Alternative to Secrets Manager for Signature #291

Closed
dashford opened this issue Jul 7, 2021 · 5 comments
@dashford

dashford commented Jul 7, 2021

What is your question?

After deploying the image handler into one of our production environments we've noticed a large increase in Secrets Manager costs. We're wondering whether it's feasible to have an alternative where the signature is retrieved from the Lambda's environment rather than from Secrets Manager directly as this would eliminate that cost increase.

I'd be happy to put a PR in place for that, I'm asking here just to check if that would be an acceptable submission?

@dashford
Author

dashford commented Jul 8, 2021

Specifically we're thinking about two options:

  1. Move the secret fetching into global scope so that the value is retained between executions (following optimization tasks listed here). The knock-on effect here is that the Lambda would no longer fetch the updated secret as soon as it's changed but maybe this is acceptable?

  2. Use a dynamic reference in the CloudFormation template so that the secret is fetched from Secrets Manager at deploy time. A change of secret would require a re-deploy of the stack with an updated version ID.

Ideally these changes would be opt-in when a secret is chosen by the user so the considerations of changing the secret are known to the end user.

Let me know if either of these changes would be palatable for the team and we can look into them further.
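
The following is an added example, not code from the project or from anyone in this thread, sketching option 1 with the staleness trade-off handled: the secret is cached in module scope with a TTL, and a signature mismatch triggers a rate-limited refetch so a rotated secret is picked up without a Secrets Manager call per request. All function names, the injected `fetchSecret` stand-in for the Secrets Manager call, and the hex HMAC-SHA256-over-path signature scheme are assumptions.

```javascript
// Added example; all names are hypothetical, not the project's code.
const { createHmac, timingSafeEqual } = require('node:crypto');

// Assumed scheme: hex HMAC-SHA256 of the request path.
function sign(secret, path) {
  return createHmac('sha256', secret).update(path).digest('hex');
}

function signatureMatches(secret, path, signatureHex) {
  // Reject anything that is not exactly 32 bytes of hex before comparing.
  if (typeof signatureHex !== 'string' || !/^[0-9a-f]{64}$/i.test(signatureHex)) return false;
  const expected = Buffer.from(sign(secret, path), 'hex');
  return timingSafeEqual(Buffer.from(signatureHex, 'hex'), expected);
}

// fetchSecret stands in for the Secrets Manager call (billed per request).
function createSecretCache(fetchSecret, now = Date.now) {
  let value = null, fetchedAt = 0, inFlight = null;
  return async function getSecret(maxAgeMs) {
    if (value !== null && now() - fetchedAt < maxAgeMs) return value;
    if (!inFlight) { // concurrent callers share one fetch
      inFlight = Promise.resolve().then(fetchSecret)
        .then((v) => { value = v; fetchedAt = now(); return v; })
        .finally(() => { inFlight = null; });
    }
    return inFlight;
  };
}

// Call once at module scope so the cache survives warm invocations.
function createVerifier(fetchSecret, { ttlMs, minRefreshMs }, now = Date.now) {
  const getSecret = createSecretCache(fetchSecret, now);
  return async function verify(path, signatureHex) {
    const cached = await getSecret(ttlMs);
    if (signatureMatches(cached, path, signatureHex)) return true;
    // Mismatch may mean the secret was rotated. Refetch, but only if the
    // cached copy is older than minRefreshMs, so a stream of bad signatures
    // cannot turn into one Secrets Manager call per request.
    const latest = await getSecret(minRefreshMs);
    return latest !== cached && signatureMatches(latest, path, signatureHex);
  };
}
```

With this shape, the number of secret fetches per warm container is bounded by elapsed time divided by `minRefreshMs`, regardless of request volume or how many requests carry invalid signatures.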

@beomseoklee
Member

@dashford thanks for your feedback. We'll put this one into our backlog.
Meanwhile, may I know how many requests you're making in a month?

@dashford
Author

Hi @beomseoklee, thanks for responding. We're in the middle of moving over traffic to the image handler so approximately only 30% of image requests are going to the handler, the rest is still going to our previous solution.

Looking back over the last 30 days, CloudWatch is telling us we've made 54,031,008 requests to Secrets Manager.

@dashford
Author

Hi @beomseoklee, do you have an update on this issue or its progress in your backlog? We should be able to provide a PR if that would speed up the fix?

@fisenkodv
Contributor

@dashford we have updated our solution, the issue has been fixed. If you still see the issue with the latest version (v6.0.0), please feel free to reopen the issue.

You can refer to the recent changes here.
