Using Parameter Store parameters in AWS Lambda functions
Parameter Store, a tool in AWS Systems Manager, provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, Amazon Machine Image (AMI) IDs, and license codes as parameter values.
To use parameters from Parameter Store in AWS Lambda functions without using an SDK, you can use the AWS Parameters and Secrets Lambda Extension. This extension retrieves parameter values and caches them for future use. Using the Lambda extension can reduce your costs by reducing the number of API calls to Parameter Store. Using the extension can also improve latency because retrieving a cached parameter is faster than retrieving it from Parameter Store.
A Lambda extension is a companion process that augments the capabilities of a Lambda function. An extension is like a client that runs in parallel to a Lambda invocation. This parallel client can interface with your function at any point during its lifecycle. For more information about Lambda extensions, see Lambda Extensions API in the AWS Lambda Developer Guide.
The AWS Parameters and Secrets Lambda Extension works for both Parameter Store and AWS Secrets Manager. To learn how to use the Lambda extension with secrets from Secrets Manager, see Use AWS Secrets Manager secrets in AWS Lambda functions in the AWS Secrets Manager User Guide.
Related info
Using the AWS Parameter and Secrets Lambda extension to cache parameters and secrets
How the extension works
To use parameters in a Lambda function without the Lambda extension, you must configure your Lambda function to receive configuration updates by integrating with the GetParameter API action for Parameter Store.
When you use the AWS Parameters and Secrets Lambda Extension, the extension retrieves the parameter value from Parameter Store and stores it in the local cache. Then, the cached value is used for further invocations until it expires. Cached values expire after they pass their time-to-live (TTL). You can configure the TTL value using the SSM_PARAMETER_STORE_TTL environment variable, as explained later in this topic.
If the configured cache TTL has not expired, the cached parameter value is used. If the time has expired, the cached value is invalidated and the parameter value is retrieved from Parameter Store.
Also, the system detects parameter values that are used frequently and maintains them in the cache while clearing those that are expired or unused.
Important
The extension can be invoked only in the INVOKE phase of the Lambda operation and not during the INIT phase.
Implementation details
Use the following details to help you configure the AWS Parameters and Secrets Lambda Extension.
- Authentication
- 
To authorize and authenticate Parameter Store requests, the extension uses the same credentials as those used to run the Lambda function itself. Therefore, the AWS Identity and Access Management (IAM) role used to run the function must have the following permissions to interact with Parameter Store:
  - ssm:GetParameter – Required to retrieve parameters from Parameter Store
  - kms:Decrypt – Required if you are retrieving SecureString parameters from Parameter Store

For more information, see AWS Lambda execution role in the AWS Lambda Developer Guide.
- Instantiation
- 
                        Lambda instantiates separate instances corresponding to the concurrency level that your function requires. Each instance is isolated and maintains its own local cache of your configuration data. For more information about Lambda instances and concurrency, see Configuring reserved concurrency in the AWS Lambda Developer Guide. 
- No SDK dependence
- 
                        The AWS Parameters and Secrets Lambda Extension works independently of any AWS SDK language library. An AWS SDK is not required to make GET requests to Parameter Store. 
- Localhost port
- 
Use localhost in your GET requests. The extension makes requests to localhost port 2773. You do not need to specify an external or internal endpoint to use the extension. You can configure the port by setting the environment variable PARAMETERS_SECRETS_EXTENSION_HTTP_PORT. For example, in Python, your GET URL might look something like the following example.

```python
parameter_url = ('http://localhost:' + port + '/systemsmanager/parameters/get/?name=' + ssm_parameter_path)
```
- Changes to a parameter value before TTL expires
- 
                        The extension doesn't detect changes to the parameter value and doesn't perform an auto-refresh before the TTL expires. If you change a parameter value, operations that use the cached parameter value might fail until the cache is next refreshed. If you expect frequent changes to a parameter value, we recommend setting a shorter TTL value. 
- Header requirement
- 
To retrieve parameters from the extension cache, the header of your GET request must include an X-Aws-Parameters-Secrets-Token reference. Set the token to AWS_SESSION_TOKEN, which is provided by Lambda for all running functions. Using this header indicates that the caller is within the Lambda environment.
- Example
- 
The following example in Python demonstrates a basic request to retrieve the value of a cached parameter.

```python
import urllib.request
import os
import json

aws_session_token = os.environ.get('AWS_SESSION_TOKEN')

def lambda_handler(event, context):
    # Retrieve /my/parameter from Parameter Store using extension cache
    req = urllib.request.Request('http://localhost:2773/systemsmanager/parameters/get?name=%2Fmy%2Fparameter')
    req.add_header('X-Aws-Parameters-Secrets-Token', aws_session_token)
    config = urllib.request.urlopen(req).read()
    return json.loads(config)
```
- ARM support
- 
                        The extension supports the ARM architecture in most AWS Regions where the x86_64 and x86 architectures are supported. If you are using the ARM architecture, we suggest you verify your architecture is supported. For complete lists of extension ARNs, see AWS Parameters and Secrets Lambda Extension ARNs. 
- Logging
- 
Lambda logs execution information about the extension along with the function by using Amazon CloudWatch Logs. By default, the extension logs a minimal amount of information to CloudWatch. To log more details, set the environment variable PARAMETERS_SECRETS_EXTENSION_LOG_LEVEL to DEBUG.
Adding the extension to a Lambda function
To use the AWS Parameters and Secrets Lambda Extension, you add the extension to your Lambda function as a layer.
Use one of the following methods to add the extension to your function.
- AWS Management Console (Add layer option)
- 
  - Open the AWS Lambda console at https://console.aws.amazon.com/lambda/.
  - Choose your function. In the Layers area, choose Add a layer.
  - In the Choose a layer area, choose the AWS layers option.
  - For AWS layers, choose AWS-Parameters-and-Secrets-Lambda-Extension, choose a version, and then choose Add.
- AWS Management Console (Specify ARN option)
- 
  - Open the AWS Lambda console at https://console.aws.amazon.com/lambda/.
  - Choose your function. In the Layers area, choose Add a layer.
  - In the Choose a layer area, choose the Specify an ARN option.
  - For Specify an ARN, enter the extension ARN for your AWS Region and architecture, and then choose Add.
- AWS Command Line Interface
- 
Run the following command in the AWS CLI. Replace each example resource placeholder with your own information.

```
aws lambda update-function-configuration \
    --function-name function-name \
    --layers layer-ARN
```
Related information
Using layers with your Lambda function
Configuring extensions (.zip file archive)
AWS Parameters and Secrets Lambda Extension environment variables
You can configure the extension by changing the following environment variables. To see the current settings, set PARAMETERS_SECRETS_EXTENSION_LOG_LEVEL to DEBUG. For more information, see Using AWS Lambda environment variables in the AWS Lambda Developer Guide.
Note
AWS Lambda records operation details about the Lambda extension and Lambda function in Amazon CloudWatch Logs.
| Environment variable | Details | Required | Valid values | Default value |
|---|---|---|---|---|
|  | Timeout, in milliseconds, for requests to Parameter Store. A value of 0 (zero) indicates no timeout. | No | All whole numbers | 0 (zero) |
|  | Timeout, in milliseconds, for requests to Secrets Manager. A value of 0 (zero) indicates no timeout. | No | All whole numbers | 0 (zero) |
|  | Maximum valid lifetime, in seconds, of a parameter in the cache before it is invalidated. A value of 0 (zero) indicates that the cache should be bypassed. This variable is ignored if the value for | No | 0 (zero) to 300 s (Five minutes) | 300 s (Five minutes) |
|  | Maximum valid lifetime, in seconds, of a secret in the cache before it is invalidated. A value of 0 (zero) indicates that the cache is bypassed. This variable is ignored if the value for | No | 0 (zero) to 300 s (Five minutes) | 300 s (5 minutes) |
|  | Determines whether the cache for the extension is enabled. Valid values: | No | TRUE \| FALSE | TRUE |
|  | The maximum size of the cache in terms of number of items. A value of 0 (zero) indicates that the cache is bypassed. This variable is ignored if both cache TTL values are 0 (zero). | No | 0 (zero) to 1000 | 1000 |
|  | The port for the local HTTP server. | No | 1 - 65535 | 2773 |
|  | Maximum number of connections for the HTTP clients that the extension uses to make requests to Parameter Store or Secrets Manager. This is a per-client configuration for the number of connections that both the Secrets Manager client and Parameter Store client make to the backend services. | No | Minimum of 1; No maximum limit. | 3 |
|  | The level of detail reported in logs for the extension. We recommend using  Logs for Lambda operations are automatically pushed to an associated CloudWatch Logs log group. | No |  |  |
Sample commands for using the AWS Systems Manager Parameter Store and AWS Secrets Manager Extension
The examples in this section demonstrate API actions for use with the AWS Systems Manager Parameter Store and AWS Secrets Manager extension.
Sample commands for Parameter Store
The Lambda extension uses read-only access to the GetParameter API action.
To call this action, make an HTTP GET call similar to the following. This command format provides access to parameters in the standard parameter tier.
GET http://localhost:port/systemsmanager/parameters/get?name=parameter-name&version=version&label=label&withDecryption={true|false}
In this example, parameter-name represents the full parameter name, such as MyParameter, for a parameter not in a hierarchy, or %2FDev%2FProduction%2FEast%2FProject-ABC%2FMyParameter for a parameter named /Dev/Production/East/Project-ABC/MyParameter that is part of a hierarchy.
Note
When using GET calls, parameter values must be encoded for HTTP to preserve special characters. For example, instead of formatting a hierarchical path like /a/b/c, encode characters that could be interpreted as part of the URL, such as %2Fa%2Fb%2Fc.
version and label are the selectors available for use with the GetParameter action.
GET http://localhost:port/systemsmanager/parameters/get/?name=MyParameter&version=5
To call a parameter in a hierarchy, make an HTTP GET call similar to the following.
GET http://localhost:port/systemsmanager/parameters/get?name=%2Fa%2Fb%2F&label=release
To call a public (global) parameter, make an HTTP GET call similar to the following.
GET http://localhost:port/systemsmanager/parameters/get/?name=%2Faws%2Fservice%20list%2F…
To make an HTTP GET call to a Secrets Manager secret by using Parameter Store references, make an HTTP GET call similar to the following.
GET http://localhost:port/systemsmanager/parameters/get?name=%2Faws%2Freference%2Fsecretsmanager%2F…
To make a call using the Amazon Resource Name (ARN) for a parameter, make an HTTP GET call similar to the following.
GET http://localhost:port/systemsmanager/parameters/get?name=arn:aws:ssm:us-east-1:123456789012:parameter/MyParameter
To make a call that accesses a SecureString parameter with decryption, make an HTTP GET call similar to the following.
GET http://localhost:port/systemsmanager/parameters/get?name=MyParameter&withDecryption=true
You can specify that parameters aren't decrypted by omitting withDecryption or explicitly setting it to false. You can also specify either a version or a label, but not both. If you specify both, only the first of these that is placed after the question mark (?) in the URL is used.
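The request rules in this section (URL-encoded names, a single version or label selector, the token header) can be enforced in one place. The following Python helpers are an added example, not part of the AWS documentation; `build_parameter_url` and `get_parameter` are hypothetical names, and the response body is assumed to mirror the GetParameter response shape.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

DEFAULT_PORT = "2773"  # default from the environment variable table


def build_parameter_url(name, *, version=None, label=None,
                        with_decryption=False, port=None):
    """Build the extension's localhost GET URL (hypothetical helper)."""
    if not name:
        raise ValueError("parameter name is required")
    if version is not None and label is not None:
        # The extension would silently use only the first selector; fail loudly.
        raise ValueError("specify either version or label, not both")
    port = str(port or os.environ.get("PARAMETERS_SECRETS_EXTENSION_HTTP_PORT", DEFAULT_PORT))
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError("port must be in 1-65535")
    query = [("name", name)]
    if version is not None:
        query.append(("version", str(int(version))))
    if label is not None:
        query.append(("label", label))
    if with_decryption:
        query.append(("withDecryption", "true"))
    # quote with safe="" turns "/" into %2F and a space into %20.
    qs = urllib.parse.urlencode(query, quote_via=urllib.parse.quote, safe="")
    return f"http://localhost:{int(port)}/systemsmanager/parameters/get?{qs}"


def get_parameter(name, timeout=2.0, **selectors):
    """Return the parameter value via the extension cache (hypothetical helper)."""
    token = os.environ.get("AWS_SESSION_TOKEN")
    if not token:
        raise RuntimeError("AWS_SESSION_TOKEN is not set; not inside Lambda?")
    req = urllib.request.Request(build_parameter_url(name, **selectors))
    req.add_header("X-Aws-Parameters-Secrets-Token", token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as exc:
        # Surface the status only; never log the token or the response body.
        raise RuntimeError(f"extension returned HTTP {exc.code} for {name!r}") from None
    # Assumption: the body mirrors the GetParameter response shape.
    return body["Parameter"]["Value"]
```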
AWS Parameters and Secrets Lambda Extension ARNs
The following tables provide extension ARNs for supported architectures and Regions.
Extension ARNs for the x86_64 and x86 architectures
Last updated: October 22, 2025
| Region | ARN |
|---|---|
| US East (Ohio) |  |
| US East (N. Virginia) |  |
| US West (N. California) |  |
| US West (Oregon) |  |
| Africa (Cape Town) |  |
| Asia Pacific (Hong Kong) |  |
| Asia Pacific (Taipei) |  |
| Asia Pacific (Hyderabad) Region |  |
| Asia Pacific (Jakarta) |  |
| Asia Pacific (Melbourne) |  |
| Asia Pacific (Malaysia) |  |
| Asia Pacific (New Zealand) |  |
| Asia Pacific (Mumbai) |  |
| Asia Pacific (Osaka) |  |
| Asia Pacific (Seoul) |  |
| Asia Pacific (Singapore) |  |
| Asia Pacific (Sydney) |  |
| Asia Pacific (Thailand) |  |
| Asia Pacific (Tokyo) |  |
| Canada (Central) |  |
| Canada West (Calgary) |  |
| China (Beijing) |  |
| China (Ningxia) |  |
| Europe (Frankfurt) |  |
| Europe (Ireland) |  |
| Europe (London) |  |
| Europe (Milan) |  |
| Europe (Paris) |  |
| Europe (Spain) Region |  |
| Europe (Stockholm) |  |
| Israel (Tel Aviv) |  |
| Europe (Zurich) Region |  |
| Mexico (Central) Region |  |
| Middle East (Bahrain) |  |
| Middle East (UAE) |  |
| South America (São Paulo) |  |
| AWS GovCloud (US-East) |  |
| AWS GovCloud (US-West) |  |
Extension ARNs for ARM64 and Mac with Apple silicon architectures
Last updated: October 22, 2025
| Region | ARN |
|---|---|
| US East (Ohio) |  |
| US East (N. Virginia) |  |
| US West (N. California) Region |  |
| US West (Oregon) |  |
| Africa (Cape Town) Region |  |
| Asia Pacific (Hong Kong) Region |  |
| Asia Pacific (Taipei) |  |
| Asia Pacific (Hyderabad) Region |  |
| Asia Pacific (Jakarta) Region |  |
| Asia Pacific (Melbourne) |  |
| Asia Pacific (Malaysia) |  |
| Asia Pacific (New Zealand) |  |
| Asia Pacific (Mumbai) |  |
| Asia Pacific (Osaka) |  |
| Asia Pacific (Seoul) Region |  |
| Asia Pacific (Singapore) |  |
| Asia Pacific (Sydney) |  |
| Asia Pacific (Thailand) |  |
| Asia Pacific (Tokyo) |  |
| Canada (Central) Region |  |
| Canada West (Calgary) |  |
| China (Beijing) |  |
| China (Ningxia) |  |
| Europe (Frankfurt) |  |
| Europe (Ireland) |  |
| Europe (London) |  |
| Europe (Milan) Region |  |
| Europe (Paris) Region |  |
| Europe (Spain) Region |  |
| Europe (Stockholm) Region |  |
| Israel (Tel Aviv) |  |
| Europe (Zurich) Region |  |
| Mexico (Central) Region |  |
| Middle East (Bahrain) Region |  |
| Middle East (UAE) |  |
| South America (São Paulo) Region |  |
| AWS GovCloud (US-East) |  |
| AWS GovCloud (US-West) |  |