All classes are under active development and subject to non-backward compatible changes or removal in any future version. These are not subject to the Semantic Versioning model. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.
| Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ |
|---|
| Language | Package |
|---|---|
 Python |
aws_solutions_constructs.aws_lambda_secretsmanager |
 Typescript |
@aws-solutions-constructs/aws-lambda-secretsmanager |
 Java |
software.amazon.awsconstructs.services.lambdasecretsmanager |
This AWS Solutions Construct implements the AWS Lambda function and AWS Secrets Manager secret with the least privileged permissions.
Here is a minimal deployable pattern definition in Typescript:
const { LambdaToSecretsmanagerProps, LambdaToSecretsmanager } from '@aws-solutions-constructs/aws-lambda-secretsmanager';
const props: LambdaToSecretsmanagerProps = {
lambdaFunctionProps: {
runtime: lambda.Runtime.NODEJS_14_X,
// This assumes a handler function in lib/lambda/index.js
code: lambda.Code.fromAsset(`${__dirname}/lambda`),
handler: 'index.handler'
},
};
new LambdaToSecretsmanager(this, 'test-lambda-secretsmanager-stack', props);new LambdaToSecretsmanager(scope: Construct, id: string, props: LambdaToSecretsmanagerProps);
Parameters
- scope
Construct - id
string - props
LambdaToSecretsmanagerProps
| Name | Type | Description |
|---|---|---|
| existingLambdaObj? | lambda.Function |
Existing instance of Lambda Function object, if this is set then the lambdaFunctionProps is ignored. |
| lambdaFunctionProps? | lambda.FunctionProps |
User provided props to override the default props for the Lambda function. |
| secretProps? | secretsmanager.SecretProps |
Optional user provided props to override the default props for Secrets Manager |
| existingSecretObj? | secretsmanager.Secret |
Existing instance of Secrets Manager Secret object, If this is set then the secretProps is ignored |
| grantWriteAccess? | boolean |
Optional write access to the Secret for the Lambda function (Read-Only by default) |
| secretEnvironmentVariableName? | string |
Optional Name for the Secrets Manager secret environment variable set for the Lambda function. |
| existingVpc? | ec2.IVpc |
An optional, existing VPC into which this pattern should be deployed. When deployed in a VPC, the Lambda function will use ENIs in the VPC to access network resources and an Interface Endpoint will be created in the VPC for AWS Secrets Manager. If an existing VPC is provided, the deployVpc property cannot be true. This uses ec2.IVpc to allow clients to supply VPCs that exist outside the stack using the ec2.Vpc.fromLookup() method. |
| vpcProps? | ec2.VpcProps |
Optional user-provided properties to override the default properties for the new VPC. enableDnsHostnames, enableDnsSupport, natGateways and subnetConfiguration are set by the pattern, so any values for those properties supplied here will be overrriden. If deployVpc is not true then this property will be ignored. |
| deployVpc? | boolean |
Whether to create a new VPC based on vpcProps into which to deploy this pattern. Setting this to true will deploy the minimal, most private VPC to run the pattern:
true then existingVpc cannot be specified. Defaults to false. |
| Name | Type | Description |
|---|---|---|
| lambdaFunction | lambda.Function |
Returns an instance of lambda.Function created by the construct |
| secret | secretsmanager.Secret |
Returns an instance of secretsmanager.Secret created by the construct |
| vpc? | ec2.IVpc |
Returns an interface on the VPC used by the pattern (if any). This may be a VPC created by the pattern or the VPC supplied to the pattern constructor. |
Out of the box implementation of the Construct without any override will set the following defaults:
- Configure limited privilege access IAM role for Lambda function
- Enable reusing connections with Keep-Alive for NodeJs Lambda function
- Enable X-Ray Tracing
- Set Environment Variables
- (default) SECRET_ARN containing the ARN of the secret as return by CDK secretArn property.
- AWS_NODEJS_CONNECTION_REUSE_ENABLED (for Node 10.x and higher functions)
- Enable read-only access for the associated AWS Lambda Function
- Enable server-side encryption using a default KMS key for the account and region
- Creates a new Secret
- (default) random name
- (default) random value
- Retain the Secret when deleting the CloudFormation stack
© Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.