
(lambda): Make it easy to use "AWS Parameters and Secrets Lambda Extension" with Lambda Functions #23187

blimmer opened this issue Nov 30, 2022 · 6 comments · Fixed by #25725 or #25928
Labels: @aws-cdk/aws-lambda, effort/medium, feature-request, in-progress, p1

Comments

blimmer commented Nov 30, 2022

Describe the feature

The AWS Parameters and Secrets Lambda Extension is a great way to securely fetch Secrets Manager Secrets from Lambda functions. Today, I have to reference the documentation and hard-code the Layer ARN from this table to add the layer to my function.

It would be nice if there were a convenience method that automatically determined the proper ARN for the Lambda's architecture and deployment region. It would also be great if the available configuration environment variables were able to be set via CDK.

Use Case

A common pattern for exposing Secrets Manager secrets to Lambda functions is by setting them as environment variables. However, this is insecure because the variable is set in plain text in the console. Additionally, updates to the secret outside of CloudFormation do not update the environment variable. Recent versions of CDK warn you about this, requiring an explicit call to unsafeUnwrap on the Secret.

One way to work around this issue is to call the Secrets Manager API (e.g. via aws-sdk) in your Lambda function. However, this can get expensive because it results in a lot of retrievals of secret values. You then have to implement your own caching behavior if you want to reduce cost.

The AWS Parameters and Secrets Lambda Extension solves both of these problems. The secret is fetched at runtime and it handles caching for you automatically.

Proposed Solution

```typescript
const myFunc = new lambda.Function(this, 'Function', {
  // existing parameters
});
myFunc.attachParametersAndSecretsExtension();
```

Then, the logic for the function would look something like (pseudocode):

```typescript
import { constantCase } from 'change-case'; // assumed helper: camelCase -> CONSTANT_CASE
import { ILayerVersion, LayerVersion } from 'aws-cdk-lib/aws-lambda';

interface ParametersAndSecretsExtensionConfig {
  parametersSecretsExtensionCacheEnabled?: boolean;
  parametersSecretsExtensionCacheSize?: number;
  // and the rest of the config properties from: https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_lambda.html#retrieving-secrets_lambda_env-var
}

class Function {
  // existing logic

  attachParametersAndSecretsExtension(config: ParametersAndSecretsExtensionConfig = {}) {
    // call the lookup and add its result (not the method reference) as a layer
    this.addLayers(this.getParametersAndSecretsExtensionLayer());

    for (const [configKey, value] of Object.entries(config)) {
      if (value === undefined) { continue; }
      // e.g. parametersSecretsExtensionCacheEnabled -> PARAMETERS_SECRETS_EXTENSION_CACHE_ENABLED
      this.addEnvironment(constantCase(configKey), String(value));
    }
  }

  private getParametersAndSecretsExtensionLayer(): ILayerVersion {
    // logic similar to https://github.com/aws/aws-cdk/blob/f2855dc12b1ff2c1a24f6fbd9de20d9b7079127a/packages/@aws-cdk/region-info/build-tools/fact-tables.ts#L244
    // it returns the proper layer ARN for the region and architecture of the lambda
    // (lookupArnFromFactTable is a placeholder for that lookup, not an existing helper)
    const layerArn = lookupArnFromFactTable(this.architecture);

    // fromLayerVersionArn takes a scope and a construct id in addition to the ARN
    return LayerVersion.fromLayerVersionArn(this, 'ParametersAndSecretsExtension', layerArn);
  }
}
```

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.53.0

Environment details (OS name and version, etc.)

MacOS, TypeScript
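
The runtime side of the pattern the Use Case describes, as an added example that is not code from the issue, from the extension or from the CDK project: the handler reads a secret and a parameter from the extension's local HTTP endpoint (default port 2773, paths /secretsmanager/get and /systemsmanager/parameters/get, caller authenticated with the X-Aws-Parameters-Secrets-Token header carrying the function's AWS_SESSION_TOKEN, as in the AWS documentation) and parses the GetSecretValue- and GetParameter-shaped bodies. Because the extension is a separate process, the example ships a constructed stand-in, FakeExtension, with made-up secret and parameter values; that a wrong token is answered with HTTP 401 is an assumption of the stand-in, chosen because the token check is the one thing it must enforce.

```python
"""Read secrets and parameters through the extension's local HTTP endpoint."""
import json
import os
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, quote, urlparse

DEFAULT_PORT = 2773  # default of PARAMETERS_SECRETS_EXTENSION_HTTP_PORT
TOKEN_HEADER = "X-Aws-Parameters-Secrets-Token"
# Talk to localhost directly even if the environment sets http_proxy.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def extension_url(path, port, **query):
    """Endpoint URL; values are percent-encoded so a secret ARN (':' and '/') survives."""
    qs = "&".join(f"{k}={quote(str(v), safe='')}" for k, v in query.items())
    return f"http://localhost:{port}/{path}?{qs}"


def _call_extension(path, port, session_token, **query):
    # The extension authenticates callers with the function's own AWS_SESSION_TOKEN,
    # so a process that merely knows the port cannot read the cache.
    port = port or int(os.environ.get("PARAMETERS_SECRETS_EXTENSION_HTTP_PORT", DEFAULT_PORT))
    token = session_token or os.environ["AWS_SESSION_TOKEN"]
    req = urllib.request.Request(extension_url(path, port, **query), headers={TOKEN_HEADER: token})
    with _OPENER.open(req, timeout=2) as resp:
        return json.load(resp)


def get_secret(secret_id, port=None, session_token=None):
    """SecretString of a Secrets Manager secret; the body mirrors GetSecretValue."""
    return _call_extension("secretsmanager/get", port, session_token, secretId=secret_id)["SecretString"]


def get_parameter(name, port=None, session_token=None, with_decryption=True):
    """Value of an SSM parameter; the body mirrors GetParameter."""
    body = _call_extension("systemsmanager/parameters/get", port, session_token,
                           name=name, withDecryption=str(with_decryption).lower())
    return body["Parameter"]["Value"]


class FakeExtension(BaseHTTPRequestHandler):
    """Constructed offline stand-in: enforces the token header and serves canned
    responses. It is not the real extension and does not model its cache."""
    token = "constructed-session-token"
    secrets = {"prod/db/password": "hunter2"}
    parameters = {"/prod/api/key": "k-0123"}

    def do_GET(self):
        if self.headers.get(TOKEN_HEADER) != self.token:
            self.send_error(401)  # assumption: the real extension refuses a bad token
            return
        parsed = urlparse(self.path)
        q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
        if parsed.path == "/secretsmanager/get" and q.get("secretId") in self.secrets:
            body = {"Name": q["secretId"], "SecretString": self.secrets[q["secretId"]],
                    "VersionStages": ["AWSCURRENT"]}
        elif parsed.path == "/systemsmanager/parameters/get" and q.get("name") in self.parameters:
            body = {"Parameter": {"Name": q["name"], "Type": "SecureString",
                                  "Value": self.parameters[q["name"]]}}
        else:
            self.send_error(404)
            return
        data = json.dumps(body).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo():
    """Handler code against the fake: a secret read, a parameter read, and a
    wrong-token read, which the extension must reject (expected HTTP 401)."""
    server = HTTPServer(("127.0.0.1", 0), FakeExtension)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        secret = get_secret("prod/db/password", port, FakeExtension.token)
        param = get_parameter("/prod/api/key", port, FakeExtension.token)
        try:
            get_secret("prod/db/password", port, "not-the-session-token")
            denied = None
        except urllib.error.HTTPError as err:
            denied = err.code
        return secret, param, denied
    finally:
        server.shutdown()
        server.server_close()
```

Call demo() to run it locally. In a real function drop the fake and call get_secret or get_parameter from the handler, leaving port and token to the environment; the extension caches on the function's behalf, so the handler carries no cache of its own, which is the cost argument the Use Case makes.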

@blimmer blimmer added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Nov 30, 2022
@github-actions github-actions bot added the @aws-cdk/aws-lambda Related to AWS Lambda label Nov 30, 2022
@peterwoodworth

Thanks for this feature request @blimmer, this would be an excellent feature for us to support!

I am marking this issue as p2, which means that we are unable to work on this immediately.

We use +1s to help prioritize our work, and are happy to re-evaluate this issue based on community feedback. You can reach out to the cdk.dev community on Slack to solicit support for reprioritization.

Check out our contributing guide if you're interested in contributing yourself - I'd love to see what you come up with 🙂

@peterwoodworth peterwoodworth added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Dec 5, 2022
@watany-dev

I want this feature so I will work on this.

@github-actions github-actions bot added p1 and removed p2 labels Apr 23, 2023
@github-actions

This issue has received a significant amount of attention so we are automatically upgrading its priority. A member of the community will see the re-prioritization and provide an update on the issue.

@colifran colifran self-assigned this May 19, 2023
@colifran colifran added the in-progress This issue is being actively worked on. label May 21, 2023
@mergify mergify bot closed this as completed in 7a74513 Jun 8, 2023
@mrgrain mrgrain reopened this Jun 9, 2023

mrgrain commented Jun 9, 2023

#25725 has to be reverted.

@mergify mergify bot closed this as completed in #25928 Jun 12, 2023
mergify bot pushed a commit that referenced this issue Jun 12, 2023
…n for Lambda (#25928)

This PR provides support for the AWS Parameters and Secrets Extension for Lambda functions. This extension will allow users to retrieve and cache AWS Secrets Manager secrets and AWS Parameter Store parameters in Lambda functions without using an SDK.

Note: Previous PR results in the go build breaking. This removed the circular dependency causing the go build to break:

```
[jsii-pacmak] [INFO] Found 1 modules to package
[jsii-pacmak] [INFO] Packaging NPM bundles
[jsii-pacmak] [INFO] Loading jsii assemblies and translations
[jsii-pacmak] [INFO] Packaging 'go' for aws-cdk-lib
[jsii-pacmak] [INFO] go finished
[jsii-pacmak] [INFO] Packaged. go (54.9s) | npm pack (5.4s) | load jsii (0.5s) | cleanup (0.0s)
```

Closes #23187

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

@WilliamTepet
WilliamTepet commented Oct 2, 2024

Currently this feature works like a charm, however, it does not support Cross Account SSM parameter retrieval, could that be supported any time soon?
