This lab walks you through the steps to create an Aurora DB cluster, store the DB credentials in Secrets Manager, work with the Query Editor, and execute code from Lambda to get the database details.
Each of the AWS Services used in the lab plays an important role for you to proceed with the lab.
Duration : 1 hour
AWS Region : US East (N. Virginia) us-east-1
AWS Secrets Manager is a secrets management service that helps you protect access to your applications, services, and IT resources.
This service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
Using this service, you can secure and manage secrets used to access resources in the AWS Cloud, on third-party services, and on-premises.
This service is for IT administrators looking for a secure and scalable method to store and manage secrets. Administrators responsible for meeting regulatory and compliance requirements can use Secrets Manager to monitor secrets and rotate secrets without a risk of impacting applications.
Developers who want to replace hard coded secrets in their applications can retrieve secrets programmatically from Secrets Manager.
You use IAM policies to control which users and applications can access the secrets.
Secrets Manager integrates with AWS CloudTrail, Amazon CloudWatch, and Amazon Simple Notification Service (Amazon SNS).
Using the service you can manage secrets such as database credentials, on-premises resource credentials, SaaS application credentials, third-party API keys, and SSH keys.
AWS Secrets Manager encrypts at rest using encryption keys that you own and store in AWS Key Management Service (KMS).
When a secret is retrieved, Secrets Manager decrypts the secret and transmits it securely over TLS to your local environment.
By default, Secrets Manager does not write or cache the secret to persistent storage.
Billing for this service is pay-as-you-go: you pay only for what you use, and there is no minimum fee. You are charged for the number of secrets you store and for API requests made to the service each month.
This service is available for a 30-day free trial. This trial starts when you store your first secret.
Aurora DB Cluster consists of one or more DB instances and a cluster volume that manages the data for those DB instances.
It is a virtual database storage volume that spans multiple AZs, with each AZ having a copy of the DB cluster data.
An Aurora DB cluster has two types of DB instances.
Primary DB instance
Supports read and write operations, and performs all of the data modification to the cluster volume.
Each Aurora DB cluster has one primary DB instance.
Aurora Replica
Connects to the same storage volume as the primary DB instance and supports only read operations.
Each Aurora DB cluster can have up to 15 Aurora Replicas in addition to the primary DB instance.
Aurora automatically fails over to an Aurora Replica in case the primary DB instance becomes unavailable.
You can specify the failover priority for Aurora Replicas.
Aurora Replicas can also offload read workloads from the primary DB instance.
Cluster endpoint
Connects to the current primary DB instance for a DB cluster.
This endpoint is the only one that can perform write operations.
Each Aurora DB cluster has one cluster endpoint and one primary DB instance.
Reader endpoint
Connects to one of the available Aurora Replicas for that DB cluster.
Each Aurora DB cluster has one reader endpoint.
The reader endpoint provides load-balancing support for read-only connections to the DB cluster.
Use the reader endpoint for read operations, such as queries.
You can't use the reader endpoint for write operations.
Custom endpoint
Represents a set of DB instances that you choose.
When you connect to the endpoint, Aurora performs load balancing and chooses one of the instances in the group to handle the connection.
You define which instances this endpoint refers to, and you decide what purpose the endpoint serves.
Instance endpoint
Connects to a specific DB instance within an Aurora cluster.
The instance endpoint provides direct control over connections to the DB cluster.
The main way that you use instance endpoints is to diagnose capacity or performance issues that affect one specific instance in an Aurora cluster.
When you connect to an Aurora cluster, the host name and port that you specify point to an intermediate handler called an endpoint.
An IAM role is an AWS IAM identity (that we can create in our AWS account) that has specific permissions.
It is similar to an IAM user, which determines what the identity can and cannot do in AWS.
Instead of being tied to one particular user or group, a role is intended to be assumable by anyone who needs it.
The advantage of a role is that it has no standard long-term credentials such as a password or access keys associated with it.
When a resource assumes a role, it receives temporary security credentials for that role session.
We can use roles to grant access to users, applications, or services that don't otherwise have access to our AWS resources.
We can attach one or more policies to a role, depending on our requirements.
For example, we can create a role with S3 full access and attach it to an EC2 instance to access S3 buckets.
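As an added example that is not part of the lab, this is the kind of resource-scoped policy the Lambda role in this lab needs: it lets the RDS Data API run statements against one cluster and read one secret, and nothing else. The account ID, cluster name and secret name are placeholders you replace with your own values; the region is the lab's us-east-1.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DataApiOnLabCluster",
      "Effect": "Allow",
      "Action": ["rds-data:ExecuteStatement"],
      "Resource": "arn:aws:rds:us-east-1:ACCOUNT_ID:cluster:CLUSTER_NAME"
    },
    {
      "Sid": "ReadOnlyTheDbSecret",
      "Effect": "Allow",
      "Action": ["secretsmanager:GetSecretValue"],
      "Resource": "arn:aws:secretsmanager:us-east-1:ACCOUNT_ID:secret:SECRET_NAME-*"
    }
  ]
}
```

The trailing `-*` on the secret ARN covers the random suffix Secrets Manager appends to secret ARNs; the role also needs the usual CloudWatch Logs permissions (the AWSLambdaBasicExecutionRole managed policy) so the function can write its logs.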
AWS Lambda is a Serverless Compute Service.
It runs our code without us having to provision or manage any servers, for any type of application.
The developer doesn't have to worry about which AWS resources to launch or the steps needed to manage them.
The configuration of the tasks is done as code; it is implemented in Lambda and performed on execution.
Provisioning and managing the underlying compute are both taken care of by the Lambda service.
The languages AWS Lambda supports are Node.js, Python, C#, Java and Go.
It allows us to run code in response to events from other AWS services.
Log into AWS Management Console.
Create a security group.
Create an Aurora Serverless DB cluster.
Create table(s) in the database.
Working with AWS Secrets Manager.
Create an IAM Role for executing Lambda.
Create a Lambda function.
Connect to the database using RDS Data API and test the function.
Validation of the lab.
In this lab, you will create an Aurora cluster, a database, and two tables.
Store the RDS credentials in AWS Secrets Manager.
Create an IAM role that grants access to RDS and Secrets Manager, and associate it with AWS Lambda.
Create a Lambda function with Node.js code that accepts the ARNs of the RDS cluster and the Secrets Manager secret, connects to RDS using the RDS Data API, and displays the list of tables in the database created above.
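The Lambda function described above, as an added example that is not the lab's own code: it queries the database through the RDS Data API using the cluster ARN and the secret ARN, so the function never holds the DB password itself. It assumes Aurora MySQL, the environment variables CLUSTER_ARN, SECRET_ARN and DB_NAME, and the `@aws-sdk/client-rds-data` package; the helper names are mine.

```javascript
// Added example, not the lab's own code: a Node.js Lambda handler that lists the
// tables in an Aurora database through the RDS Data API. The function holds no
// DB password, only the ARN of the Secrets Manager secret. Assumes Aurora MySQL
// and the environment variables CLUSTER_ARN, SECRET_ARN and DB_NAME.

// Build the ExecuteStatement input. The database name is passed as a named
// parameter, so it is never concatenated into the SQL text.
function buildListTablesInput(clusterArn, secretArn, database) {
  return {
    resourceArn: clusterArn, // ARN of the Aurora DB cluster
    secretArn: secretArn,    // ARN of the secret holding the DB credentials
    database: database,
    sql: "SELECT table_name FROM information_schema.tables " +
         "WHERE table_schema = :db ORDER BY table_name",
    parameters: [{ name: "db", value: { stringValue: database } }],
  };
}

// Data API rows are arrays of typed Field objects ({ stringValue }, { longValue },
// { isNull: true }, ...). Take the first column of each row as a string, skipping NULLs.
function parseTableNames(response) {
  const rows = (response && response.records) || [];
  return rows
    .map((row) => row[0])
    .filter((field) => field && !field.isNull)
    .map((field) => field.stringValue);
}

// `send` is any function that takes an ExecuteStatement input and resolves to the
// response, so the logic above can be exercised offline with a constructed client.
async function listTables(send, clusterArn, secretArn, database) {
  const response = await send(buildListTablesInput(clusterArn, secretArn, database));
  return parseTableNames(response);
}

// Lambda entry point. The SDK is loaded lazily so the helpers stay testable without
// AWS credentials. The execution role needs rds-data:ExecuteStatement on the cluster
// and secretsmanager:GetSecretValue on the secret, nothing broader.
async function handler() {
  const { RDSDataClient, ExecuteStatementCommand } = require("@aws-sdk/client-rds-data");
  const client = new RDSDataClient({});
  const send = (input) => client.send(new ExecuteStatementCommand(input));
  const tables = await listTables(send, process.env.CLUSTER_ARN,
                                  process.env.SECRET_ARN, process.env.DB_NAME);
  return { statusCode: 200, body: JSON.stringify({ tables }) };
}

if (typeof module !== "undefined") module.exports = { handler, listTables, parseTableNames };
```

Deploy it with `handler` as the function's entry point; the Query Editor in the console runs against the same cluster, so the table list it shows should match what the function returns.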