AWS lambda refreshing external token and storing it

I got an AWS question about retrieving and storing an external auth token that expires every hour:

Problem: Our service needs to connect to an API to authenticate. This at the moment is achieved by a token which expires every hour. We want to know the best way to store this secret and retrieve it. It is currently the code in the lambda is just getting this auth token for each transaction as we are in a dev environment we do 1-2 calls a day, but will look to scale up as we prepare for prod.

Below are some solutions we thought of, be good to hear either how to improve, different solutions or what you did on your project:

Solution 1: We have a lambda on a cron job that runs every hour to refresh the token value in AWS secret manager, and the lambda just pulls the secret value when it makes the call. If this call fails then it will have a number of retries in case the auth token has expired and needs to retrieve a new token value.

Solution 2: Similar to above but stored in Redis, the thing about Redis is that we can set the expiry time on the value so if it expired then we can record that and retrieve a new value or add in some more business logic.

While Secrets Manager solution is fine and will work, there is potentially a simpler solution: rely on Lambda container reuse and cache token directly inside lambda container.

You might be aware that AWS Lambda does not immediately destroy container after function is called. Instead it “freezes” it for some time (unspecified but sometimes for hours) and reuses for the next call.

What I would suggest is to just store the token in a global variable inside your lambda and try using it, only refreshing it when it fails. While this might result in slightly higher latency, in practice it might be negligible (you should test it) and you gain significantly lower complexity for your system.