Creating a DynamoDB Table with Lambda and Secrets Manager
DynamoDB is a fully managed NoSQL key-value and document database service. Unlike relational databases, NoSQL databases are schema-less: apart from the attributes that make up the primary key, DynamoDB does not enforce a fixed set of attributes on the items stored in a table.
AWS Lambda is a serverless compute service provided by Amazon Web Services (AWS). It lets you run code without provisioning or managing servers: you upload your code and AWS takes care of everything required to run and scale it with high availability. Lambda functions can be triggered by other AWS services, such as API Gateway, S3, DynamoDB and SNS, as well as by custom events. When triggered, Lambda executes the code and scales it automatically with the incoming request volume. Lambda supports Python, Node.js, Java, C#, Go and Ruby, among others, and is commonly used for data processing, real-time file processing, handling API requests and running backend services.
AWS Secrets Manager is a centralized service for managing access to secrets in the AWS cloud. It lets you store, rotate and retrieve database credentials, API keys and other secrets throughout their lifecycle, and your code fetches them at runtime through the Secrets Manager API instead of carrying them in source.
Let's start by navigating to the IAM console. We will create both a policy and a role that allow us to perform all the actions we are going to need later in the lab.
Create a policy:
Create a policy using the JSON tab with the following (we will edit this policy again after creating the role, to fill in the role ARN). Note that iam:PassRole is granted only in the second, scoped statement: granting it on Resource "*" in the first statement would let the role be passed to any service and would make the scoped statement redundant. The role ARN in the second statement is a placeholder for now.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction",
        "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration",
        "lambda:InvokeFunction",
        "dynamodb:CreateTable",
        "dynamodb:PutItem",
        "dynamodb:Scan",
        "dynamodb:DescribeTable",
        "secretsmanager:CreateSecret",
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::111111111111:role/"
    }
  ]
}
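As an added example that is not part of the original lab, the following checker looks at the policy above the way a reviewer would: it flags iam:PassRole granted on Resource "*", flags a role ARN that is still the bare prefix shown in the JSON, and returns a copy with iam:PassRole removed from any wildcard statement so that the scoped statement is the only grant. LAB_POLICY is a transcription of the policy with iam:PassRole left in both statements (the common mistake the text warns about) and the unfinished role ARN; the account id is the page's placeholder.

```python
"""Added example (not the lab's code): a reviewer's checker for the lab IAM policy."""
import copy
import json

# The lab policy, transcribed with iam:PassRole in both statements and the
# placeholder role ARN still unfilled (account id is the page's placeholder).
LAB_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction", "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration", "lambda:InvokeFunction",
        "dynamodb:CreateTable", "dynamodb:PutItem", "dynamodb:Scan",
        "dynamodb:DescribeTable", "secretsmanager:CreateSecret",
        "secretsmanager:GetSecretValue", "iam:PassRole"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::111111111111:role/"
    }
  ]
}
""")


def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def find_passrole_issues(policy):
    """Return findings for iam:PassRole grants broader than one named role."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "iam:PassRole" not in _as_list(stmt.get("Action", [])):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                findings.append(f"statement {i}: iam:PassRole allowed on every role ('*')")
            elif res.endswith(":role/"):
                findings.append(f"statement {i}: role ARN is a bare prefix, fill in the role name")
    return findings


def tighten_passrole(policy):
    """Drop iam:PassRole from any statement whose Resource is "*", so the scoped
    statement becomes the only place the role can be passed from."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        if "iam:PassRole" in actions and "*" in _as_list(stmt.get("Resource", [])):
            stmt["Action"] = [a for a in actions if a != "iam:PassRole"]
    return fixed


def wildcard_resource_actions(policy):
    """Actions still granted on Resource "*": the next candidates for scoping to
    the function, table and secret ARNs once those resources exist."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", [])):
            actions.update(_as_list(stmt.get("Action", [])))
    return sorted(actions)


if __name__ == "__main__":
    for line in find_passrole_issues(LAB_POLICY):
        print(line)
    print(json.dumps(tighten_passrole(LAB_POLICY), indent=2))
```

Running the module prints the two findings and the tightened policy; the remaining wildcard actions are worth scoping to the real ARNs once the function, table and secret have been created, since a policy attached to a Lambda execution role only needs the permissions the function itself uses at runtime.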
Create a role:
For the trusted entity type select AWS service, and for the use case choose Lambda.
On the next screen, search for the policy that was just created, select it and click Next.
Provide a name for the role. I will be calling mine boon-role.
After creating the role, click on the role name and copy its ARN. Head back into the policy and paste that ARN over the placeholder in the second statement's Resource, then save the changes. The iam:PassRole grant is now limited to this one role.
Storing secrets in Secrets manager:
Navigate over to the Secrets Manager console and click on Store a new secret.
For Secret type, select Other type of secret. Add two key/value rows: one with the key Access key and one with the key Secret Access key.
For the values, use the access key ID and secret access key of the IAM user you are logged in as; you can find or create them in IAM under the user's Security credentials tab, in the Access keys section. Keep in mind that these are long-lived user credentials: treat the key as sensitive from the moment it is created, and deactivate or delete it once you are done with the lab.
Leave everything else at its default in Secrets Manager and click Next. Provide a name, then click Next until you can click Store. After the secret is created, open View details and copy the Secret ARN. Save the ARN somewhere, as we will need it shortly.
Lambda Function:
The Python code for the Lambda function can be downloaded from here.
Now go to the Lambda console and click on Create function.
On the next screen choose Author from scratch, provide a name for the function, and choose Python 3.8 for the runtime (Python 3.8 has since reached end of support in Lambda; if it is no longer listed, pick the newest Python 3.x runtime offered).
In the Permissions section, expand Change default execution role, select Use an existing role, choose the role we created earlier from the drop-down, and create the function.
On the function screen click on the Configuration tab, then on Edit.
Scroll to the Timeout section and change it to 2 minutes (table creation is asynchronous and the code waits for the table to become active). Leave everything else at its default and Save.
Now open lambda_db_code1 from the downloaded Python code in any IDE and set secret_name to your Secret ARN by pasting it between the quotes.
Copy and paste the whole code into the Lambda function.
Next, click on Deploy then on the small down arrow next to Test. Click on Configure test event. Provide a name of the event then add the below code in Event JSON and save:
{ "key1": "HASH" }
We can go ahead and click on Test now.
If you ended up with a message similar to the screenshot below then the DynamoDB table was created successfully.
If we quickly head over to DynamoDB, we should see the table that was created.
Open lambda_dbcode1 in an IDE and paste in the Secret ARN just as before, then copy and paste it into the function; it is fine to overwrite the code that was there already. Click Deploy, then Test.
If successful, the result should show the contents of the DynamoDB table.
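To show what a handler for the steps above looks like end to end, here is an added example; it is not the lab's lambda_db_code1 or lambda_dbcode1. It fetches the stored keys from Secrets Manager, validates them before use, creates the table if it does not exist, writes one item and returns a summary of a Scan. Assumptions that are not taken from the page: the secret's two rows are named AccessKeyId and SecretAccessKey, the secret ARN arrives through a SECRET_ARN environment variable instead of a hard-coded secret_name, the table name boon-table and hash key id are defaults that the event may override with table_name and hash_key fields, and the extra secrets/dynamodb parameters on the handler exist only so fakes can be passed in tests.

```python
"""Added example (not the lab's code): Secrets Manager + DynamoDB Lambda handler."""
import json
import os
import re

try:
    import boto3  # present in the Lambda runtime; not needed for the offline checks below
except ImportError:
    boto3 = None

SECRET_ARN = os.environ.get("SECRET_ARN", "")   # assumed: ARN set in the function's environment
DEFAULT_TABLE = "boon-table"                      # assumed table name
DEFAULT_HASH_KEY = "id"                           # assumed partition key attribute

_AKID = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")  # shape of long-term / temporary key ids
_TABLE = re.compile(r"^[A-Za-z0-9_.-]{3,255}$")   # DynamoDB table-name rules


def parse_secret(secret_string):
    """Validate the JSON secret before using it, so a typo in the console rows
    fails here instead of as an opaque signature error from DynamoDB."""
    data = json.loads(secret_string)
    missing = [k for k in ("AccessKeyId", "SecretAccessKey") if not data.get(k)]
    if missing:
        raise ValueError("secret is missing fields: " + ", ".join(missing))
    if not _AKID.match(data["AccessKeyId"]):
        raise ValueError("AccessKeyId does not look like an IAM access key id")
    return {"aws_access_key_id": data["AccessKeyId"],
            "aws_secret_access_key": data["SecretAccessKey"]}


def table_definition(table_name, hash_key):
    """CreateTable arguments: a single string partition key and on-demand billing,
    so the lab table provisions no capacity."""
    if not _TABLE.match(table_name):
        raise ValueError("invalid DynamoDB table name: " + table_name)
    return {
        "TableName": table_name,
        "KeySchema": [{"AttributeName": hash_key, "KeyType": "HASH"}],
        "AttributeDefinitions": [{"AttributeName": hash_key, "AttributeType": "S"}],
        "BillingMode": "PAY_PER_REQUEST",
    }


def summarize_scan(scan_response, hash_key):
    """Reduce a Scan response to an item count and the partition-key values."""
    items = scan_response.get("Items", [])
    return {"count": len(items),
            "keys": sorted(str(item[hash_key]) for item in items if hash_key in item)}


def lambda_handler(event, context, secrets=None, dynamodb=None):
    """Entry point; the test event { "key1": "HASH" } simply uses the defaults."""
    table_name = event.get("table_name", DEFAULT_TABLE)
    hash_key = event.get("hash_key", DEFAULT_HASH_KEY)

    secrets = secrets or boto3.client("secretsmanager")
    creds = parse_secret(secrets.get_secret_value(SecretId=SECRET_ARN)["SecretString"])

    # As in the lab, DynamoDB calls are signed with the user keys from the secret.
    # Using the execution role alone, this line would be boto3.resource("dynamodb").
    dynamodb = dynamodb or boto3.Session(**creds).resource("dynamodb")
    client = dynamodb.meta.client

    try:
        client.describe_table(TableName=table_name)
        table = dynamodb.Table(table_name)
    except client.exceptions.ResourceNotFoundException:
        table = dynamodb.create_table(**table_definition(table_name, hash_key))
        table.wait_until_exists()  # CreateTable is asynchronous; PutItem fails before ACTIVE
        table.put_item(Item={hash_key: "sample-1", "note": "created by lambda"})

    # The credentials never appear in the return value or in logs.
    return {"statusCode": 200, "body": json.dumps(summarize_scan(table.scan(), hash_key))}
```

Because the execution role attached to the function already supplies credentials to boto3, the Session built from the stored keys is only there to mirror the lab; in a production function the secret would hold something the role cannot provide, such as a database password or third-party API key, and DynamoDB would be reached with the role alone.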
In this lab we went through the process of using Secrets Manager to store our AWS access key and secret access key instead of hard-coding them into the function, and then used them to create a table in DynamoDB. One caveat worth carrying away: a Lambda function already receives credentials from its execution role, so copying a user's long-lived keys into the function is unnecessary and widens the blast radius if the function is compromised. The same Secrets Manager pattern is the right tool for secrets the role cannot supply, such as database passwords or third-party API keys, and those should be rotated on a schedule. Thank you for reading!