This is a simple Python Lambda function that pulls secrets from the EC2 SSM Parameter Store and connects to a MySQL RDS instance. The source is used in conjunction with the following blog article, EC2 SSM Param Store: The AWS Vault for storing secrets.
To get started locally, create a Python virtual environment and install the requirements:
$ virtualenv -p python3 ssm
$ source ssm/bin/activate
$ pip install -r requirements.txt
Upload the CloudFormation template included in this project in AWS Web Console or use the AWS CLI:
$ aws cloudformation deploy --template-file /cloudformation/mysql.rds.yaml \
--stack-name my-mysql-rds --parameter-overrides DBUsername=Value1 DBPassword=Value2
Upon creation, take note of the RDS endpoint and update the db_host value in the rds_config.py file.
This project uses the Serverless Framework and the serverless-python-requirements plug-in for deploying to AWS. You'll need to install them using npm:
# installs serverless framework and python-requirements plugin
$ npm i
Prerequisite: Node.js and npm must be installed on your computer.
Deploy Project:
# deploy with serverless to dev (or other environment)
$ sls deploy --stage dev
Amazon EC2 Systems Manager Parameter Store can centrally and securely manage secrets, and with IAM roles you can restrict each AWS resource to access only the secrets it needs for a particular environment.
The AWS Lambda function needs to fetch the MySQL Username and Redshift Password from AWS Parameter Store. There is a helper script in the project to create (and/or update) the values stored in the Parameter Store.
# example using dev environment
$ ./scripts/deploy_secrets.sh -e dev -u myuser -p mypassword
This will deploy secrets under the path /env/dev. NOTE: -e is for environment, -u is for user, and -p is for password.
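As an added illustration (not the project's own handler) of how a Lambda can read the secrets deployed under /env/<stage> with least privilege, the following fetches every parameter under that path with decryption, handles NextToken pagination, and builds the MySQL connection settings. Parameter names db_username and db_password, the STAGE/DB_HOST/DB_NAME environment variables, and the FakeSSM stand-in are all assumptions made so the example runs offline.

```python
import os
from typing import Dict

def fetch_secrets(ssm, env: str) -> Dict[str, str]:
    """Read every parameter under /env/<env>, decrypting SecureString values.

    `ssm` is a boto3 SSM client (or a stand-in with the same method). NextToken
    pagination is handled, so more than ten parameters under the path still work.
    The Lambda role only needs ssm:GetParametersByPath on this one path plus
    kms:Decrypt on the key used for SecureString values; nothing outside it is read.
    """
    prefix = f"/env/{env}"
    kwargs = {"Path": prefix, "Recursive": False, "WithDecryption": True}
    secrets: Dict[str, str] = {}
    while True:
        resp = ssm.get_parameters_by_path(**kwargs)
        for p in resp.get("Parameters", []):
            secrets[p["Name"][len(prefix) + 1:]] = p["Value"]  # /env/dev/x -> x
        if not resp.get("NextToken"):
            return secrets
        kwargs["NextToken"] = resp["NextToken"]

def db_config(secrets: Dict[str, str], db_host: str, db_name: str) -> dict:
    """Assemble pymysql.connect() keyword arguments; fail loudly if a secret is absent."""
    missing = [k for k in ("db_username", "db_password") if k not in secrets]
    if missing:
        raise KeyError(f"missing SSM parameters under the path: {missing}")
    return {"host": db_host, "user": secrets["db_username"],
            "password": secrets["db_password"], "db": db_name}

def handler(event, context):
    """Lambda entry point (assumed env vars STAGE, DB_HOST, DB_NAME)."""
    import boto3  # imported here so the module still loads offline without boto3
    secrets = fetch_secrets(boto3.client("ssm"), os.environ["STAGE"])
    cfg = db_config(secrets, os.environ["DB_HOST"], os.environ["DB_NAME"])
    # Never return or log the password; only non-secret settings leave the function.
    return {"db_host": cfg["host"], "db_user": cfg["user"]}

class FakeSSM:
    """Constructed stand-in for boto3's SSM client so the example runs offline."""
    def __init__(self, params: Dict[str, str], page_size: int = 1):
        self._params, self._page = params, page_size
    def get_parameters_by_path(self, Path, Recursive, WithDecryption, NextToken=None):
        names = sorted(n for n in self._params if n.startswith(Path + "/"))
        start = int(NextToken or 0)
        page = names[start:start + self._page]
        resp = {"Parameters": [{"Name": n, "Type": "SecureString",
                                "Value": self._params[n]} for n in page]}
        if start + self._page < len(names):
            resp["NextToken"] = str(start + self._page)
        return resp
```

With page_size=1 the fake forces one parameter per response, which exercises the pagination branch that a real deployment with more than ten parameters would hit.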
Please create a new GitHub issue for any feature requests, bugs, or documentation improvements.
Where possible, please also submit a pull request for the change.