🐾Lambda cache for Secrets Manager and Parameter Store🐾
🤓 Do you use secrets from Secrets Manager or parameters from Parameter Store in your Lambda functions? If you answer yes, do you use Secrets Lambda Extension to cache retrieved values? This post is for the ones who still don’t use it😉
I was surprised to find that not everyone knows and uses this extension, despite it reducing the number of calls made to the services, lowering cost, and improving the speed of the code.
How it works
Secrets Lambda Extension creates a local HTTP server within the Lambda execution environment. Your Lambda function makes HTTP requests to this local endpoint instead of directly calling AWS services. The extension retrieves and caches values from Secrets Manager or Parameter Store, and subsequent requests are served from this local cache until the cached value expires.
Things to consider:
The extension is fully compatible with container-based Lambda functions.
During a cold start, the extension will retrieve values fresh from the source service. This is important to understand for performance optimization.
A TTL-based caching mechanism is used. This means the extension doesn't detect parameter changes and doesn't auto-refresh values before the TTL expires.
How to use
1️⃣ Add Parameters and Secrets Lambda Extension layer
You can add the extension to your Lambda function by specifying the layer ARN. The ARN is unique for each region; for example, for Frankfurt it is arn:aws:lambda:eu-central-1:187925254637:layer:AWS-Parameters-and-Secrets-Lambda-Extension.
2️⃣ Configure cache parameters
You can set environment variables for your Lambda function to modify cache settings. For example, you might adjust the TTL settings with SECRETS_MANAGER_TTL and SSM_PARAMETER_STORE_TTL (values in seconds). The full list of parameters can be found in the documentation.
3️⃣ Replace direct calls to Parameter Store or Secrets Manager
You should replace direct AWS SDK calls with HTTP requests to the local endpoint. Here's a Python example for retrieving a parameter value from Parameter Store:
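import json
import os
import urllib.parse

import urllib3

# Initialize the HTTP client once so warm invocations reuse it
http = urllib3.PoolManager()

def get_secret(parameter_name):
    # URL-encode the name: hierarchical parameter names contain "/"
    name = urllib.parse.quote(parameter_name, safe="")
    url = f"http://localhost:2773/systemsmanager/parameters/get/?name={name}"
    # The extension expects the function's session token in this header
    headers = {"X-Aws-Parameters-Secrets-Token": os.environ.get("AWS_SESSION_TOKEN")}
    response = http.request("GET", url, headers=headers)
    if response.status != 200:
        raise RuntimeError(f"Extension returned HTTP {response.status}")
    # Parse the JSON response
    response_data = json.loads(response.data)
    parameter_value = response_data["Parameter"]["Value"]
    return parameter_value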
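Because the cache is TTL-based, a rotated secret can stay stale in the extension until the TTL expires. The sketch below is an added example (not code from this post or from AWS) that reads a secret through the extension's Secrets Manager endpoint and retries once with a direct SDK call when the credential is rejected; the function names and the use of PermissionError as the rejection signal are assumptions.

```python
import json
import os
import urllib.parse
import urllib.request

# Extension's default port; PARAMETERS_SECRETS_EXTENSION_HTTP_PORT overrides it.
PORT = os.environ.get("PARAMETERS_SECRETS_EXTENSION_HTTP_PORT", "2773")


def extension_url(path, query):
    """Build a local extension URL with the query values URL-encoded."""
    return f"http://localhost:{PORT}{path}?{urllib.parse.urlencode(query)}"


def extension_get(path, query):
    """GET from the extension's local endpoint and return the parsed JSON body."""
    request = urllib.request.Request(
        extension_url(path, query),
        headers={"X-Aws-Parameters-Secrets-Token": os.environ["AWS_SESSION_TOKEN"]},
    )
    with urllib.request.urlopen(request, timeout=2) as response:
        return json.loads(response.read())


def get_secret_cached(secret_id, fetch=extension_get):
    """Read a secret through the extension (may be up to one TTL old)."""
    return fetch("/secretsmanager/get", {"secretId": secret_id})["SecretString"]


def get_secret_direct(secret_id):
    """Bypass the cache with a direct Secrets Manager call."""
    import boto3  # imported lazily: only needed on the fallback path
    client = boto3.client("secretsmanager")
    return client.get_secret_value(SecretId=secret_id)["SecretString"]


def with_rotation_fallback(secret_id, use_secret,
                           cached=get_secret_cached, direct=get_secret_direct):
    """Run use_secret with the cached value; on rejection retry once, uncached.

    Assumption: use_secret raises PermissionError when the downstream system
    rejects the credential (hypothetical signal, adapt to your client library).
    """
    try:
        return use_secret(cached(secret_id))
    except PermissionError:
        # Cached value is probably stale after a rotation: fetch the current one.
        return use_secret(direct(secret_id))
```

The direct call does not refresh the extension's cache, so later invocations in the same execution environment take the fallback path again until the TTL expires.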
Thank you for reading, let’s chat 💬
💬 Have you heard about Parameters and Secrets Lambda Extension?
💬 Any issues while using Parameters and Secrets Lambda Extension?
💬 Are you interested in more posts about Lambda functions tips?
I love hearing from readers 🫶🏻 Please feel free to drop comments, questions, and opinions below👇🏻