Complete a 3 Question Survey and Earn a re:Post Badge

Help improve AWS Support Official channel in re:Post and share your experience - complete a quick three-question survey to earn a re:Post badge!

How do I configure my Lambda function to use Amazon RDS Proxy to connect to an Amazon RDS database?

4 minute read

I want to configure my AWS Lambda function to use Amazon Relational Database Service (Amazon RDS) Proxy to connect to an Amazon RDS database.

Resolution

Prerequisites: Amazon RDS Proxy must be in the same Amazon Virtual Private Cloud (Amazon VPC) VPC as the Amazon RDS database.

To configure the Lambda function to use Amazon RDS Proxy to connect to an Amazon RDS database, complete the following steps.

Create database credentials in Secrets Manager

Complete the following steps:

Open the AWS Secrets Manager console.
Choose Store a new secret.
For Secret type, select Credentials for RDS database.
Enter the username and password for your RDS DB instance.
For Encryption key, choose the AWS Key Management Service (AWS KMS) key that Secrets Manager uses to encrypt the secret value.
For Database, choose your database, and then choose Next.
For Secret name, enter a name, and then choose Next.
Choose Next, and then choose Store.
In Secrets, select the Secrets Manager secret.
In Secret ARN, note the secret ARN.

For more information, see Create an AWS Secrets Manager secret.

Create an IAM policy and role for Amazon RDS Proxy

Create an AWS Identity and Access Management (IAM) role with permissions to use the secret. Example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:ListSecretVersionIds"
      ],
      "Resource": [
        "[Secret_ARN]"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetRandomPassword",
        "secretsmanager:ListSecrets"
      ],
      "Resource": "*"
    }
  ]
}

Note: Replace Secret_ARN with your secret ARN.

Then, create a trust policy that allows Amazon RDS to assume the role. Example:

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Sid": "",
   "Effect": "Allow",
   "Principal": {
    "Service": "rds.amazonaws.com"
   },
   "Action": "sts:AssumeRole"
  }
 ]
}

Create and attach a proxy to a Lambda function

First, create an RDS proxy. Then, complete the following steps to configure your function to connect to the proxy endpoint instead of the database endpoint:

Open the Lambda console.
Choose Functions, and then select your Lambda function.
Choose Configuration, and then choose RDS databases.
Choose Connect to RDS database.
Select your RDS database. Or, select Create a new database, and then configure the following settings:
For Engine type, select the engine type.
For DB instance identifier, enter a name for your DB instance.
For Master username, enter the primary user login ID.
For VPC, use the default setting. By default, Lambda sets up the RDS database in the same VPC as the function.
Choose the database connection, and then choose Add proxy.
For Existing proxies, select your RDS proxy.
Choose Add.

The proxy connection takes a few minutes to complete. For more information about how to configure an RDS DB instance to use with Lambda, see Configuring your function to work with RDS resources.

(Optional) Verify that your Amazon RDS Proxy uses IAM authentication

If you use the Lambda execution role to authenticate to Amazon RDS Proxy, then complete the following steps:

Open the Amazon RDS console.
In the navigation pane, choose Proxies, and then select your proxy.
Choose Actions, and then choose Modify.
Under Authentication, verify that IAM Authentication is set to Required.

If you experience connection issues, then see Why can't I connect to my Amazon RDS DB or Amazon Aurora DB instance using Amazon RDS Proxy?

For more information, see Using Amazon RDS Proxy with AWS Lambda.

Related information

How do I troubleshoot connection timeout errors from Lambda when trying to access an Amazon RDS DB instance?

How do I configure a Lambda function to connect to an RDS instance?

How do I resolve the "Lambda could not update the function's execution role" error when attaching Amazon RDS Proxy to a Lambda function?

Topics

Serverless Compute

Relevant content

Which is preferred, Lambda->RDS Proxy->RDS or Lambda->RDS?
Accepted Answer
Toshinori Suzuki
asked 7 months ago
AWS Lambda in Java Cannot Connect to RDS using password: Access Denied Error for User 'admin'
Accepted Answer
rohan
asked a year ago
Evaluating RDS Proxy for Lambda functions performing queries on Aurora RDS Serverless v2 database
Accepted Answer
Michael Lawrence
asked a year ago
Authentication Error while trying to connect to a RDS Proxy from .NET Lambda using IAM Authentication
Sab
asked 5 months ago
Understanding RDS Proxy Database Connection Scaling: Why Are There Too Many Open Connections During Peak Hours?
Missaka
asked 2 months ago
How do I troubleshoot connection timeout errors from Lambda when trying to access an Amazon RDS DB instance?
AWS OFFICIALUpdated 4 years ago
How do I configure a Lambda function to connect to an RDS instance?
AWS OFFICIALUpdated a month ago
How do I use Amazon RDS Proxy to connect to my Amazon RDS for MySQL DB instance or Aurora MySQL-Compatible DB cluster?
AWS OFFICIALUpdated 4 months ago
Why can't I connect to my Amazon RDS DB or Amazon Aurora DB instance using RDS Proxy?
AWS OFFICIALUpdated 2 years ago
Setting up AWS IAM Authentication with Amazon RDS Proxy for Aurora PostgreSQL
EXPERT
nareshrajaram
published 9 months ago