I'm developing a Lambda function that needs to connect to an RDS database, and I'm torn between using IAM authentication and Secrets Manager for managing the database credentials. On one hand, IAM authentication allows me to use roles to access RDS without the need for storing sensitive information, which seems safer. However, I've heard that IAM connections are limited to 200 per second, and I'm already using IAM for other services like ECS Fargate, where I handle this throttling by caching tokens in memory. On the other hand, Secrets Manager lets me store database credentials securely and retrieve them at runtime. What do you all think? Which method is better for my use case?
5 Answers
If you’re using Aurora, have you thought about the Aurora Data API instead? It allows you to interact without having to manage database connections directly. But if you're not on Aurora, definitely lean towards IAM.
I’d definitely go for IAM roles. Just ensure that only your Lambda function has access and not anything else. It really simplifies managing credentials since you won’t have to worry about secrets being compromised.
Using IAM with RDS Proxy is a solid choice! It enhances performance and reduces throttling risks, and you won't have to deal with static credentials from Secrets Manager. If you skip RDS Proxy, at least ensure your connection is made a global variable for reuse.
How do you figure these two options can’t coexist? You could theoretically use both for added flexibility!
IAM Authentication is often preferred because it is more secure and cost-effective. You simply need to handle it correctly. The token generation doesn’t incur throttling since it doesn’t require a network call, but the actual database login does, so caching won’t help there. Overall, if you hit throttling issues, consider optimizing how many database sessions you have open or look into RDS Proxy!
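The answers above point at connection reuse, not token caching, as what reduces database logins. The following sketch is an added example, not code from any of the posters: `ReusableDbSession`, `boto3_token_factory`, `FakeConn` and `simulate_invocations` are hypothetical names, and the fake connection is a constructed stand-in so the block runs offline. In a real Lambda the session object would be created once at module scope and `connect` would be your database driver's connect call with the token as the password.

```python
class ReusableDbSession:
    """One database connection per Lambda execution environment."""

    def __init__(self, make_token, connect, is_alive):
        self._make_token = make_token  # callable -> IAM auth token (signed locally)
        self._connect = connect        # callable(token) -> connection (the DB login)
        self._is_alive = is_alive      # callable(conn) -> bool
        self._conn = None
        self.logins = 0                # number of real DB logins performed

    def get(self):
        if self._conn is not None and self._is_alive(self._conn):
            return self._conn          # warm invocation: no new token, no new login
        # The token is only presented at login, so mint a fresh one per login
        # instead of caching it.
        token = self._make_token()
        self._conn = self._connect(token)
        self.logins += 1
        return self._conn


def boto3_token_factory(host, port, user, region):
    """Token source backed by boto3's RDS client (not exercised offline)."""
    import boto3  # lazy import so the sketch runs without the SDK installed
    rds = boto3.client("rds", region_name=region)
    return lambda: rds.generate_db_auth_token(
        DBHostname=host, Port=port, DBUsername=user, Region=region)


class FakeConn:
    """Constructed stand-in for a driver connection."""
    def __init__(self, token):
        self.token, self.open = token, True


def simulate_invocations(count, drop_after=None):
    """Run `count` handler calls against the fake; return (logins, tokens minted)."""
    minted = []

    def make_token():
        minted.append(f"constructed-token-{len(minted) + 1}")
        return minted[-1]

    session = ReusableDbSession(make_token, FakeConn, lambda c: c.open)
    for i in range(count):
        conn = session.get()
        if drop_after is not None and i + 1 == drop_after:
            conn.open = False  # simulate the server closing the connection
    return session.logins, len(minted)
```
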