#help

Daniel Gato

02/18/2022, 4:24 PM
Is there an example of what information I need to pass from sst.RDS to my lambda to execute a query?

Mischa Spiegelmock

02/18/2022, 4:34 PM
this is what I do
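  /**
   * Generate a database connection string (DSN).
   */
  makeDatabaseUrl() {
    // secretValueFromJson() returns a CDK token (SecretValue) that
    // CloudFormation resolves at deploy time, not the plaintext at synth time.
    const dbUsername = this.secret?.secretValueFromJson("username")
    const dbPassword = this.secret?.secretValueFromJson("password")

    let url = `postgresql://${dbUsername}:${dbPassword}@${this.clusterEndpoint.hostname}/${this.defaultDatabaseName}`

    // Optional Prisma connection-pool limit, appended as a query parameter.
    if (this.prismaConnectionLimit) url += `?connection_limit=${this.prismaConnectionLimit}`

    return url
  }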

Daniel Gato

02/18/2022, 4:37 PM
I’m assuming this code is in your lambda? How do you extract the username and password from your sst.RDS?

Mischa Spiegelmock

02/18/2022, 4:37 PM
no it’s in CDK, i pass it as an env var to the lambda
I use the prisma ORM which expects a DATABASE_URL string

Daniel Gato

02/18/2022, 4:38 PM
Do you use the sst.RDS construct to create your database?

Mischa Spiegelmock

02/18/2022, 4:39 PM
i don’t

Frank

02/18/2022, 5:03 PM

Daniel Gato

02/18/2022, 5:04 PM
how did I miss this… Thanks
@Frank one thing that is confusing me, with RDS, I can have many tables by cluster right?

Ashishkumar Pandey

02/18/2022, 5:10 PM
yep, 1 cluster is 1 db with multiple tables.

Daniel Gato

02/18/2022, 9:09 PM
Is there a need to add other permissions for this to work? I keep getting:
AccessDeniedException: 
  User: arn:aws:sts::855659027122:assumed-role/dg-imac-xxx-core-realtimeLogConsumerServiceRoleC-1DSZ9HPI6CZOD/dg-imac-xxx-core-realtimeLogConsumer1BAE76E4-Dm6cPu8HKwSv 
  is not authorized to perform: 
  secretsmanager:GetSecretValue on resource: 
  arn:aws:secretsmanager:eu-central-1:855659027122:secret:AnalyticsRDSClusterSecretB1-WDS1YQ1WIwbO-rkrJNh because no identity-based policy allows the secretsmanager:GetSecretValue action
The function that is trying to read from the Database is attached to a Kinesis DataStream consumer

Ashishkumar Pandey

02/18/2022, 9:20 PM
this is how you should be using the RDS db in your functions - https://docs.serverless-stack.com/database#aurora-rds This looks like a permission issue to me.

Daniel Gato

02/18/2022, 9:25 PM
Yep, I followed the guide. I’m passing the clusterArn and secretArn as well as setting the permission to cluster. But still missing secretsmanager:GetSecretValue

Ashishkumar Pandey

02/18/2022, 9:30 PM
beside the cluster permission grant, could you add ‘secretsmanager’ and check?

Daniel Gato

02/18/2022, 9:30 PM
I added 'secretsmanager:GetSecretValue', and it works with it

Ashishkumar Pandey

02/18/2022, 9:31 PM
Haha, alright, guess the example missed it. 😅

Frank

02/18/2022, 10:18 PM
Hey @Daniel Gato can I see how you are setting the permission? secretsmanager:GetSecretValue should be added automatically.

Daniel Gato

02/18/2022, 10:51 PM
const modelsStream = new KinesisStream(this, 'ModelsStream');

// ...

modelsStream.addConsumers(this, {
  realtimeLogConsumer: {
    function: {
      handler: 'src/functions/realtimeLog.main',
      // ARNs the handler needs to reach the cluster and its credentials secret
      environment: {
        ANALYTICS_DATABASE_SECRET_ARN: this.analyticsDatabase.secretArn,
        ANALYTICS_DATABASE_CLUSTER_ARN: this.analyticsDatabase.clusterArn,
        IP_LOOKUP_TABLE_NAME: this.ipLookupTable.tableName,
      },
      permissions: [
        this.analyticsDatabase,
        this.ipLookupTable,
        // Action given as a bare string, so it is not scoped to the cluster's secret ARN
        'secretsmanager:GetSecretValue',
      ],
    },
  },
});

Frank

02/19/2022, 9:04 AM
@Daniel Gato This is fixed in v0.65.4!

Daniel Gato

02/19/2022, 12:08 PM
Awesome, thanks. Will try a bit later today