英文:
Reset cache in AWS Lambda when AWS Secrets Manager secret value is updated
问题
我正在使用AWS Secrets Manager来存储机密,并在我的一个AWS Lambda函数中使用它。AWS还提供了<code>AWSSDK.SecretsManager.Caching</code>库以提高性能并降低成本。我还开始使用它,设置了较长的缓存生命周期(1天)。
接下来,当机密值发生更改时,我需要立即重置缓存。
现在,我的问题是,Lambda如何被通知需要重置缓存?
英文:
I am using AWS Secrets Manager for storing secrets and use it in one of my AWS Lambda functions. AWS also provides <code>AWSSDK.SecretsManager.Caching</code> library to improve performance and reduce costs. I also start using it with a long caching lifetime (1 day).
The next step is, when the secret value will be changed, I need to reset the cache immediately.
Now, my question is, how can Lambda be notified that it needs to reset the cache?
答案1
得分: 1
这可能在无服务器函数中有些棘手。
如果旋转时间是可预测的,那么将密钥的过期时间与密钥一起存储为一对,Lambda函数可以根据需要丢弃并重新获取过期时的密钥。
如果密钥在任意时间发生旋转,那么要么:
- 加强 Lambda 函数以处理具有错误密钥值的后果(例如,数据库连接可能失败,触发 Lambda 函数重新获取密钥并重试连接)。
- 维护某种状态,例如在 DynamoDB 中,当密钥发生旋转时能高效更新,这样 Lambda 函数可以在每次使用缓存的密钥前查询这个状态。
英文:
This can be tricky with serverless functions.
If the rotation time is predicable then store the expiration time of the secret along with the secret as a pair, then the Lambda function can discard and re-fetch the secret as needed when it's expired.
If key rotation happens at arbitrary times, then either:
- enhance the Lambda function to deal with the consequences of having a bad secret value (e.g. a DB connection might fail triggering the Lambda function to re-fetch the secret and retry the connection)
- maintain some kind of state e.g. in DynamoDB that's efficient to update when a secret is rotated so that the Lambda function can query this state any time it's about to use the cached secret
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论