How to send cached Secret Manager to RDSDataService
Hello,
We have noticed that our billing regarding the Secret Manager has increased significantly due to the millions of calls made to this service.
Reading the AWS Docs, it looks like it could be solved with ease by implementing the secrets client caching library. https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_cache-python.html
But we can't figure out how to actually get any benefit of it regarding the following scenario:
- Our Aurora RDS Serverless has the WebServer activated.
- We access the Data API through AppSync and Lambda.
- All methods of the client RDSDataService only allow sending the "secretArn" parameter, not a cached one.
Then, how can we take advantage of implementing cache?
It seems to us that we are paying for every single executed SQL.
I hope somebody can help us to solve this issue.
Thank you in advance,
Ignasi
Hi, I understand you have an issue with the increase in your Secret Manager billing and you came across a caching solution which could assist with this. The documentation you shared is for client-side caching and is dependent on the application; for example, if you have a Python application, you can make use of the Python caching guidance [1].
Researching your issue, I came across a Lambda caching solution which may be useful to you: with Lambda, a secret can be cached where the Lambda function needs access to Secrets Manager for reading a secret; the secret can get cached as part of the extension start-up instead of being fetched as part of Lambda's first request [2].
In addition, you may want to consider using AWS IAM to authenticate to your DB instance or cluster instead of Secrets Manager, but it too has limitations [3].
I also advise you to have a look at how Secret Manager is billed for a better understanding of the API calls being made [4]. Lastly, as you mention, it looks like you are being billed per SQL query; you may want to look into these executions and see how they can be narrowed down to only make API calls to Secrets Manager when required or, for example, fetch the secrets first, store them in a temporary location and run your queries from there.
[1] https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_cache-python.html
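The "fetch the secret once and reuse it" approach from the answer above, as an added example that is not part of the original thread: a TTL cache held in module scope so warm Lambda invocations share it, with a single refetch when a rotated secret is rejected. `SecretCache`, `AuthFailed`, `run_with_secret` and the stubbed fetch and query are hypothetical names; the example assumes the function uses the secret value itself rather than passing `secretArn` to the Data API.

```python
import time

class AuthFailed(Exception):
    """Hypothetical error raised when the database rejects the credentials."""

class SecretCache:
    """TTL cache; create it at module scope so warm invocations reuse it."""

    def __init__(self, fetch, ttl_seconds=300.0, clock=time.monotonic):
        # fetch: callable(secret_id) -> secret string. In a real function this
        # would wrap boto3's secretsmanager get_secret_value (assumption).
        self._fetch = fetch
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries = {}   # secret_id -> (value, expires_at)
        self.fetches = 0     # lookups that would reach Secrets Manager

    def get(self, secret_id):
        entry = self._entries.get(secret_id)
        if entry is not None and self._clock() < entry[1]:
            return entry[0]
        self.fetches += 1
        value = self._fetch(secret_id)   # if this raises, nothing is cached
        self._entries[secret_id] = (value, self._clock() + self._ttl)
        return value

    def invalidate(self, secret_id):
        self._entries.pop(secret_id, None)

def run_with_secret(cache, secret_id, action):
    """Run action(secret); on AuthFailed drop the entry and retry once."""
    try:
        return action(cache.get(secret_id))
    except AuthFailed:
        cache.invalidate(secret_id)      # secret was probably rotated
        return action(cache.get(secret_id))

def demo():
    """Constructed scenario: 1000 queries with one rotation midway."""
    store = {"current": "pw-v1"}         # stands in for Secrets Manager
    cache = SecretCache(lambda _id: store["current"], ttl_seconds=3600)
    def query(password):                 # stands in for a database call
        if password != store["current"]:
            raise AuthFailed()
        return "ok"
    ok = 0
    for i in range(1000):
        if i == 500:
            store["current"] = "pw-v2"   # rotation makes the cached value stale
        ok += run_with_secret(cache, "example/db", query) == "ok"
    return cache.fetches, ok
```

In the constructed run, 1000 queries cost two secret lookups: the initial fetch and one refetch after the rotation.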