AWS Parameters and Secrets Lambda Extension behaviour

0

When retrieving secrets using the AWS Parameters and Secrets Lambda Extension, does the cache get invalidated when a secret is rotated?

I can't find a concrete answer in the AWS documentation.

2 Answers
4

Lambda Extensions for Parameter Store and Secrets Manager does not automatically invalidate the cache when a secret is rotated. The extension caches secrets and parameters for the lifetime of the Lambda function container, which is reused across multiple invocations. The cache expiration is tied to the container's lifecycle rather than the secret's lifecycle.

If you need to ensure that your Lambda function retrieves the updated secrets immediately after a rotation, you have a couple of options:

  • Use versioning in your secret names or parameter names, and update your Lambda function code to use the new version when a rotation occurs. This way, the Lambda function will fetch the new version of the secret, bypassing the cached value.
  • Trigger a cold start of your Lambda function by increasing the number of concurrent executions or updating the function configuration. This will cause new containers to be created, and the cache will be invalidated in the new containers. However, this approach might have an impact on your function's performance due to the additional overhead of creating new containers.
Expert
answered a year ago
0

Hello Sedat,

If the value is retained only till the lifetime of the container's lifecycle, what is the purpose of the SECRETS_MANAGER_TTL environment variable in the cache?

answered 8 months ago
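
An added illustration, not part of either answer above and not AWS code: a small model of a secret cache in front of a rotating secret, assuming the cache honors a time-to-live such as the SECRETS_MANAGER_TTL variable named in the reply. All class and function names, the secret values and the 300-second TTL are constructed for the example, and the `bypass` flag stands for fetching the secret without going through the cache.

```python
class AuthError(Exception):
    """Raised when the backend rejects a credential."""

class FakeClock:
    """Deterministic clock so the example runs instantly and offline."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now

class SecretStore:
    """Stand-in for the secret's source of truth; counts upstream fetches."""
    def __init__(self, value):
        self.value, self.fetches = value, 0
    def fetch(self):
        self.fetches += 1
        return self.value

class TtlCache:
    """Hypothetical model of a local secret cache with a time-to-live."""
    def __init__(self, store, ttl, clock):
        self.store, self.ttl, self.clock = store, ttl, clock
        self.value, self.expires = None, 0.0
    def get(self, bypass=False):
        # Refetch on first use, after the TTL lapses, or when the caller bypasses.
        if bypass or self.value is None or self.clock() >= self.expires:
            self.value = self.store.fetch()
            self.expires = self.clock() + self.ttl
        return self.value

def login(store, password):
    """Backend check: only the current secret value is accepted."""
    if password != store.value:
        raise AuthError("credential rejected")
    return "ok"

def login_with_refresh(cache, store):
    """Try the cached secret; on rejection refetch once, bypassing the cache."""
    try:
        return login(store, cache.get()), False
    except AuthError:
        return login(store, cache.get(bypass=True)), True

def demo(ttl=300):  # 300 s is a constructed sample TTL
    clock, store = FakeClock(), SecretStore("pw-v1")  # constructed values
    cache = TtlCache(store, ttl, clock)
    out = {"first": login_with_refresh(cache, store)}
    store.value = "pw-v2"; clock.now += 10             # rotation, 10 s later
    out["stale_after_rotation"] = cache.get()          # cache still holds pw-v1
    out["retry"] = login_with_refresh(cache, store)    # rejected, then refreshed
    store.value = "pw-v3"; clock.now += ttl + 1        # rotate again, TTL lapses
    out["after_ttl"] = cache.get()                     # expiry alone picks up pw-v3
    out["fetches"] = store.fetches
    return out
```

Under this model the stale window after a rotation is bounded by the TTL, and a single refetch on credential rejection closes it earlier without a cold start.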
