# help
d
Is there an example of what information I need to pass from sst.RDS to my lambda to execute a query?
m
this is what I do
```ts
/**
 * Generate a database connection string (DSN).
 */
makeDatabaseUrl() {
  const dbUsername = this.secret?.secretValueFromJson("username")
  const dbPassword = this.secret?.secretValueFromJson("password")

  let url = `postgresql://${dbUsername}:${dbPassword}@${this.clusterEndpoint.hostname}/${this.defaultDatabaseName}`

  if (this.prismaConnectionLimit) url += `?connection_limit=${this.prismaConnectionLimit}`

  return url
}
```
d
I’m assuming this code is in your lambda? How do you extract the username and password from your sst.RDS ?
m
no it’s in CDK, i pass it as an env var to the lambda
I use the prisma ORM which expects a DATABASE_URL string
d
Do you use the sst.RDS construct to create your database?
m
i don’t
f
d
how did I miss this… Thanks
@Frank one thing that is confusing me, with RDS, I can have many tables by cluster right?
a
yep, 1 cluster is 1 db with multiple tables.
d
Is there a need to add other permissions for this to work? I keep getting:
```
AccessDeniedException: 
  User: arn:aws:sts::855659027122:assumed-role/dg-imac-xxx-core-realtimeLogConsumerServiceRoleC-1DSZ9HPI6CZOD/dg-imac-xxx-core-realtimeLogConsumer1BAE76E4-Dm6cPu8HKwSv 
  is not authorized to perform: 
  secretsmanager:GetSecretValue on resource: 
  arn:aws:secretsmanager:eu-central-1:855659027122:secret:AnalyticsRDSClusterSecretB1-WDS1YQ1WIwbO-rkrJNh because no identity-based policy allows the secretsmanager:GetSecretValue action
```
The function that is trying to read from the Database is attached to a Kinesis DataStream consumer
a
this is how you should be using the RDS db in your functions - https://docs.serverless-stack.com/database#aurora-rds This looks like a permission issue to me.
d
Yep, I followed the guide. I’m passing the `clusterArn` and `secretArn` as well as setting the permission to cluster. But still missing `secretsmanager:GetSecretValue`
a
beside the cluster permission grant, could you add ‘secretsmanager’ and check?
d
I added `'secretsmanager:GetSecretValue',` and it works with it
a
Haha, alright, guess the example missed it. 😅
f
Hey @Daniel Gato can I see how you are setting the permission? `secretsmanager:GetSecretValue` should be added automatically.
d
```ts
const modelsStream = new KinesisStream(this, 'ModelsStream');

// ...

modelsStream.addConsumers(this, {
  realtimeLogConsumer: {
    function: {
      handler: 'src/functions/realtimeLog.main',
      environment: {
        ANALYTICS_DATABASE_SECRET_ARN: this.analyticsDatabase.secretArn,
        ANALYTICS_DATABASE_CLUSTER_ARN: this.analyticsDatabase.clusterArn,
        IP_LOOKUP_TABLE_NAME: this.ipLookupTable.tableName,
      },
      permissions: [
        this.analyticsDatabase,
        this.ipLookupTable,
        'secretsmanager:GetSecretValue',
      ],
    },
  },
});
```
f
@Daniel Gato This is fixed in v0.65.4!
d
Awesome, thanks. Will try a bit later today