Access Secrets manager through VPC Endpoint

I have my Lambda function in a private subnet of a VPC. I need to access Secrets Manager from my Lambda (Python) function. Can you please provide me a guide on how to create a VPC endpoint for Secrets Manager and how to access the secrets in the Lambda function (Python)? Both the Lambda and Secrets Manager are present in the same AWS account and the same region. Please explain to me if any other simple way exists to access secrets only through the private subnet.

2 Answers
Hi,

You have the full guidance on creating such a VPC endpoint for Secrets Manager here: https://docs.aws.amazon.com/secretsmanager/latest/userguide/vpc-endpoint-overview.html

Then you have a detailed example in https://repost.aws/knowledge-center/lambda-secret-vpc. See in particular the resource EC2VPCEndpoint, which gives you the full definition of the endpoint:

EC2VPCEndpoint:
  Type: "AWS::EC2::VPCEndpoint"
  Properties:
    # Interface endpoint: an ENI with a private IP is placed in each listed subnet
    VpcEndpointType: "Interface"
    VpcId: !GetAtt EC2Subnet.VpcId
    ServiceName: !Sub "com.amazonaws.${AWS::Region}.secretsmanager"
    # Endpoint policy: allows any principal, action and resource through this endpoint;
    # the caller's IAM policy and the secret's resource policy still apply on top of it
    PolicyDocument: |
      {
        "Statement": [
          {
            "Action": "*",
            "Effect": "Allow",
            "Principal": "*",
            "Resource": "*"
          }
        ]
      }
    SubnetIds:
      - !Ref EC2Subnet
    # Private DNS: secretsmanager.<region>.amazonaws.com resolves to the endpoint ENI
    # from inside the VPC, so boto3 needs no endpoint_url override
    PrivateDnsEnabled: true
    # Security group attached to the endpoint ENI: it must allow inbound TCP 443
    # from the Lambda function's security group
    SecurityGroupIds:
      - !Ref EC2SecurityGroup

BTW, as done above, I strongly recommend using CloudFormation for such advanced constructs: you can put all resource definitions (Lambda, endpoint, secret, IAM policies, etc.) in one single YAML file and check its coherency via cfn-lint. That is personally my only way to implement similar use cases: it dramatically raises your efficiency.

Best

Didier

AWS EXPERT, answered 5 months ago
Kallu, EXPERT, reviewed 5 months ago
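Putting the endpoint from Didier's answer together with the Lambda side of the question, as an added example (this is not code from the thread or from the linked knowledge-center article): the Python handler reads the secret with boto3, and two policy documents tighten the path. The account ID, secret ARN, endpoint ID, role ARN and the SECRET_ID environment variable are placeholders. The endpoint policy replaces the Action "*"/Principal "*" one in the CloudFormation snippet above (read actions only, listed secrets only, callers from this account only), and the secret's resource policy denies any GetSecretValue that does not arrive through the endpoint (aws:sourceVpce), which is the standard answer to "only through the private subnet". The boto3 client is created lazily with short timeouts so that a missing endpoint or a security group that drops port 443 fails fast instead of hanging until the Lambda timeout; the fake client at the bottom is a constructed stand-in so the handler can be exercised offline.

```python
"""Lambda secret access through a Secrets Manager interface endpoint (added example)."""
import json
import os
from typing import Any, Dict, List, Optional

# Assumption: the function receives the secret name from its environment.
SECRET_ID = os.environ.get("SECRET_ID", "prod/app/db")
READ_ACTIONS = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]


def endpoint_policy(account_id: str, secret_arns: List[str]) -> Dict[str, Any]:
    """PolicyDocument for the VPC endpoint: only this account, only read actions,
    only the listed secrets. Drop-in for the Action:"*" / Resource:"*" document."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",  # required on endpoint policies; narrowed by the condition
            "Action": READ_ACTIONS,
            "Resource": secret_arns,
            "Condition": {"StringEquals": {"aws:PrincipalAccount": account_id}},
        }],
    }


def secret_resource_policy(role_arn: str, vpce_id: str) -> Dict[str, Any]:
    """Resource policy on the secret: the Lambda role may read it, and any
    GetSecretValue that did not come through the endpoint is denied. Note the
    Deny also hits the console and CLI sessions outside the VPC."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": role_arn},
             "Action": READ_ACTIONS, "Resource": "*"},
            {"Effect": "Deny", "Principal": "*",
             "Action": "secretsmanager:GetSecretValue", "Resource": "*",
             "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}}},
        ],
    }


def policy_is_wide_open(policy: Dict[str, Any]) -> bool:
    """True if an Allow statement grants Action "*" on Resource "*" with no Condition,
    i.e. the shape of the knowledge-center endpoint policy. Run it over the
    PolicyDocument before deploying, next to cfn-lint."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in actions and "*" in resources and not stmt.get("Condition"):
            return True
    return False


def parse_secret(response: Dict[str, Any]) -> Dict[str, Any]:
    """GetSecretValue returns SecretString for text secrets and SecretBinary (bytes)
    for binary ones; JSON-decode when the value is a JSON document."""
    raw = response["SecretString"] if "SecretString" in response \
        else response["SecretBinary"].decode("utf-8")
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return {"value": raw}


def _default_client():
    """Real boto3 client; imported here so the module loads without boto3 installed.
    With PrivateDnsEnabled the default endpoint name resolves to the endpoint ENI."""
    import boto3
    from botocore.config import Config
    cfg = Config(connect_timeout=3, read_timeout=5, retries={"max_attempts": 2})
    return boto3.client("secretsmanager", config=cfg)


def get_secret(secret_id: str, client: Optional[Any] = None) -> Dict[str, Any]:
    client = client or _default_client()
    return parse_secret(client.get_secret_value(SecretId=secret_id))


def lambda_handler(event: Dict[str, Any], context: Any, client: Optional[Any] = None):
    secret = get_secret(event.get("secret_id", SECRET_ID), client)
    # Never return secret material from the handler; report only which keys were read.
    return {"statusCode": 200, "keys": sorted(secret)}


class FakeSecretsManager:
    """Constructed stand-in for the boto3 client (offline use only)."""
    def __init__(self, response: Dict[str, Any]):
        self.response = response

    def get_secret_value(self, SecretId: str) -> Dict[str, Any]:
        return self.response
```

To use it: serialise endpoint_policy(...) with json.dumps and paste it as the PolicyDocument of EC2VPCEndpoint; attach secret_resource_policy(...) with `aws secretsmanager put-resource-policy --secret-id <name> --resource-policy file://policy.json` once the endpoint exists, and keep in mind that from then on the secret can only be read from inside the VPC, so rotation and break-glass access need their own path. The Lambda's execution role still needs secretsmanager:GetSecretValue on the secret; the endpoint and resource policies narrow, they do not grant.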
You can also use an existing pattern (CDK, easier than CloudFormation) in ServerlessLand: https://serverlessland.com/patterns/lambda-secretsmanager-dotnet-cdk

EXPERT, answered 5 months ago
