Commit 61ee44e

Browse files
Lambda extension example script instructions (#21)
*Issue #, if available:*

*Description of changes:* Instructions for using the example script secrets-manager-agent-extension.sh to install the agent as a Lambda extension.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

---------

Co-authored-by: Simon Marty <[email protected]>
1 parent 994fe63 commit 61ee44e

1 file changed: +39 / -10 lines changed


README.md

Lines changed: 39 additions & 10 deletions
@@ -19,8 +19,8 @@ To download the source code, see [https://github\.com/aws/aws\-secretsmanager\-a
1919
- [\[ Cross-compile natively \]](#-cross-compile-natively-)
2020
- [\[ Cross compile with Rust cross \]](#-cross-compile-with-rust-cross-)
2121
- [Step 2: Install the Secrets Manager Agent](#step-2-install-the-secrets-manager-agent)
22-
- [\[ Amazon EKS and Amazon ECS \]](#-amazon-eks-and-amazon-ecs-)
23-
- [\[ Docker \]](#-docker-)
22+
- [\[ Amazon EC2 \]](#-amazon-ec2-)
23+
- [\[ Running as a Container Sidecar \]](#-running-as-a-container-sidecar-)
2424
- [\[ AWS Lambda \]](#-aws-lambda-)
2525
- [Step 3: Retrieve secrets with the Secrets Manager Agent](#step-3-retrieve-secrets-with-the-secrets-manager-agent)
2626
- [\[ curl \]](#-curl-)
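Review bot: The two new table-of-contents links (`#-amazon-ec2-` and `#-running-as-a-container-sidecar-`) only resolve if the renamed headings keep exactly the `#### [ ... ]` bracket-and-space form, because GitHub derives the anchor slug from the heading text; please verify both links in the rendered README. Dropping the Amazon EKS and Amazon ECS entry also leaves no remaining pointer for readers looking for cluster guidance; if that guidance now lives under the sidecar section, saying so in that section would help.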
@@ -135,7 +135,7 @@ cross build --release --target x86_64-pc-windows-gnu
135135
Based on the type of compute, you have several options for installing the Secrets Manager Agent\.
136136

137137
------
138-
#### [ Amazon EKS and Amazon ECS ]
138+
#### [ Amazon EC2 ]
139139

140140
**To install the Secrets Manager Agent**
141141

@@ -150,7 +150,7 @@ Based on the type of compute, you have several options for installing the Secret
150150
```
151151

152152
------
153-
#### [ Docker ]
153+
#### [ Running as a Container Sidecar ]
154154

155155
You can run the Secrets Manager Agent as a sidecar container alongside your application by using Docker\. Then your application can retrieve secrets from the local HTTP server the Secrets Manager Agent provides\. For information about Docker, see the [Docker documentation](https://docs.docker.com)\.
156156

@@ -217,17 +217,46 @@ You must load AWS credentials and the SSRF token for the application to be able
217217
------
218218
#### [ AWS Lambda ]
219219

220-
You can package the Secrets Manager Agent as an AWS Lambda extension\. Then you can add it to your Lambda function as a layer and call the Secrets Manager Agent from your Lambda function to get secrets\. For an example script that shows how to run the Secrets Manager Agent as an extension, see `secrets-manager-agent-extension.sh` in [https://github\.com/aws/aws\-secretsmanager\-agent](https://github.com/aws/aws-secretsmanager-agent)\.
220+
You can [package the Secrets Manager Agent as an AWS Lambda extension](https://docs.aws.amazon.com/lambda/latest/dg/packaging-layers.html)\. Then you can [add it to your Lambda function as a layer](https://docs.aws.amazon.com/lambda/latest/dg/adding-layers.html) and call the Secrets Manager Agent from your Lambda function to get secrets\.
221+
222+
The following instructions show how to get a secret named *MyTest* by using the example script `secrets-manager-agent-extension.sh` in [https://github\.com/aws/aws\-secretsmanager\-agent](https://github.com/aws/aws-secretsmanager-agent) to install the Secrets Manager Agent as a Lambda extension\.
221223

222224
**To create a Lambda extension that packages the Secrets Manager Agent**
223225

224-
1. Create a ZIP file with the Secrets Manager Agent binary\. For instructions, see [Packaging your layer content](https://docs.aws.amazon.com/lambda/latest/dg/packaging-layers.html) in the *AWS Lambda Developer Guide*\.
226+
1. Create a Python Lambda function that queries `http://localhost:2773/secretsmanager/get?secretId=MyTest` to get the secret\. Be sure to implement retry logic in your application code to accommodate delays in initialization and registration of the Lambda extension\.
225227

226-
1. Create a Lambda layer from the ZIP file\. For instructions, see [Creating layers](https://docs.aws.amazon.com/lambda/latest/dg/creating-deleting-layers.html) in the *AWS Lambda Developer Guide*\.
228+
1. From the root of the Secrets Manager Agent code package, run the following commands to test the Lambda extension\.
227229

228-
1. Add the layer to your Lambda function\. For instructions, see [Adding layers to functions](https://docs.aws.amazon.com/lambda/latest/dg/adding-layers.html) in the *AWS Lambda Developer Guide*\.
230+
```sh
231+
AWS_ACCOUNT_ID=<AWS_ACCOUNT_ID>
232+
LAMBDA_ARN=<LAMBDA_ARN>
233+
234+
# Build the release binary
235+
cargo build --release --target=x86_64-unknown-linux-gnu
236+
237+
# Copy the release binary into the `bin` folder
238+
mkdir -p ./bin
239+
cp ./target/x86_64-unknown-linux-gnu/release/aws_secretsmanager_agent ./bin/secrets-manager-agent
240+
241+
# Copy the `secrets-manager-agent-extension.sh` script into the `extensions` folder.
242+
mkdir -p ./extensions
243+
cp aws_secretsmanager_agent/examples/example-lambda-extension/secrets-manager-agent-extension.sh ./extensions
244+
245+
# Zip the extension shell script and the binary
246+
zip secrets-manager-agent-extension.zip bin/* extensions/*
247+
248+
# Publish the layer version
249+
LAYER_VERSION_ARN=$(aws lambda publish-layer-version \
250+
--layer-name secrets-manager-agent-extension \
251+
--zip-file "fileb://secrets-manager-agent-extension.zip" | jq -r '.LayerVersionArn')
252+
253+
# Attach the layer version to the Lambda function
254+
aws lambda update-function-configuration \
255+
--function-name $LAMBDA_ARN \
256+
--layers "$LAYER_VERSION_ARN"
257+
```
229258

230-
1. In your Lambda function code, you can now use the Secrets Manager Agent to retrieve secrets\. For more information, see [Step 3: Retrieve secrets with the Secrets Manager Agent](#secrets-manager-agent-call)\.
259+
1. Invoke the Lambda function to verify that the secret is being correctly fetched\.
231260

232261
------
233262

@@ -330,4 +359,4 @@ You can configure logging in the [Configuration file](#secrets-manager-agent-con
330359

331360
For an agent architecture, the domain of trust is where the agent endpoint and SSRF token are accessible, which is usually the entire host\. The domain of trust for the Secrets Manager Agent should match the domain where the Secrets Manager credentials are available in order to maintain the same security posture\. For example, on Amazon EC2 the domain of trust for the Secrets Manager Agent would be the same as the domain of the credentials when using roles for Amazon EC2\.
332361

333-
Security conscious applications that are not already using an agent solution with the Secrets Manager credentials locked down to the application should consider using the language\-specific AWS SDKs or caching solutions\. For more information, see [Get secrets](https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets.html)\.
362+
Security conscious applications that are not already using an agent solution with the Secrets Manager credentials locked down to the application should consider using the language\-specific AWS SDKs or caching solutions\. For more information, see [Get secrets](https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets.html)\.
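Review bot: The removed line 333 and the added line 362 are character-for-character identical in the rendered diff, so this hunk is most likely a trailing-whitespace or line-ending change; if that is not intended, reverting it keeps the change confined to the Lambda section.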