Best Practices for Loading Secrets in AWS Lambda Using Parameter Store and Secrets Manager

Asked By TechieTurtle42 On

I'm having trouble with loading secrets in AWS Lambda using the Parameter Store and Secrets Manager extension. My Lambda function logs 'ready to serve traffic' only after the bootstrap completes, which confuses me. Here's my custom Dockerfile for the Lambda function, where I integrate the AWS Parameters and Secrets Lambda Extension. The problem occurs when I fetch secrets at bootstrap, making the extension unavailable to handle traffic. I attempted to implement exponential backoff with retries, but it didn't solve the issue. I've ended up lazy loading my secret settings, but I'm wondering if there's a more efficient approach to handle this. I could use some help from anyone who has experience with similar setups!

3 Answers

Answered By BuildMaster42 On

From what I see, if you're facing issues with environment variables at build time, you should set them when you initiate your Docker build in a CI/CD environment, for instance, using GitHub Actions. This way, the build has the necessary access to retrieve SSM parameters correctly.

Answered By ContainerPro99 On

You might want to look into reducing the number of RUN commands in your Dockerfile. Too many RUNs can create unnecessary layers and increase the image size, which isn’t great for performance.

DevDude88 -

I’m more worried about the hardcoded values being exposed that are typically handled through environment variables during runtime.

Answered By AvidCoder99 On

Have you checked if your Lambda has the right permissions to access SSM? You need to ensure it can read from it, either by assigning it a role that has those permissions or adding a direct policy.

TechieTurtle42 -

I have given the necessary permissions, but it seems the extension is still not ready during bootstrap!
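
The lazy-loading approach the question describes, as an added example that is not code from this thread: the secret is fetched from the extension's local HTTP endpoint on first use inside the handler, cached in memory, and retried with a short backoff if the extension is not yet answering. It assumes the extension's default port 2773 and its Secrets Manager endpoint; the secret name, the DB_SECRET_ID variable and the TTL are hypothetical.

```python
import json
import os
import time
import urllib.parse
import urllib.request

# Local port of the AWS Parameters and Secrets Lambda Extension (default 2773).
PORT = os.environ.get("PARAMETERS_SECRETS_EXTENSION_HTTP_PORT", "2773")
_cache = {}  # secret_id -> (expiry, value); survives across warm invocations


def get_secret(secret_id, ttl=300, base_url=None, retries=3, clock=time.monotonic):
    """Fetch a secret through the extension on first use, then serve it from memory."""
    hit = _cache.get(secret_id)
    if hit and hit[0] > clock():
        return hit[1]
    base_url = base_url or f"http://localhost:{PORT}"
    query = urllib.parse.quote(secret_id, safe="")
    url = f"{base_url}/secretsmanager/get?secretId={query}"
    # The extension authenticates local callers with the function's session token.
    token = os.environ.get("AWS_SESSION_TOKEN", "")
    req = urllib.request.Request(url, headers={"X-Aws-Parameters-Secrets-Token": token})
    for attempt in range(retries):
        try:
            with urllib.request.urlopen(req, timeout=2) as resp:
                value = json.loads(resp.read())["SecretString"]
            break
        except OSError:  # connection refused or an HTTP error status
            if attempt == retries - 1:
                raise
            time.sleep(0.1 * 2 ** attempt)
    _cache[secret_id] = (clock() + ttl, value)
    return value


def handler(event, context):
    # Resolved at invoke time, never at module import (the bootstrap phase).
    secret_id = os.environ.get("DB_SECRET_ID", "example/db-password")  # hypothetical
    db_password = get_secret(secret_id)
    return {"ok": bool(db_password)}  # never log or return the secret itself
```

Because nothing is fetched at import time, no secret has to be baked into the image or passed as a build argument.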
