How to send cached Secrets Manager to RDSDataService

0

Hello,

We have noticed that our billing regarding Secrets Manager has increased significantly due to the millions of calls made to this service.

Reading the AWS Docs, it looks like it could be solved with ease by implementing the secrets client caching library. https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_cache-python.html

But we can't figure out how to actually get any benefit of it regarding the following scenario:

  • Our Aurora RDS Serverless has the WebServer activated.
  • We access the Data API through AppSync and Lambda.
  • All methods of the RDSDataService client only allow sending the "secretArn" parameter, not a cached one.

Then, how can we take advantage of implementing cache?

It seems to us that we are paying for every single executed SQL.

I hope somebody can help us to solve this issue.

Thank you in advance,

Ignasi

1 Answer
0

Hi, I understand you have an issue with the increase in your Secrets Manager billing and you came across a caching solution which could assist with this. The documentation you shared is client-side caching and dependent on the application; for example, if you have a Python application you can make use of the Python caching guidance [1].

Researching your issue I came across a Lambda caching solution which may be useful to you. With Lambda a secret can be cached where the Lambda function needs access to Secrets Manager for reading a secret; the secret can get cached as part of the extension start-up instead of being fetched as part of Lambda's first request [2].

In addition, you may want to consider using AWS IAM to Authenticate to your DB instance or cluster instead of Secrets Manager, but it too has limitations [3].

I also advise you to have a look at how Secrets Manager is billed for a better understanding of the API calls being made [4]. Lastly, as you mention it looks like you are being billed per SQL query, you may want to look into these executions and see how they can be narrowed down to only make API calls to Secrets Manager when required, or for example fetch the secrets first, store them in a temporary location and run your queries from there.

[1] https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_cache-python.html

[2] https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/cache-secrets-using-aws-lambda-extensions.html

[3] https://docs.amazonaws.cn/en_us/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.html#UsingWithRDS.IAMDBAuth.Limitations

[4] https://aws.amazon.com/secrets-manager/pricing/

Lwazi
answered 2 years ago
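As an added example (not part of Lwazi's answer, and not the AWS client-side caching library from [1] itself), the Python below shows the pattern behind that library and the "fetch the secrets first, store them temporarily" suggestion: a process-local TTL cache sitting in front of a GetSecretValue-shaped client. A constructed in-memory FakeSecretsManager stands in for the boto3 client so the block runs offline, and it counts the calls the backend receives so the cost difference between cached and uncached access is visible; the ARN, the secret contents and the TTL values are assumptions. Note what this does and does not help with: a cache like this only saves calls where your own code ends up holding the secret value (for example to open a direct database connection). A call that passes only a secretArn, as the RDSDataService methods do, never hands the client the secret, so there is nothing on the client side for a cache to short-circuit.

```python
import json
import threading
import time

# Assumed ARN for illustration only; not a real secret.
ARN = "arn:aws:secretsmanager:eu-west-1:123456789012:secret:example/db-creds"


class FakeSecretsManager:
    """Constructed stand-in for a boto3 Secrets Manager client (offline only).

    Every call to get_secret_value here corresponds to one billable
    GetSecretValue API call in the real service, so we count them.
    """

    def __init__(self, secrets):
        self._secrets = secrets
        self.calls = 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        if SecretId not in self._secrets:
            raise KeyError(f"ResourceNotFoundException: {SecretId}")
        return {"ARN": SecretId, "SecretString": self._secrets[SecretId]}


class SecretCache:
    """Process-local TTL cache: at most one fetch per secret per TTL window.

    The TTL bounds how long a rotated secret can keep being used from the
    cache; invalidate() lets callers drop an entry early, e.g. after an
    authentication failure that suggests the secret was rotated.
    """

    def __init__(self, client, ttl_seconds=3600, clock=time.monotonic):
        self._client = client
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries = {}  # arn -> (expires_at, parsed secret dict)
        self._lock = threading.Lock()

    def get(self, arn):
        now = self._clock()
        with self._lock:
            hit = self._entries.get(arn)
            if hit is not None and hit[0] > now:
                return hit[1]
        # Miss or expired: fetch outside the lock, then store.
        resp = self._client.get_secret_value(SecretId=arn)
        value = json.loads(resp["SecretString"])
        with self._lock:
            self._entries[arn] = (now + self._ttl, value)
        return value

    def invalidate(self, arn):
        with self._lock:
            self._entries.pop(arn, None)


def simulate(requests, use_cache, ttl_seconds=3600):
    """Run `requests` credential lookups, one per simulated second.

    Returns the number of backend GetSecretValue calls that were needed.
    """
    backend = FakeSecretsManager(
        {ARN: json.dumps({"username": "app", "password": "constructed-example"})}
    )
    clock = [0.0]  # controllable clock so TTL expiry is deterministic
    cache = SecretCache(backend, ttl_seconds, clock=lambda: clock[0])
    for _ in range(requests):
        if use_cache:
            creds = cache.get(ARN)
        else:
            creds = json.loads(backend.get_secret_value(SecretId=ARN)["SecretString"])
        if creds["username"] != "app":
            raise RuntimeError("unexpected secret contents")
        clock[0] += 1.0
    return backend.calls


if __name__ == "__main__":
    print("uncached:", simulate(1000, use_cache=False))
    print("cached, 1h TTL:", simulate(1000, use_cache=True, ttl_seconds=3600))
    print("cached, 100s TTL:", simulate(1000, use_cache=True, ttl_seconds=100))
```

Pick the TTL against your rotation schedule rather than as large as possible: the cache is what turns one rotation into a window of stale credentials, and the invalidate() path should be wired to the database driver's authentication errors so a rotated secret is re-fetched once instead of being retried from the cache. Never log or return the cached dictionary.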
