Build Aurora Serverless cluster with DataAPI and Secrets Manager

How to secure access to Aurora Serverless over DataAPI using Secrets Manager and IAM access policies in a few easy steps.
Yev Krupetsky

April 20 2021 · 3 min read


In the previous post Build reliable and scalable applications with Amazon Aurora Serverless, we created an application with an Aurora Serverless cluster, an API and a Lambda function to work with the database. We saw how Altostra makes this process quick and easy.

You can now let Altostra create the secret and access policies that will store the password to the database and allow Lambda functions to access the database.

Why it matters

DataAPI is a significant feature of Aurora Serverless: it lets you build better serverless applications by avoiding tedious VPC network configuration and the slow cold starts of VPC-attached Lambda functions. Storing the database password in Secrets Manager, rather than in your application configuration, improves security.

Altostra solves a couple of major pain points by automating the whole process. First, it saves you a lot of time configuring secrets and policies and making sure they work together. Most importantly, Altostra creates restricted access policies for each Lambda function, allowing it only to read the database secret and use the DataAPI endpoint. This reduces the risk of human error and of over-permissive policies that can lead to security vulnerabilities.

How it works

When you add an Aurora Serverless Cluster resource to your infrastructure design, the default option is to use a managed secret.

[Image: database resource properties]

In the resource’s properties, notice the Use Managed Secret toggle under the Password field. When turned on, Altostra will create an AWS Secrets Manager secret resource with a randomly generated password.

The secret’s ARN is now available as an environment variable in all Lambda functions connected to the database resource. We can then pass the environment variables to the data-api-client library.
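The following Lambda handler is an added example and not code from the post or from Altostra. It reads the client configuration from environment variables, creates a data-api-client instance, and runs a query with a named parameter so that caller input is bound by the DataAPI rather than spliced into the SQL. The variable names DATABASE01_SECRET_ARN, DATABASE01_CLUSTER_ARN and DATABASE01_NAME, and the users table, are assumptions for illustration.

```javascript
'use strict';

// Added example, not code from the Altostra post: a Lambda handler that takes the
// secret and cluster ARNs from environment variables and queries Aurora Serverless
// through the DataAPI with the data-api-client package. The variable names
// DATABASE01_SECRET_ARN, DATABASE01_CLUSTER_ARN and DATABASE01_NAME are assumptions.

// Read the client configuration from the environment and fail fast if a value
// is missing, so the function never runs with a partial or fallback configuration.
function configFromEnv(env) {
  const names = {
    secretArn: 'DATABASE01_SECRET_ARN',    // assumed name of the secret ARN variable
    resourceArn: 'DATABASE01_CLUSTER_ARN', // assumed name of the cluster ARN variable
    database: 'DATABASE01_NAME',           // assumed name of the database name variable
  };
  const config = {};
  for (const [option, name] of Object.entries(names)) {
    if (!env[name]) throw new Error(`missing environment variable ${name}`);
    config[option] = env[name];
  }
  return config;
}

// Keep the SQL text fixed and pass caller input as a named parameter; the DataAPI
// binds :userId server-side, so the input is never spliced into the statement.
function buildUserQuery(rawId) {
  const userId = Number(rawId);
  if (!Number.isSafeInteger(userId) || userId <= 0) throw new Error('invalid user id');
  return { sql: 'SELECT id, name FROM users WHERE id = :userId', params: { userId } };
}

// Lambda entry point. The client is created inside the handler so the helpers
// above can be exercised without the package installed or AWS credentials present.
async function handler(event) {
  const data = require('data-api-client')(configFromEnv(process.env));
  const { sql, params } = buildUserQuery(event.pathParameters && event.pathParameters.id);
  const result = await data.query(sql, params);
  return { statusCode: 200, body: JSON.stringify(result.records) };
}

if (typeof module !== 'undefined') {
  module.exports = { handler, configFromEnv, buildUserQuery };
}
```

Because the function only holds the secret's ARN, the password itself is fetched by the DataAPI at query time using the function's `secretsmanager:GetSecretValue` permission; it never appears in the deployment package or the environment.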

[Image: Lambda code side by side]

During deployment, Altostra generates the following policies for every Lambda function connected to the database:

Allow the Lambda function to read the database secret value

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": {
        "Ref": "Database01Secret"
      }
    }
  ]
}

Allow the Lambda function to access the Aurora cluster over DataAPI

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": {
        "Fn::Sub": [
          "arn:aws:rds:${AWS::Region}:${AWS::AccountId}:cluster:${clusterName}",
          {
            "clusterName": {
              "Ref": "Database01"
            }
          }
        ]
      },
      "Action": [
        "rds-data:ExecuteSql",
        "rds-data:ExecuteStatement",
        "rds-data:BatchExecuteStatement",
        "rds-data:BeginTransaction",
        "rds-data:RollbackTransaction",
        "rds-data:CommitTransaction"
      ]
    }
  ]
}
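To check that generated policies like the two above really are restricted, here is an added example (not Altostra's code) of a small policy linter. It reports any Allow statement that uses a wildcard action or resource, or an action outside the allowlist a DataAPI consumer needs; the allowlist and the accepted resource forms (a CloudFormation Ref, an Fn::Sub template, or a literal ARN without a wildcard) are my own choices. The two policies from the post are embedded as input alongside a constructed over-permissive policy for contrast.

```javascript
'use strict';

// Added example, not Altostra's code: a small linter for the per-function policies
// shown above. It reports wildcard actions or resources and any Allow action outside
// the set a DataAPI consumer needs, which is the kind of over-permissive policy the
// post says the generated policies avoid.

// The only actions a function needs to read one secret and use the DataAPI.
const ALLOWED_ACTIONS = new Set([
  'secretsmanager:GetSecretValue',
  'rds-data:ExecuteSql',
  'rds-data:ExecuteStatement',
  'rds-data:BatchExecuteStatement',
  'rds-data:BeginTransaction',
  'rds-data:RollbackTransaction',
  'rds-data:CommitTransaction',
]);

// IAM allows Action and Resource to be a string or an array; normalise to an array.
const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// A resource is scoped if it names one resource: a CloudFormation Ref, an Fn::Sub
// template without a wildcard, or a literal ARN without a wildcard.
function resourceIsScoped(resource) {
  if (typeof resource === 'string') return resource.startsWith('arn:') && !resource.includes('*');
  if (resource && typeof resource === 'object') {
    if ('Ref' in resource) return true;
    if ('Fn::Sub' in resource) {
      const sub = resource['Fn::Sub'];
      const template = Array.isArray(sub) ? sub[0] : sub;
      return typeof template === 'string' && !template.includes('*');
    }
  }
  return false;
}

// Returns a list of findings; an empty list means every Allow statement is scoped.
function lintPolicy(policy) {
  const findings = [];
  asList(policy.Statement).forEach((stmt, i) => {
    if (stmt.Effect !== 'Allow') return; // Deny statements only narrow access
    for (const action of asList(stmt.Action)) {
      if (action.includes('*')) findings.push(`statement ${i}: wildcard action ${action}`);
      else if (!ALLOWED_ACTIONS.has(action)) findings.push(`statement ${i}: unexpected action ${action}`);
    }
    for (const resource of asList(stmt.Resource)) {
      if (!resourceIsScoped(resource)) {
        findings.push(`statement ${i}: unscoped resource ${JSON.stringify(resource)}`);
      }
    }
  });
  return findings;
}

// The two generated policies from the post, as JavaScript objects.
const secretPolicy = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Action: ['secretsmanager:GetSecretValue'],
    Resource: { Ref: 'Database01Secret' },
  }],
};

const dataApiPolicy = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Resource: {
      'Fn::Sub': [
        'arn:aws:rds:${AWS::Region}:${AWS::AccountId}:cluster:${clusterName}',
        { clusterName: { Ref: 'Database01' } },
      ],
    },
    Action: [
      'rds-data:ExecuteSql', 'rds-data:ExecuteStatement', 'rds-data:BatchExecuteStatement',
      'rds-data:BeginTransaction', 'rds-data:RollbackTransaction', 'rds-data:CommitTransaction',
    ],
  }],
};

// A constructed over-permissive policy for contrast: every rds-data action on any cluster.
const broadPolicy = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: 'rds-data:*', Resource: '*' }],
};

if (typeof module !== 'undefined') {
  module.exports = { lintPolicy, resourceIsScoped, secretPolicy, dataApiPolicy, broadPolicy };
}

console.log(lintPolicy(secretPolicy), lintPolicy(dataApiPolicy)); // [] []
console.log(lintPolicy(broadPolicy)); // two findings: wildcard action and unscoped resource
```

The linter accepts a `Ref` on trust, so it assumes the referenced logical resource is the single secret or cluster the function should reach; a check like this belongs in a pre-deployment step over the synthesized template, where it catches a policy that has widened to `rds-data:*` or `Resource: "*"` before it is applied.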

Important: Be aware that the use of AWS Secrets Manager secrets incurs additional costs. Refer to the AWS Secrets Manager pricing information for more information.

Next steps

Want to give it a try? We provide a free-forever plan for developers. Create your free account today at https://app.altostra.com.

Want to stay up to date with the latest Altostra news? Join our community on Discord.

We want to hear from you! Share your Altostra experience with us on Twitter @AltostraHQ and LinkedIn and any suggestions that can make your work with Altostra even better.

Happy coding!
