How do I configure my Lambda function to use Amazon RDS Proxy to connect to an Amazon RDS database?


I want to configure my AWS Lambda function to use Amazon Relational Database Service (Amazon RDS) Proxy to connect to an Amazon RDS database.

Resolution

Prerequisite: Amazon RDS Proxy must be in the same Amazon Virtual Private Cloud (Amazon VPC) as the Amazon RDS database.

To configure the Lambda function to use Amazon RDS Proxy to connect to an Amazon RDS database, complete the following steps.

Create database credentials in Secrets Manager

Complete the following steps:

  1. Open the AWS Secrets Manager console.
  2. Choose Store a new secret.
  3. For Secret type, select Credentials for RDS database.
  4. Enter the username and password for your RDS DB instance.
  5. For Encryption key, choose the AWS Key Management Service (AWS KMS) key that Secrets Manager uses to encrypt the secret value.
  6. For Database, choose your database, and then choose Next.
  7. For Secret name, enter a name, and then choose Next.
  8. Choose Next, and then choose Store.
  9. In Secrets, select the Secrets Manager secret.
  10. In Secret ARN, note the secret ARN.

For more information, see Create an AWS Secrets Manager secret.

Create an IAM policy and role for Amazon RDS Proxy

Create an AWS Identity and Access Management (IAM) role with permissions to use the secret. Example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:ListSecretVersionIds"
      ],
      "Resource": [
        "[Secret_ARN]"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetRandomPassword",
        "secretsmanager:ListSecrets"
      ],
      "Resource": "*"
    }
  ]
}

Note: Replace Secret_ARN with your secret ARN.

Then, create a trust policy that allows Amazon RDS to assume the role. Example:

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Sid": "",
   "Effect": "Allow",
   "Principal": {
    "Service": "rds.amazonaws.com"
   },
   "Action": "sts:AssumeRole"
  }
 ]
}
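
The following Python check is an added example, not part of the original article or AWS code. It audits the two policy documents above before you attach them to the role: the secret-reading actions must target only your secret ARN, and only rds.amazonaws.com may assume the role. The function names and the sample ARN are assumptions constructed for illustration.

```python
import json

# Actions from the article's first statement: each reads one specific secret.
SECRET_SCOPED = {"secretsmanager:GetResourcePolicy", "secretsmanager:GetSecretValue",
                 "secretsmanager:DescribeSecret", "secretsmanager:ListSecretVersionIds"}
BROAD = {"*", "secretsmanager:*", "secretsmanager:Get*"}  # wildcards covering them

def as_list(value):
    """IAM accepts either a string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]

def audit_proxy_role(permissions_json, trust_json, secret_arn):
    """Return findings; an empty list means the role is scoped as the article shows."""
    findings = []
    for stmt in as_list(json.loads(permissions_json)["Statement"]):
        actions = set(as_list(stmt.get("Action", [])))
        risky = sorted(actions & (SECRET_SCOPED | BROAD))
        if stmt.get("Effect") != "Allow" or not risky:
            continue  # ListSecrets / GetRandomPassword on "*" expose no secret value
        for res in as_list(stmt.get("Resource", [])):
            if "Secret_ARN" in res:
                findings.append(f"placeholder not replaced: {res}")
            elif res != secret_arn:
                findings.append(f"{', '.join(risky)} allowed on {res}")
    for stmt in as_list(json.loads(trust_json)["Statement"]):
        principal = stmt.get("Principal")
        if stmt.get("Effect") == "Allow" and principal not in (
                {"Service": "rds.amazonaws.com"}, {"Service": ["rds.amazonaws.com"]}):
            findings.append(f"role can be assumed by: {json.dumps(principal)}")
    return findings

def article_policy(resource):
    """The article's permissions policy with `resource` in the first statement."""
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": sorted(SECRET_SCOPED), "Resource": [resource]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["secretsmanager:GetRandomPassword", "secretsmanager:ListSecrets"]}]})

def trust_policy(principal):
    """The article's trust policy with a substitutable Principal element."""
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "", "Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}]})

# Constructed sample ARN (placeholder account and name), not a value from the article.
ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:example-db-secret-AbCdEf"
RDS = {"Service": "rds.amazonaws.com"}

if __name__ == "__main__":
    print(audit_proxy_role(article_policy(ARN), trust_policy(RDS), ARN))
    print(audit_proxy_role(article_policy("[Secret_ARN]"), trust_policy(RDS), ARN))
    print(audit_proxy_role(article_policy("*"), trust_policy({"AWS": "*"}), ARN))
```

The check compares resources by exact string match, so a wildcard ARN pattern is reported even if it would cover your secret.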

Create and attach a proxy to a Lambda function

First, create an RDS proxy. Then, complete the following steps to configure your function to connect to the proxy endpoint instead of the database endpoint:

  1. Open the Lambda console.
  2. Choose Functions, and then select your Lambda function.
  3. Choose Configuration, and then choose RDS databases.
  4. Choose Connect to RDS database.
  5. Select your RDS database. Or, select Create a new database, and then configure the following settings:
    For Engine type, select the engine type.
    For DB instance identifier, enter a name for your DB instance.
    For Master username, enter the primary user login ID.
    For VPC, use the default setting. By default, Lambda sets up the RDS database in the same VPC as the function.
  6. Choose the database connection, and then choose Add proxy.
  7. For Existing proxies, select your RDS proxy.
  8. Choose Add.

The proxy connection takes a few minutes to complete. For more information about how to configure an RDS DB instance to use with Lambda, see Configuring your function to work with RDS resources.

(Optional) Verify that your Amazon RDS Proxy uses IAM authentication

If you use the Lambda execution role to authenticate to Amazon RDS Proxy, then complete the following steps:

  1. Open the Amazon RDS console.
  2. In the navigation pane, choose Proxies, and then select your proxy.
  3. Choose Actions, and then choose Modify.
  4. Under Authentication, verify that IAM Authentication is set to Required.

If you experience connection issues, then see Why can't I connect to my Amazon RDS DB or Amazon Aurora DB instance using Amazon RDS Proxy?

For more information, see Using Amazon RDS Proxy with AWS Lambda.

Related information

How do I troubleshoot connection timeout errors from Lambda when trying to access an Amazon RDS DB instance?

How do I configure a Lambda function to connect to an RDS instance?

How do I resolve the "Lambda could not update the function's execution role" error when attaching Amazon RDS Proxy to a Lambda function?

AWS OFFICIAL Updated 6 months ago
3 Comments

Can you please explain how to connect the Lambda function with RDS function using a CloudFormation template?

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS EXPERT
replied a year ago

Comment about "Step 3: Create and attach an RDS proxy to a Lambda function" 3. step: "Choose Configuration, and then choose Add database proxies." There is no such menu in the lambda console at the time of this writing.

replied 8 months ago