Aws-secretsmanager-caching-extension - Cache server for AWS Secrets Manager

AWS Lambda Extension / Sidecar Container

Diagram cache server

Cache Server

The cache server is written in Go, and the same code runs both inside a Lambda extension and as a sidecar container. To run the same extension under different Lambda runtimes, we needed a language that compiles to a single binary, so the binary can be executed directly regardless of the Lambda runtime language or version.

The server listens on port 8015 and receives the secret name and a refresh parameter. The refresh parameter is used to invalidate the cached value so it is fetched again.
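As an added illustration (not the project's own code), a minimal Go version of such a cache server: a mutex-guarded map keyed by secret name, a TTL, and a refresh flag that forces a re-fetch. The query parameter names, the TTL and the Fetcher stub standing in for the Secrets Manager client are assumptions of this example.

```go
package main

import (
	"net/http"
	"sync"
	"time"
)

// Fetcher loads a secret from its store (Secrets Manager in the real extension; a stub here).
type Fetcher func(name string) (string, error)
type entry struct {
	value   string
	expires time.Time
}

// SecretCache caches values by secret name; the mutex makes concurrent lookups and refreshes safe.
type SecretCache struct {
	mu    sync.Mutex
	ttl   time.Duration
	fetch Fetcher
	items map[string]entry
}

func NewSecretCache(fetch Fetcher, ttl time.Duration) *SecretCache {
	return &SecretCache{ttl: ttl, fetch: fetch, items: map[string]entry{}}
}

// Get serves name from cache unless refresh is set or the TTL has elapsed; then the secret is
// fetched again under the lock, so concurrent callers for one name do not all hit the store.
func (c *SecretCache) Get(name string, refresh bool) (string, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if e, ok := c.items[name]; ok && !refresh && time.Now().Before(e.expires) {
		return e.value, nil
	}
	v, err := c.fetch(name)
	if err != nil {
		return "", err
	}
	c.items[name] = entry{value: v, expires: time.Now().Add(c.ttl)}
	return v, nil
}

// ServeHTTP answers GET /?name=<secret>&refresh=true (query parameter names are assumed).
func (c *SecretCache) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	v, err := c.Get(q.Get("name"), q.Get("refresh") == "true")
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadGateway)
		return
	}
	w.Write([]byte(v))
}
```

Serve it on the extension's port with http.ListenAndServe("127.0.0.1:8015", cache); binding to loopback matters, since any process that can reach the port can read the cached secrets.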

How it works

Lambda Extension

Sequence Diagram lambda

Sidecar Container

Diagram cache server

Use Case

Use the cache server to retrieve the database password needed to connect to the database from different Lambda runtimes.

The Laravel Aurora Connector (https://github.com/cgauge/laravel-aurora-connector) library uses this strategy.

Some implementation details can be found here: https://github.com/cgauge/laravel-aurora-connector/blob/main/src/PasswordResolver.php

Usage

Lambda Extension

# CloudFormation
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Resources:
  function:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs12.x
      CodeUri: function/.
      Layers:
        - arn:aws:lambda:eu-west-1:12345678:layer:secretsmanager-caching-extension:1

# Serverless Framework
functions:
  hello:
    handler: handler.hello
    layers:
      - arn:aws:lambda:eu-west-1:12345678:layer:secretsmanager-caching-extension:1

Sidecar Container

# Cloudformation
TaskDefinition:
  Type: 'AWS::ECS::TaskDefinition'
  Properties:
    ContainerDefinitions:
      - Name: Name of your service image
        Image: your.service.image/tag:version
        PortMappings:
          - ContainerPort: '80'
      - Name: CacheSecretsService
        Image: customergauge/aws-secretsmanager-caching-sidecar
        PortMappings:
          - ContainerPort: '8015'
    ...

Contributing

Contributions are always welcome, please have a look at our issues to see if there's something you could help with.

License

AWS Secrets Manager Caching Extension is licensed under the LGPLv3 license.

Comments

Avoid map access concurrence

Map access is unsafe only when updates are occurring. As long as all goroutines are only reading (looking up elements in the map, including iterating through it using a for range loop) and not changing the map by assigning to elements or doing deletions, it is safe for them to access the map concurrently without synchronization.