Retrieving passwords from Secrets Manager in Runtime

[alexfpoole]

Hi folks

I'd like to put RDS passwords in Secrets Manager rather than in the Lamda env vars (which are visible in plaintext in the AWS Lambda console :/ )

It would make sense to only retrieve these at cold boot time, in the runtime, rather than for every invocation.

Has anyone done this? it seems like I'd just need to hack a hook into runtime.php..?

Cheers
Alex

[mnapoli]

Hi! Yes, hacking into the boot is a possibility.

But usually I prefer writing code that isn't 100% dependent on how Lambda works (if that's easy and possible). How about the "traditional" pattern of caching the value?

• if the value is not in cache, fetch it
• then return the value

The "cache" could be a file in /tmp, a value in apcu, etc. Or if you keep the PHP process alive explicitly it could be a variable.

That way your mechanism is quite generic.

[alexfpoole]

of course, dump in /tmp if not already there & job done. Thanks maestro :)