AWS lambda refreshing external token and storing it
Question
I got an AWS question about retrieving and storing an external auth token that expires every hour:
Problem: Our service needs to connect to an API to authenticate. At the moment this is achieved by a token which expires every hour. We want to know the best way to store this secret and retrieve it. Currently the code in the lambda just gets this auth token for each transaction, as we are in a dev environment and do 1-2 calls a day, but we will look to scale up as we prepare for prod.
Below are some solutions we thought of; it would be good to hear either how to improve them, different solutions, or what you did on your project:
Solution 1: We have a lambda on a cron job that runs every hour to refresh the token value in AWS Secrets Manager, and the lambda just pulls the secret value when it makes the call. If this call fails then it will have a number of retries in case the auth token has expired and a new token value needs to be retrieved.
Solution 2: Similar to above but stored in Redis, the thing about Redis is that we can set the expiry time on the value so if it expired then we can record that and retrieve a new value or add in some more business logic.
Answer 1
Score: 1
While the Secrets Manager solution is fine and will work, there is potentially a simpler solution: rely on Lambda container reuse and cache the token directly inside the Lambda container.
You might be aware that AWS Lambda does not immediately destroy the container after the function is called. Instead it "freezes" it for some time (unspecified, but sometimes for hours) and reuses it for the next call.
What I would suggest is to just store the token in a global variable inside your lambda and try using it, only refreshing it when it fails. While this might result in slightly higher latency, in practice it might be negligible (you should test it), and you gain significantly lower complexity for your system.
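The warm-container caching pattern described above, as an added Python example that is not code from the answer's author. The external API and its clock are constructed stand-ins (`fetch_new_token`, `call_api`, `advance_clock` are hypothetical names) so the refresh-on-401 path can be exercised offline.

```python
# Constructed stand-in for the external auth API: tokens expire after
# TOKEN_TTL seconds and a call with a stale token is rejected with 401.
TOKEN_TTL = 3600
_clock = {"now": 0.0}            # fake clock, advanced by the test
_issued = {"count": 0, "expires_at": {}}

def advance_clock(seconds):
    """Move the fake clock forward (test helper, hypothetical)."""
    _clock["now"] += seconds

def auth_calls():
    """How many times a fresh token has been requested so far."""
    return _issued["count"]

def fetch_new_token():
    """Hypothetical auth call; returns an opaque token valid for TOKEN_TTL."""
    _issued["count"] += 1
    token = f"tok-{_issued['count']}"
    _issued["expires_at"][token] = _clock["now"] + TOKEN_TTL
    return token

def call_api(token, payload):
    """Hypothetical API call: 200 with a live token, 401 otherwise."""
    exp = _issued["expires_at"].get(token)
    if exp is None or _clock["now"] >= exp:
        return 401, None
    return 200, {"echo": payload}

# Module scope survives across invocations while the container is reused;
# a cold start begins with an empty cache, so the first call always fetches.
_cached_token = None

def handler(event, context=None):
    """Lambda entry point: use the cached token, refresh once on a 401."""
    global _cached_token
    if _cached_token is None:
        _cached_token = fetch_new_token()
    status, body = call_api(_cached_token, event)
    if status == 401:                      # token expired while cached
        _cached_token = fetch_new_token()  # refresh; never log the value
        status, body = call_api(_cached_token, event)
    return {"status": status, "body": body}
```

Each warm container keeps its own copy, so concurrently running containers each fetch their own token; the token stays in the function's memory and is never written to logs or a shared store.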