How can I configure my Lambda function to connect to an Amazon RDS database using Amazon RDS Proxy?

4 minute read

I want to configure my AWS Lambda function to connect to an Amazon Relational Database Service (Amazon RDS) database using Amazon RDS Proxy.

Short description

You can create an Amazon RDS Proxy database for your Lambda function. A database proxy manages a pool of database connections and relays queries from a function. This lets a function reach high concurrency levels without exhausting database connections.

For more information, see Configuring database access for a Lambda function.

Resolution

Follow these instructions to configure Amazon RDS Proxy with a Lambda function.

Note: Amazon RDS Proxy must be in the same Amazon Virtual Private Cloud (Amazon VPC) as the Amazon RDS database. Configure the Lambda function with Amazon VPC to access the Amazon RDS Proxy.

Step 1: Create database credentials in AWS Secrets Manager

1. Open the Secrets Manager console, and then choose Store a new secret.

2. For Secret type, choose Credentials for RDS Database.

3. Enter the user name and password for your Amazon RDS database instance.

4. For Encryption key, choose the AWS Key Management Service (AWS KMS) key that Secrets Manager uses to encrypt the secret value**.**

5. For Database, choose your database, and then choose Next.

6. For Secret name, enter a name, choose Next, choose Next again, and then choose Store.

7. In Secrets, choose the Secrets Manager secret that you created.

8. In Secret ARN, copy the ARN to use in another step.

For more information, see Create an AWS Secrets Manager database secret.

Step 2: Create an AWS Identity and Access Management (IAM) policy and role for Amazon RDS Proxy

Create an IAM role with permission to use the secret, and then create a trust policy that allows Amazon RDS to assume the role.

Example IAM Secrets Manager policy

Note: Replace Secret_ARN with the Secrets Manager ARN that you previously copied**.**

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:ListSecretVersionIds"
      ],
      "Resource": [
        "[Secret_ARN]"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetRandomPassword",
        "secretsmanager:ListSecrets"
      ],
      "Resource": "*"
    }
  ]
}

Example IAM RDS trust policy

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Sid": "",
   "Effect": "Allow",
   "Principal": {
    "Service": "rds.amazonaws.com"
   },
   "Action": "sts:AssumeRole"
  }
 ]
}

Step 3: Create and attach an RDS proxy to a Lambda function

1. Open the Functions page in the Lambda console.

2. In Functions, choose your Lambda function.

3. Choose Configuration, and then choose Add database proxies.

4. Enter the following variables:
Proxy identifier: The name of the proxy.
RDS DB instance: A supported MySQL or PostgreSQL DB instance or cluster.
Secret: The Secrets Manager that you created.
IAM role: The IAM role that you created.
Authentication: Choose Password to connect with database credentials or choose Execution role to use the function's IAM credentials for authentication.

5. Choose Add.

The proxy creation takes a few minutes to complete. When the proxy is available, configure your function to connect to the proxy endpoint instead of the database endpoint. For more information, see Creating a database proxy (console).

Step 4: (Optional) Confirm that your Amazon RDS Proxy is using IAM authentication

The following steps are required only if you're using the Lambda execution role to authenticate to Amazon RDS Proxy.

1. Open the Amazon RDS console.

2. In the navigation pane, choose Proxies, and then choose your proxy.

3. Choose Actions, and then choose Modify.

4. In Connectivity module, make sure that IAM Authentication is set to Required.

Note: If you experience connection issues, then see Why can't I connect to my Amazon RDS DB or Amazon Aurora DB instance using RDS Proxy? For more information, see Using Amazon RDS Proxy with AWS Lambda.

Related information

How do I troubleshoot connection timeout errors from Lambda when trying to access an Amazon RDS DB instance?

How do I configure a Lambda function to connect to an RDS instance?

How do I resolve the "Lambda could not update the function's execution role" error when attaching Amazon RDS Proxy to a Lambda function?

Topics

Serverless Compute

Relevant content

Why can't I find my RDS database from my lambda function?
AWS-User-0616660
asked a year ago
Handler error when connecting lambda function to RDS database
AWS-User-0616660
asked a year ago
Connecting to Aurora PostgreSQL RDS database on a private subnet using RDS Proxy
DavidDuBois
asked 7 months ago
next.js on Amplify: how to connect to an RDS database?
nil
asked 3 months ago
Using AWS Lambda with RDS Proxy: Socket Ended Error
fdizdar
asked a year ago
How do I configure a Lambda function to connect to an RDS instance?
AWS OFFICIALUpdated a month ago
How do I connect to my Amazon RDS MySQL DB instance or Aurora MySQL DB cluster using Amazon RDS Proxy?
AWS OFFICIALUpdated 3 years ago
How can I connect to my Amazon RDS DB instance using a bastion host from my Linux/macOS machine?
AWS OFFICIALUpdated a year ago
How can I connect to a private Amazon RDS DB instance from a local machine using an Amazon EC2 instance as a bastion host?
AWS OFFICIALUpdated 2 months ago
Streaming state changes from a relational database
EXPERT
Tasio
published 8 months ago