN.
• Deploy the code and execute a test to securely access and view table items.

Task 10: Cleanup AWS Resources

• Finally, you can delete the Lambda function “WhizFunction.”
• Delete both DynamoDB tables created.
• Delete the secret “whizsecret” from AWS Secrets Manager.
• Schedule its deletion with a waiting period of 7 days to ensure cleanup.

Finally, end the lab by signing out from the AWS Management console.

Also Read : Free AWS Developer Associate Exam Questions

FAQs

How much does the AWS Secret Manager parameter store cost?

Parameter Store doesn’t incur any extra costs. However, there is a maximum limit of 10,000 parameters that you can store.

What can be stored in AWS secrets manager?

AWS Secrets Manager serves as a versatile solution for storing and managing a variety of sensitive information. This includes but is not limited to database credentials, application credentials, OAuth tokens, API keys, and various other secrets essential for different aspects of your operations. It’s important to note that several AWS services seamlessly integrate with Secrets Manager to securely handle and utilize these confidential data points throughout their entire lifecycle.

What is the length limit for the AWS secrets manager?

In the Secrets Manager console, data is stored in the form of a JSON structure, consisting of key/value pairs that can be easily parsed by a Lambda rotation function. AWS Secret manager limits range from 1 character to 65536 characters. Also, it’s important to note that the tag key names in Secrets Manager are case-sensitive.

What are the benefits of AWS Secrets Manager?

Secrets Manager provides a secure way to save and oversee your credentials. It makes the process of modifying or rotating your credentials easy, without requiring any complex code or configuration adjustments. Instead of embedding credentials directly in your code or configuration files, you can opt to store them safely using Secrets Manager.

What is the best practice for an AWS secrets manager?

You can adhere to the below listed AWS Secrets Manager best practices to carry out the secret storing in a better way:

• Make sure that the AWS Secrets Manager service applies encryption for data at rest by using Key Management Service (KMS) Customer Master Keys (CMKs). 
• Ensure that automatic rotation is turned on for your Amazon Secrets Manager secrets.
•  Also, confirm that the rotation schedule for Amazon Secrets Manager is set up correctly.

Conclusion

Hope this blog equips you with the knowledge and skills to effectively manage secrets within AWS, ensuring the protection of your critical data.

Following the above AWS Secrets Manager tutorial steps can help to access the sensitive information stored in Secret Manager securely with the usage of AWS Lambda.

You can also opt for AWS Sandbox to play around with the AWS platform.

View the full article