Please note API Gateway itself doesn't directly access Secret Manager. It's primarily a proxy that routes requests to backend services. To achieve your goal, you can use a Lambda function as a backend service to fetch the secret and return it to API Gateway.
AWS Parameters and Secrets Lambda Extension can retrieve and cache AWS Secrets Manager secrets in Lambda functions. The extension can retrieve both Secrets Manager secrets and Parameter Store parameters. See: Parameter Store integration with Lambda extensions in the AWS Systems Manager User Guide.
I suggest you enable debug logging for the AWS Parameters and Secrets Lambda Extension. By default, the extension logs a minimal amount of information to CloudWatch. To log more details, set the environment variable PARAMETERS_SECRETS_EXTENSION_LOG_LEVEL to debug.
The other answer is good but it leads to a question in return:
Why do this? Why not just call Secrets Manager and get the secret directly? Why add API Gateway to the mix?
Because I don't want to use Client Id and Secret
Ok, so a Lambda function is probably the right way to go. Assuming that your callers/users are authenticated another way to go would be to use Cognito to authenticate the users then vend temporary credentials to the client that are scoped to only access the appropriate secret(s) in Secrets Manager. Using Lambda is conceptually easier if you're already using API Gateway but having the client call Secrets Manager directly is more scalable and potentially less costly.
Using Lambda, I need to use Client Id and Client Secret to fetch secrets, right? Any way to fetch secrets without using Client Id and Client Secret, just like API Gateway?
No, you can assign a role to the Lambda function which has access to the secrets that you specify; then you don't need to manage any credentials for the Lambda function as it is done automatically.
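To tie the two threads together (the first answer's Lambda-plus-extension approach and the last reply's point that the execution role, not a client id/secret, authorizes the read), here is an added example of such a Lambda backend. It is not code from the answerers or from AWS. The route `GET /secrets/{name}`, the `ALLOWED_SECRETS` allow-list and the secret names are constructed for the example; the extension's localhost endpoint, port, `secretId` query parameter and `X-Aws-Parameters-Secrets-Token` header are the documented interface. The `fetch` parameter exists so the handler can be exercised without a running extension.

```python
import json
import os
import urllib.parse
import urllib.request
from typing import Callable, Dict

# Constructed allow-list for this example: the secret names this API may vend,
# each mapped to the single JSON field of that secret that is returned.
# Anything else is refused, so the endpoint is not a generic secret proxy.
ALLOWED_SECRETS: Dict[str, str] = {"demo-api-key": "api_key"}


def fetch_from_extension(secret_id: str) -> dict:
    """Read a secret through the AWS Parameters and Secrets Lambda Extension.

    The extension listens on localhost (port 2773 unless
    PARAMETERS_SECRETS_EXTENSION_HTTP_PORT is set) and authenticates the call
    with the function's own AWS_SESSION_TOKEN. No client id/secret is used;
    the function's execution role decides which secrets may be read.
    """
    port = os.environ.get("PARAMETERS_SECRETS_EXTENSION_HTTP_PORT", "2773")
    url = (
        f"http://localhost:{port}/secretsmanager/get"
        f"?secretId={urllib.parse.quote(secret_id, safe='')}"
    )
    req = urllib.request.Request(
        url,
        headers={"X-Aws-Parameters-Secrets-Token": os.environ["AWS_SESSION_TOKEN"]},
    )
    with urllib.request.urlopen(req, timeout=3) as resp:
        # The body has the same shape as the GetSecretValue API response.
        return json.load(resp)


def _response(status: int, body: dict) -> dict:
    # API Gateway proxy-integration response; no-store keeps the value out of caches.
    return {
        "statusCode": status,
        "headers": {"Content-Type": "application/json", "Cache-Control": "no-store"},
        "body": json.dumps(body),
    }


def handler(event: dict, context=None,
            fetch: Callable[[str], dict] = fetch_from_extension) -> dict:
    """Lambda handler behind a hypothetical API Gateway route GET /secrets/{name}."""
    name = (event.get("pathParameters") or {}).get("name", "")
    field = ALLOWED_SECRETS.get(name)
    if field is None:
        # Unknown or disallowed names are refused before any lookup happens.
        return _response(403, {"error": "secret not permitted"})
    try:
        secret = json.loads(fetch(name)["SecretString"])
        # Return only the agreed field, never the whole secret document.
        return _response(200, {field: secret[field]})
    except Exception:
        # Do not echo the underlying error; it may carry secret material.
        return _response(502, {"error": "secret unavailable"})
```

The execution role only needs `secretsmanager:GetSecretValue` on the specific secret ARNs listed in `ALLOWED_SECRETS`; the API Gateway authorizer in front of the route decides who may call it at all.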