https://serverless-stack.com/ logo
Join Slack
Powered by
Anyone else using CDK w/ Secrets Manager + RDS + L...
# help
d
Anyone else using CDK w/ Secrets Manager + RDS + Lambda? We just clicked the "rotate secret" button, and discovered that our Lambdas did not see the new secret. I'm stunned. We redeployed and it still didn't update. Today, we use environment variables to give the secrets to our lambas. Does anyone use the AWS SDK to directly fetch secrets from Secrets manager?
f
Hi @Drew, what do the deploy log say?
Do u see something like this for the RDS stack?
Copy code
your-stack-name (no changes)
t
I use the sdk to fetch secrets directly in lambda. I actually even cache them and setInterval to update them every minute or so. Also did some funky stuff with 
deasync
to prevent lambda from being invoked before secrets are fetched. I don't think passing through env vars is recommended as it negates some of the security reasons to use secrets manager in the first place
r
We do the same as @thdxr except we cache as long as lambda is warm. If we need to force an update we would redeploy
d
@Frank ooh, i'll look
@thdxr ++ good idea
@Frank yes, it does say no changes
o
Are you using secrets manager in lambda’s backing API calls? I’ve heard latency on getting secrets can be pretty bad? I guess caching is the only solution
d
Yeah, if we switch to fetching secrets in our Lambdas, then we'll have longer "cold starts" since we'll need to get the secrets before we'll be ready
r
Worth benchmarking before you declare it a problem.
For us it adds about 100ms to a cold start
d
Awesome, that's not too bad. Our cold starts are annoying, but that's a problem for later. 😄
t
I'm actually thinking about using SSM for this instead. More free but need to investigate the exact difference. Problem with secrets manager is you can't fetch multiple in one call afaik. Right now putting everything in one secret
r
I should have said, for clarity, this is for Parameter Store encrypted parameters
a
I’m using SSM but the parameters are fetched during compile/deployment time, so if those changes then I need to re-deploy the lambdas.
So I been investigating and have a new idea in mind.. I’m going to continue using SSM, but going to create a new lambda which can listen EVENTS triggered by the AWS SSM platform, like “key value has changed”. Then when this event is triggered, a lambda is going to be executed and update all the other lambdas.
I don’t want to fetch SSM parameters on runtime due this is going to increase my response time and I want to have quick lambdas.
Also my parameters doesn’t change everyday, we only rotate them once 3 months or something.
This is a “event driven” approach.
d
That’s pretty cool @Adrián Mouly — is there a moment that the service is unavailable while the lambdas are updated?
a
@Drew no it shouldn’t due this is hot swap done by AWS.
I mean, maybe couple of seconds.
I mean, once you rotate the SSM value I mean, the old one might be invalid?
d
Yeah, it probably becomes invalid.
a
I would recommend to do this during maintenance window anyway.
d
The old existing connections would stay open
And yeah, if we do this during low traffic, then it’s pretty mellow
a
Depending which value are you storing… I use this to rotate SQL user/pass.. maybe you can create a new user/pass every time, and delete old one once upgraded.
Oh yeah, open connection would be good to keep them with the approach I just mentioned.
You can create user/pass once in a while, then you keep 2 users, and after migration is done you can delete the old one.
t
Fetching parameters during runtime won't cause your avg response time to be slower, only cold starts. Remember not every invocation results in a cold start. Would recommend fetching on start and caching
r
I agree with @thdxr, this feels like premature optimisation. For us it's an added 90-100ms on a cold start. Also, you say you need to do this in a maintenance window so why add all that complexity when you could just redeploy?
Open in Slack
PreviousNext
Powered by