I want to configure my AWS Lambda function to connect to an Amazon Relational Database Service (Amazon RDS) database using Amazon RDS Proxy.
Short description
You can create an Amazon RDS Proxy database for your Lambda function. A database proxy manages a pool of database connections and relays queries from a function. This lets a function reach high concurrency levels without exhausting database connections.
For more information, see Configuring database access for a Lambda function.
Resolution
Follow these instructions to configure Amazon RDS Proxy with a Lambda function.
Note: Amazon RDS Proxy must be in the sameAmazon Virtual Private Cloud (Amazon VPC) as the Amazon RDS database. Configure the Lambda function with Amazon VPC to access the Amazon RDS Proxy.
Step 1: Create database credentials in AWS Secrets Manager
1.Open the Secrets Manager console, and then choose Store a new secret.
2.For Secret type, choose Credentials for RDS Database.
3.Enter the user name and password for your Amazon RDS database instance.
4.For Encryption key, choose the AWS Key Management Service (AWS KMS) key that Secrets Manager uses to encrypt the secret value**.**
5.For Database, choose your database, and then choose Next.
6.For Secret name, enter a name, choose Next, choose Next again, and then choose Store.
7.In Secrets, choose the Secrets Manager secret that you created.
8.In Secret ARN, copy the ARN to use in another step.
For more information, see Create an AWS Secrets Manager database secret.
Step 2: Create an AWS Identity and Access Management (IAM) policy and role for Amazon RDS Proxy
Create an IAM role with permission to use the secret, and then create a trust policy that allows Amazon RDS to assume the role.
Example IAM Secrets Manager policy
Note: Replace Secret_ARN with the Secrets Manager ARN that you previously copied**.**
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "secretsmanager:GetResourcePolicy", "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret", "secretsmanager:ListSecretVersionIds" ], "Resource": [ "[Secret_ARN]" ] }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "secretsmanager:GetRandomPassword", "secretsmanager:ListSecrets" ], "Resource": "*" } ]}
Example IAM RDS trust policy
{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "rds.amazonaws.com" }, "Action": "sts:AssumeRole" } ]}
Step 3: Create and attach an RDS proxy to a Lambda function
1.Open the Functions page in the Lambda console.
2.In Functions, choose your Lambda function.
3.Choose Configuration, and then choose Add database proxies.
4.Enter the following variables:
Proxy identifier: The name of the proxy.
RDS DB instance: A supported MySQL or PostgreSQL DB instance or cluster.
Secret: The Secrets Manager that you created.
IAM role: The IAM role that you created.
Authentication: Choose Password to connect with database credentials or choose Execution role to use the function's IAM credentials for authentication.
5.Choose Add.
The proxy creation takes a few minutes to complete. When the proxy is available, configure your function to connect to the proxy endpoint instead of the database endpoint. For more information, see Creating a database proxy (console).
Step 4: (Optional) Confirm that your Amazon RDS Proxy is using IAM authentication
The following steps are required only if you're using the Lambda execution role to authenticate to Amazon RDS Proxy.
1. Open the Amazon RDS console.
2. In the navigation pane, choose Proxies, and then choose your proxy.
3. Choose Actions, and then choose Modify.
4. In Connectivity module, make sure that IAM Authentication is set to Required.
Note: If you experience connection issues, then seeWhy can't I connect to my Amazon RDS DB or Amazon Aurora DB instance using RDS Proxy?For more information, see Using Amazon RDS Proxy with AWS Lambda.
Related information
How do I configure a Lambda function to connect to an RDS instance?
)
