Secrets Manager API vs Lambda Extension

More than one and half year ago, the launch of the AWS Parameters and Secrets Lambda Extension was announced.

This extension allows you to retrieve secrets and parameters from AWS Secrets Manager and AWS Systems Manager, respectively, without using the APIs. By doing so, you can avoid the associated costs and the need to manage the caching of values manually.

Using these extensions instead of the APIs should allow you to improve performance and decrease costs.

Is that true?

Let's find out!

The tool for the test: AWS Lambda Power Tuning

AWS Lambda Power Tuning is a user-friendly and open-source tool that helps you to improve the performance of your Lambda functions.

You simply specify the Lambda function you want to enhance and the memory values you want to test. Then, the tool runs multiple versions of your function with different memory settings. It measures their execution time and calculates the associated costs, providing insights into performance improvements.

You can find comprehensive documentation on how to deploy and execute AWS Lambda Power Tuning at the related gitHub repository.

The test

For this test, I have created two lambdas:

getSecretWithSecretsManagerAPI: it retrieves the secret using the Secrets Manager API (sdk v3).
getSecretWithLambdaExtension: it retrieves the secret using the Secrets Lambda Extension.

Both functions:

Use nodejs20.x runtime
Use arm64 architecture
Are deployed in eu-west-1 region

To perform the test, I configured and executed an AWS Step Functions state machine. The state machine allowed me to specify memory values to allocate to the Lambda functions. I chose to run the state machine for memory values ranging from 128 MB to 3008 MB.
After running the state machine once for each Lambda function, I used the tool's UI to compare the results.

A note: While understanding AWS Step Functions is not necessary for comprehending the results of this article, it's worth mentioning how the test was conducted for transparency. The focus here is on interpreting the test results rather than the technical details of the testing process.

The results

The execution time for the lambda that retrieves the secret using the Secrets Manager API varies from 46 seconds with 128 MB to 24 seconds with 512 MB. Beyond 512 MB, the execution time remains more or less stable at 24 seconds.

On the other hand, the execution time for the lambda that retrieves the secret using Lambda Extension ranges from 23 milliseconds with 128 MB to 5 seconds with 512 MB. Beyond 512 MB, the execution time remains stable at around 5 seconds.

The test confirms the expectations: the lambda that retrieves the secret using Lambda Extension is always more performant and cheaper than the lambda that retrieves the secret using Secrets Manager API.

Below are two tables comparing the execution time and costs for the two functions.

Execution Time Table

Memory Allocation	getSecretWithSecretsManagerAPI	`getSecretWithLambdaExtension`
128 MB	46ms	23ms
256 MB	25ms	16ms
512 MB	24ms	5ms
1024 MB	24ms	5ms
1536 MB	25ms	5ms
3008 MB	24ms	5ms

On average, the Lambda function that uses Lambda Extension to retrieve the secret is 282% faster than the one using the Secrets Manager API.

Costs Table

Memory Allocation	getSecretWithSecretsManagerAPI	`getSecretWithLambdaExtension`
128 MB	0.000000078$	0.000000041$
256 MB	0.000000085$	0.000000054$
512 MB	0.000000163$	0.000000034$
1024 MB	0.00000033$	0.000000068$
1536 MB	0.00000051$	0.000000102$
3008 MB	0.000001$	0.00000024$

On average, the Lambda that uses Lambda Extension to retrieve the secret is 271% cheaper than the one using Secrets Manager API.

Conclusions

At the beginning of the article we aimed to answer to the question:

Is it true that using Lambda Extensions will improve performance and decrease costs?

The test show that yes, using Lambda Extension for retrieving secrets from Secrets Manager is consistently faster and more cost-effective across different memory configurations.

That's all folks! 🚀

Site Terms, Privacy, and more.