Cached SSM and Secrets Values for PHP Lambda on CDK
Managing secrets securely in AWS Lambda functions is crucial for maintaining the integrity and confidentiality of your applications. AWS provides services like AWS Secrets Manager and AWS Systems Manager Parameter Store to manage secrets. However, frequent retrieval of secrets can introduce latency and additional costs. To optimize this, we can cache secrets using a Lambda Extension.
Published Jul 17, 2024
In this article, we will demonstrate how to use a pre-existing Lambda Extension to cache secrets for a PHP Lambda function using the Bref layer and AWS CDK for deployment.
On a high level, these are the components involved:
Using the AWS Parameter and Secrets Lambda extension to cache parameters and secrets

The new AWS Parameters and Secrets Lambda extension provides a managed parameters and secrets cache for Lambda functions. The extension is distributed as a Lambda layer that provides an in-memory cache for parameters and secrets. It allows functions to persist values through the Lambda execution lifecycle, and provides a configurable time-to-live (TTL) setting.

When you request a parameter or secret in your Lambda function code, the extension retrieves the data from the local in-memory cache, if it is available. If the data is not in the cache or it is stale, the extension fetches the requested parameter or secret from the respective service. This helps to reduce external API calls, which can improve application performance and reduce cost.
- AWS Account
- AWS CLI configured
- AWS CDK installed
- PHP installed
- Composer installed
If you have Docker, the container image installs all of these requirements for you.
The code for this project is available in the following GitHub repository: rafaelbernard/serverless-patterns. The relevant files are located in the lambda-extension-ssm-secrets-cdk-php folder.
First, clone the repository and navigate to the relevant directory:
The project structure is as follows:
The main logic for fetching and caching secrets is in php/handlers/lambda.php:
The AWS CDK stack is defined in cdk/cdk-stack.ts:
Make sure your AWS environment variables are already set, then run the command below to install the required dependencies:
# Using docker -- check run-docker.sh
make up
or
# Using local
npm ci
cd php && composer install --no-scripts && cd -
After that, you will have all dependencies installed. Deploy it by executing:
# Using docker
make deploy
or
# Using local
npm run deploy
The CDK output will have the Lambda function URL, which you can use to test and retrieve the values:
Outputs:
LambdaExtensionSsmSecretsCdkPhpStack.LambdaUrl = https://keamdws766oqzr6dbiindaix3a0fdojb.lambda-url.us-east-1.on.aws/
You should see the secret value and parameter value returned by the Lambda function. Subsequent invocations should retrieve the values from the cache, reducing latency and cost.
{
"status": "OK",
"/lambdaextensionssmsecretscdkphpstack/ssm/param": "the-value-here",
"TemplatedSecret3D98B577-4jOWSbUMCHmF": {
"password": "!o9GpBzpa>dYdo.Gx3J2!<zd(s-Fg;ev",
"username": "postgres"
}
}
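The handler in php/handlers/lambda.php is not reproduced above, so here is an added example (my own code, not the repository's) of a Bref handler that produces the JSON shape shown, reading both values through the extension's local HTTP endpoint instead of calling the AWS APIs directly. PARAM_NAME and SECRET_ID are assumed environment variables set on the function by the CDK stack.

```php
<?php
// Added example (not the repository's php/handlers/lambda.php): reads one SSM parameter and one
// secret via the Parameters and Secrets Lambda Extension. Assumes PARAM_NAME and SECRET_ID env vars.
final class ExtensionCache
{
    private string $base;
    private string $token;
    public function __construct()
    {
        // Default port 2773; overridable with PARAMETERS_SECRETS_EXTENSION_HTTP_PORT.
        $this->base = 'http://localhost:' . (getenv('PARAMETERS_SECRETS_EXTENSION_HTTP_PORT') ?: '2773');
        // The extension rejects requests without the function's own session token,
        // so only code inside this execution environment can read the cache.
        $this->token = (string) getenv('AWS_SESSION_TOKEN');
    }
    // Same JSON as the GetParameter API; served from cache for SSM_PARAMETER_STORE_TTL seconds.
    public function parameter(string $name): string
    {
        $q = http_build_query(['name' => $name, 'withDecryption' => 'true']);
        return $this->get("/systemsmanager/parameters/get?{$q}")['Parameter']['Value'];
    }
    // Same JSON as GetSecretValue; served from cache for SECRETS_MANAGER_TTL seconds.
    public function secret(string $secretId): array
    {
        $body = $this->get('/secretsmanager/get?' . http_build_query(['secretId' => $secretId]));
        return json_decode($body['SecretString'], true, 512, JSON_THROW_ON_ERROR);
    }
    private function get(string $path): array
    {
        $ch = curl_init($this->base . $path);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_HTTPHEADER => ['X-Aws-Parameters-Secrets-Token: ' . $this->token],
        ]);
        $raw = curl_exec($ch);
        $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        curl_close($ch);
        if ($raw === false || $status !== 200) {
            throw new RuntimeException("extension request {$path} failed (HTTP {$status})");
        }
        return json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    }
}
// Bref loads this file and invokes the returned callable for each Function URL event.
return function (array $event): array {
    $cache = new ExtensionCache();
    [$param, $secretId] = [(string) getenv('PARAM_NAME'), (string) getenv('SECRET_ID')];
    $body = ['status' => 'OK', $param => $cache->parameter($param), $secretId => $cache->secret($secretId)];
    return ['statusCode' => 200, 'headers' => ['Content-Type' => 'application/json'], 'body' => json_encode($body)];
};
```

Returning the secret in the HTTP response is only for verifying the cache in this demo; a real handler would use the values and never echo them. A rotated secret stays stale in each execution environment until its TTL expires, so size SECRETS_MANAGER_TTL against your rotation window.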
A similar example application written in Python performed three tests, reducing API calls by ~98%. I am quoting their findings, as the benefits are the same for this PHP Lambda:
To evaluate the performance benefits of the Lambda extension cache, three tests were run using the open source tool Artillery to load test the Lambda function.

config:
  target: "https://lambda.us-east-1.amazonaws.com"
  phases:
    -
      duration: 60
      arrivalRate: 10
      rampTo: 40

Test 1: The extension cache is disabled by setting the TTL environment variable to 0. This results in 1650 GetParameter API calls to Parameter Store over 60 seconds.

Test 2: The extension cache is enabled with a TTL of 1 second. This results in 106 GetParameter API calls over 60 seconds.

Test 3: The extension is enabled with a TTL value of 300 seconds. This results in only 18 GetParameter API calls over 60 seconds.

In test 3, the TTL value is longer than the test duration. The 18 GetParameter calls correspond to the number of Lambda execution environments created by Lambda to run requests in parallel. Each execution environment has its own in-memory cache and so each one needs to make the GetParameter API call.

In this test, using the extension has reduced API calls by ~98%. Reduced API calls results in reduced function execution time, and therefore reduced cost.
To delete the stack, run:
make bash
npm run destroy
In this article, we demonstrated how to use a pre-existing Lambda Extension to cache secrets for a PHP Lambda function using the Bref layer and AWS CDK for deployment. By caching secrets, we can improve the performance and reduce the cost of our serverless applications. The approach detailed here can be adapted to various use cases, enhancing the efficiency of your AWS Lambda functions.
For more information on the Parameter Store, Secrets Manager, and Lambda extensions, refer to:
For more serverless learning resources, visit Serverless Land.