The Cloud Guru
Using Secrets Manager to Authenticate with an RDS Database Using Lambda

by Team TCG
November 28, 2022
in AWS, HOW To's, Security

Introduction

AWS Secrets Manager helps you protect the secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. In this lab, we connect to a MySQL RDS database from an AWS Lambda function using a username and password, and then we hand over credential management to the AWS Secrets Manager service. We then use the Secrets Manager API to connect to the database instead of hard-coding credentials in our Lambda function. By the end of this lab, you will understand how to store a secret in AWS Secrets Manager and access it from a Lambda function.

Solution

Log in to the live AWS environment using the credentials provided. Use an incognito or private browser window to ensure you’re using the lab account rather than your own.

Make sure you’re in the N. Virginia (us-east-1) region throughout the lab.

Download the MySQL Library ZIP file you’ll need for the first lab objective.

Create Lambda Function

  1. Navigate to Lambda > Functions.
  2. Click Create function.
  3. Make sure the Author from scratch option at the top is selected, and then use the following settings:
    • Function name: Enter testRDS.
    • Runtime: Select Node.js 14.x.
  4. Expand Advanced settings, and set the following values:
    • Enable VPC: Check the box.
    • VPC: Select the lab-provided VPC.
    • Subnets: Enter Public and select the two subnets that have Public in their name/ID.
    • Security groups: Select the lab-provided Database-Security-Group security group (not the default security group).
  5. Click Create function.
    • It may take 5–10 minutes to finish creating.
  6. Click the Configuration tab.
  7. Click Edit.
  8. Under Timeout, change it to 6 seconds.
  9. Click Save.
  10. In the left-hand menu, click Layers.
  11. Click Create layer.
  12. Set the following values:
    • Name: Enter mysql.
    • Upload a .zip file: Click Upload and upload the MySQL Library ZIP file you downloaded earlier.
    • Compatible runtimes: Node.js 14.x
  13. Click Create.
  14. Click Functions in the left-hand menu.
  15. Click your testRDS function.
  16. In the Function overview section, click Layers under testRDS.
  17. In the Layers section, click Add a layer.
  18. Select Custom layers, and set the following values:
    • Custom layers: Select mysql.
    • Version: Select 1.
  19. Click Add.

Copy Code into Lambda Function

  1. In the Code source section, expand testRDS > index.js.
  2. Select the existing code in the index.js tab and replace it with the following:

      var mysql = require('mysql');

      exports.handler = (event, context, callback) => {

          var connection = mysql.createConnection({
              host: "<RDS Endpoint>",
              user: "username",
              password: "password", // hard-coded here; moved into Secrets Manager later in the lab
              database: "example",
          });

          connection.query('show tables', function (error, results, fields) {
              if (error) {
                  // Close the socket and report the failure to Lambda.
                  connection.destroy();
                  callback(error);
              } else {
                  // connected!
                  console.log("Query result:");
                  console.log(results);
                  // Close the connection, then return the result exactly once.
                  connection.end(function (err) { callback(err, results); });
              }
          });
      };

  3. In a new browser tab, navigate to RDS > DB Instances.
  4. Click the listed database.
  5. Copy the endpoint (in the Connectivity & security section) and paste it into a plaintext file (you’ll need it a couple times during the lab).
  6. Back in the Lambda function code, replace <RDS Endpoint> on line 6 with the endpoint you just copied.
  7. Click Deploy.
  8. Click Test.
  9. In the Configure test event dialog, enter an Event name of test.
  10. Click Save.
  11. Click Test again.
    • The Response should only be two square brackets, which is correct since we don’t have any tables defined in this database.
  12. Click the index.js tab.
  13. Replace line 12 with the following:

      connection.query('CREATE TABLE pet (name VARCHAR(20), species VARCHAR(20))', function (error, results, fields) {

  14. Click Deploy.
  15. Click Test.
    • This time, the Response should have information within curly brackets.
  16. Click the index.js tab.
  17. Undo the code change (Ctrl+Z or Cmd+Z) to get it back to the original code we pasted in.
  18. Click Deploy.
  19. Click Test.
    • This time, we should see the pet table listed in the Response.

Create a Secret in Secrets Manager

  1. In a new browser tab, navigate to Secrets Manager.
  2. Click Store a new secret.
  3. With Credentials for Amazon RDS database selected, set the following values:
    • User name: Enter username.
    • Password: Enter password.
    • Encryption key: Leave as the default.
    • Database: Select the listed DB instance.
  4. Click Next.
  5. On the next page, give it a Secret name of RDScredentials.
  6. Leave the rest of the defaults, and click Next.
  7. On the next page, set the following values:
    • Automatic rotation: Toggle to enable it.
    • Schedule expression builder: Select.
    • Time unit: Change it to Days, 1.
    • Create a rotation function: Select.
    • SecretsManager: Enter rotateRDS.
    • Use separate credentials to rotate this secret: Select No.
  8. Click Next.
  9. In the Sample code section, ensure the region is set to us-east-1.
  10. Click Store.
    • It may take 5–10 minutes to finish the configuration.
  11. Once it’s done, click RDScredentials.
  12. In the Secret value section, click Retrieve secret value.
    • You should see the password is now a long string rather than password.
    • If yours still says password, give it a few minutes and refresh the page. Your Lambda function may still be in the process of getting set up.
  13. Back in the Lambda function, click Test.
    • You will see errors saying access is denied because the password has changed.
  14. Click the index.js tab.
  15. Select all the code and replace it with the following:

      var mysql = require('mysql');
      var AWS = require('aws-sdk'),
          region = "us-east-1",
          secretName = "RDScredentials",
          secret,
          decodedBinarySecret;

      var client = new AWS.SecretsManager({
          region: region
      });

      exports.handler = (event, context, callback) => {
          client.getSecretValue({SecretId: secretName}, function(err, data) {
              if (err) {
                  // Without the secret there is no password to connect with, so stop here.
                  console.log(err);
                  return callback(err);
              }
              // Decrypts secret using the associated KMS CMK.
              // Depending on whether the secret is a string or binary, one of these fields will be populated.
              if ('SecretString' in data) {
                  secret = data.SecretString;
              } else {
                  let buff = Buffer.from(data.SecretBinary, 'base64'); // new Buffer() is deprecated
                  decodedBinarySecret = buff.toString('ascii');
                  secret = decodedBinarySecret;
              }

              // The secret is a JSON document; only the password is taken from it here.
              var parse = JSON.parse(secret);
              var password = parse.password;

              var connection = mysql.createConnection({
                  host: "<RDS Endpoint>",
                  user: "username",
                  password: password,
                  database: "example",
              });

              connection.query('show tables', function (error, results, fields) {
                  if (error) {
                      // Close the socket and report the failure to Lambda.
                      connection.destroy();
                      callback(error);
                  } else {
                      // connected!
                      console.log("Query result:");
                      console.log(results);
                      // Close the connection, then return the result exactly once.
                      connection.end(function (err) { callback(err, results); });
                  }
              });
          });
      };

  16. Replace <RDS Endpoint> with the value you copied earlier.
  17. Click Deploy.
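
The handler above calls Secrets Manager on every invocation and, with daily rotation enabled, any cached password can go stale in the way the access-denied test showed. The following is an added example, not part of the original lab: it parses the secret into connection options, caches it, and refetches once when the database rejects the cached password. The function names, the stubbed secret store and database, the host value, and the assumption that the secret JSON carries username, password and host keys are illustrative.

```javascript
// Added example (constructed stubs). Turn a GetSecretValue response into mysql options.
function parseDbSecret(data) {
  // One of SecretString / SecretBinary is populated, as in the lab's handler.
  const raw = 'SecretString' in data ? data.SecretString
    : Buffer.from(data.SecretBinary, 'base64').toString('utf8');
  const s = JSON.parse(raw);
  for (const key of ['username', 'password', 'host']) { // assumed key names
    // The error names the missing key and never includes a secret value.
    if (typeof s[key] !== 'string' || !s[key]) throw new Error('secret is missing "' + key + '"');
  }
  return { host: s.host, port: s.port || 3306, user: s.username, password: s.password };
}

// Cache the parsed secret between invocations; refetch when stale or forced.
function makeCredentialSource(fetchSecret, ttlMs, now = Date.now) {
  let cached = null, fetchedAt = 0;
  return async function getCredentials(forceRefresh = false) {
    if (forceRefresh || cached === null || now() - fetchedAt > ttlMs) {
      cached = parseDbSecret(await fetchSecret());
      fetchedAt = now();
    }
    return cached;
  };
}

// Run a query; if the cached password was rotated away, refetch once and retry.
async function queryWithRotationRetry(getCredentials, runQuery) {
  try {
    return await runQuery(await getCredentials());
  } catch (err) {
    if (err.code !== 'ER_ACCESS_DENIED_ERROR') throw err; // code set by the mysql driver
    return runQuery(await getCredentials(true));
  }
}

// Constructed demo: the stored password changes while the old one is cached.
async function demo() {
  let current = 'old-pw', fetches = 0;
  const fetchSecret = async () => { fetches++; return { SecretString: JSON.stringify(
    { username: 'username', password: current, host: 'db.example.internal' }) }; };
  const getCredentials = makeCredentialSource(fetchSecret, 300000);
  const runQuery = async (opts) => {
    if (opts.password !== current) throw Object.assign(new Error('denied'), { code: 'ER_ACCESS_DENIED_ERROR' });
    return 'connected as ' + opts.user;
  };
  const first = await queryWithRotationRetry(getCredentials, runQuery);
  current = 'new-pw'; // rotation
  const second = await queryWithRotationRetry(getCredentials, runQuery);
  return { first, second, fetches };
}
```

In a real handler, fetchSecret would wrap client.getSecretValue and runQuery would open the mysql connection; create the credential source outside the handler so the cache survives warm invocations.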