Vault AWS Lambda extension
AWS Lambda lets you run code without provisioning and managing servers. Lambda functions perform processing when you need it, and now can use Vault secrets through the Vault Lambda Extension.
A database within your AWS infrastructure maintains sensitive information. A periodic function audits and updates the stored data. This function must authenticate with Vault and receive database credentials.
Lambda Extensions are Lambda layers used to augment Lambda functions, and you can use them to give the Lambda function access to the Vault cluster. During execution, the Lambda layer packages the extension code with the main Lambda function code.
In this lab you will create an AWS Lambda function that uses the Vault Lambda Extension to authenticate with Vault, receive the database credentials, and perform the necessary queries.
This tutorial requires an AWS account, Terraform, go, AWS CLI, Docker, and the provided Terraform configuration to create a demonstration environment.
- Create an AWS account with AWS credentials and a EC2 key pair
- Install Terraform
- Install go
- Install AWS CLI
- Install Docker
Scenario introduction
You will learn about the Vault Lambda Extension by creating a local scenario environment. The provided Terraform configuration deploys supporting AWS-based infrastructure and Vault configuration for use with the AWS auth method.
You will then build an example Lambda function that uses the Vault Lambda Extension to read secrets from Vault, and use Terraform to deploy it.
Create environment
You can retrieve the lambda function and Terraform configuration by cloning the hashicorp-education/learn-vault-lambda-extension repository from GitHub.
$ git clone
This repository has the supporting content for Vault tutorials. The content specific to this tutorial is in a sub-directory.
Change into the learn-vault-lambda-extension
$ cd learn-vault-lambda-extension
Working directory
This tutorial assumes that you execute all following commands from within this directory.
The demonstration environment sets up a Vault server, a PostgreSQL database, and configures the database secrets engine to generate dynamic credentials. The Terraform configuration in this directory creates the required infrastructure for the tutorial.
Create an environment variable named AWS_ACCESS_KEY_ID
with your AWS access
key ID.
Create an environment variable named AWS_SECRET_ACCESS_KEY
with your AWS
secret access key.
The AWS CLI, and Terraform use these environment variables to authenticate and create resources.
The above example uses IAM user authentication. You can use any authentication method described in the AWS provider documentation.
Copy terraform.tfvars.example
and rename to terraform.tfvars
$ cp terraform.tfvars.example terraform.tfvars
Edit terraform.tfvars
to override the default settings that describe your
# AWS region and AZs in which to deploy
# default: 'us-east-1'
aws_region = "us-east-1"
# All resources will be tagged with this
# default: 'vault-lambda-extension-demo'
environment_name = "vault-lambda-extension-demo"
# URL for Vault binary
# default: Vault v1.10.0
vault_zip_file = ""
# Instance size
# default: 't2.micro'
instance_type = "t2.micro"
# DB instance size
# default: 'db.t2.micro'
db_instance_type = "db.t2.micro"
Initialize Terraform.
$ terraform init
The initialization retrieves the modules required to apply the resources defined within the configuration.
Apply Terraform to review the planned actions.
$ terraform apply
The terminal output displays the plan that it found and the resources it creates.
Enter yes
to confirm and resume.
Keep in mind that answering yes at this time will create actual resources with associated costs.
When the terraform apply
command completes, the Terraform output displays the
IP addresses of the Vault server and other services created.
PostgreSQL database address
Elastic Container Registry (ECR) repository address
Vault Server IP (public)
Vault UI URL
You can SSH into the Vault EC2 instance using private.key:
ssh -i private.key ubuntu@
The output displays the database address, the container repository address, and connection information for the Vault server. The Terraform configuration also generated a private key and enabled SSH login on the Vault server. The output shows an example SSH command to connect to the Vault server.
In a new terminal session, change into the scenario directory.
$ cd learn-vault-lambda-extension
Then SSH into the Vault Server.
$ ssh -i private.key ubuntu@
A single Vault server is running with the filesystem storage backend. The Terraform configuration automatically initialized and unsealed the server.
Verify that Vault is ready, initialized, and unsealed.
$ vault status
Key Value
--- -----
Recovery Seal Type shamir
Initialized true
Sealed false
Total Recovery Shares 5
Threshold 3
Version 1.10.0
Storage Type file
Cluster Name vault-cluster-07d67d93
Cluster ID 04353a37-6208-775d-4655-b5e3bfb53d5f
HA Enabled false
If the value of Initialized is true and the value of Sealed is false, then the Vault server is ready for use.
The Vault server configuration uses the template found in ./templates/userdata-vault-server.tpl
The database secrets engine is already enabled and configured to communicate
with the database through credentials generated for the role lambda-function
Read credentials from the lambda-function
database role.
$ vault read database/creds/lambda-function
Key Value
--- -----
lease_id database/creds/lambda-function/V2KfrawfpkJqGYr2N5cFaSH0
lease_duration 1h
lease_renewable true
password A1a-9ihozcMd4RGqmgfA
username v-root-lambda-f-ilX2242kMoLeWnY7ZqKS-1605567098
The output displays the PostgreSQL username
and password
Read the Dynamic Secrets: Database Secrets Engine tutorial to learn about configuring the database secrets engine.
Set the value of environment variables DB_USER
to another set of credentials read from the role.
$ read -d "\n" DB_USER DB_PASSWORD <<<$(vault read database/creds/lambda-function -format=json | jq -r ".data.username,.data.password")
The command returns and parses the results for the username
and password
fields. These two values are then
read into the values of variables DB_USER
The PostgreSQL client tool requires this username, password, and host address
to connect with its command-line tool. You stored the database servers address
in an environment variable named DB_HOST
Display the database address.
$ echo $DB_HOST
Connect to the PostgreSQL database via the CLI with the credentials and host.
$ PGPASSWORD=$DB_PASSWORD psql -h $DB_HOST -d postgres -U $DB_USER
This command authenticates and connects you to the PostgerSQL database server,
represented by system prompt root=#
. You are now issuing commands in the
PostgreSQL database running within the container.
List all the database users.
$ SELECT usename, valuntil FROM pg_user;
usename | valuntil
vaultadmin | infinity
rdsadmin | infinity
v-root-lambda-f-0BtQGCRTzGm2QgWHgv09-1647293547 | 2022-03-14 22:32:32+00
v-root-lambda-f-DBN5PYDVkZ7u7yYymt47-1647293577 | 2022-03-14 22:33:02+00
(4 rows)
The output displays a table of all the database credentials generated. The credentials generated appear in this list.
Disconnect from the PostgreSQL database.
$ \q
Vault issued database credentials, connected to the database and queried the users within the database.
Enable AWS authentication
The AWS Lambda function created in this step performs the same operation of requesting credentials and performing a query. The function needs its own set of Vault credentials that it requests through the AWS authentication engine.
Enable the AWS authentication engine.
$ vault auth enable aws
Configure the AWS client to use the default options.
$ vault write -force auth/aws/config/client
The lambda function needs credentials to query the database credentials at the configured path.
Create a policy named lambda-function
$ vault policy write lambda-function - <<EOF
path "database/creds/lambda-function" {
capabilities = ["read"]
The policy grants the read
capability to the database/creds/lambda-function
Vault attaches a policy to a token during the authentication through a role.
Read the Vault Policies tutorial to learn about defining Vault policies.
Create a role prefixed with the AWS environment name.
$ vault write auth/aws/role/$AWS_IAM_ROLE_LAMBDA_NAME \
auth_type=iam \
bound_iam_principal_arn="arn:aws:iam::$AWS_ACCOUNT_ID:role/$AWS_IAM_ROLE_LAMBDA_NAME" \
policies=lambda-function \
The Vault role connects the AWS IAM role, created by the Terraform configuration in ./
and the Vault policy, lambda-function
. The token returned after authentication is valid for 5 minutes.
Enable audit device log
You can observe the requests and responses associated with deploying the Lambda in a Vault audit device log. If you choose to try the caching example later in the scenario, the audit log is helpful for observing the lack of requests as well.
Enable a filesystem audit device.
$ vault audit enable file file_path=/tmp/vault_audit.log
You configured the Vault Server and it is ready for the AWS Lambda function to authenticate.
Tail the audit device log.
$ sudo tail -f /tmp/vault_audit.log
Successful output:
There is a single request and response pair present in the log.
Build and package lambda function
Return to your original terminal session for the next steps.
A AWS Lambda function executes packaged code in a specific environment. The package is an archive or a container image.
The Lambda function for this tutorial is written in Go. It reads in the location of the Vault server and credentials provided to it. It requests dynamic credentials to gain access to the PostgreSQL database and performs a query to display the current list of database users.
Clean, build, and archive the lambda function.
$ ./
The build script creates the demo function archive at the path demo-function/
Display the archived lambda function.
$ ls demo-function/
The archived function can now become an AWS lambda function.
Create the lambda function
The Lambda function is ready for the creation of an AWS Lambda
resource. Terraform provides the aws_lambda_function
that enables you to create the lambda function with an archive or container
Rename the file
$ cp
Display the contents of the
$ cat
Successful output:
resource "aws_lambda_function" "function" {
function_name = "${var.environment_name}-function"
description = "Demo Vault AWS Lambda extension"
role = aws_iam_role.lambda.arn
filename = "./demo-function/"
handler = "main"
runtime = "provided.al2"
layers = ["arn:aws:lambda:${var.aws_region}:634166935893:layer:vault-lambda-extension:13"]
environment {
variables = {
VAULT_ADDR = "http://${aws_instance.vault-server.public_ip}:8200",
VAULT_SECRET_PATH_DB = "database/creds/lambda-function",
VAULT_SECRET_FILE_DB = "/tmp/vault_secret.json",
DATABASE_URL = aws_db_instance.main.address
output "lambda" {
value = <<EOF
The lambda function is ready to run.
aws lambda invoke --function-name ${aws_lambda_function.function.function_name} /dev/null \
--log-type Tail \
--region ${var.aws_region} \
| jq -r '.LogResult' \
| base64 --decode
This file has two resources. The resource to create the Lambda function and the output that displays how to execute the Lambda function using the AWS CLI.
The aws_lambda_function
loads the packaged function found at the path defined at
`filename. The Lambda function uses several environment variables to connect
and authenticate with Vault:
is the address of the Vault server. An AWS instance resource named `aws_instance.vault-server responds to that address.VAULT_AUTH_ROLE
is the IAM role used to perform the function.VAULT_AUTH_PROVIDER
is the authentication method to use.VAULT_SECRET_PATH_DB
is the Vault path to read the database credentialsVAULT_SECRET_FILE_DB
is the path to the credentials. The custom function defines the path/tmp/vault_secret.json
is an environment variable defined in the custom function.
Run terraform apply
and review the planned actions. Your terminal output
indicates the plan that it found and what resources Terraform will create.
$ terraform apply
Enter yes
to confirm and resume.
The terraform apply
command creates the lambda function and
the output displays how to invoke it.
lambda =
The lambda function is ready to run.
aws lambda invoke --function-name vault-lambda-extension-demo-function /dev/null \
--log-type Tail \
--region us-east-1 \
| jq -r '.LogResult' \
| base64 --decode
Invoke the lambda function.
$ aws lambda invoke --function-name vault-lambda-extension-demo-function /dev/null \
--log-type Tail \
--region us-east-1 \
| jq -r '.LogResult' \
| base64 --decode
The output displays the logging and the current accounts found within the database.
START RequestId: 0999f92b-1a57-4e77-a47a-2e17682038a2 Version: $LATEST
c487ab6c-e834-4d1f-a333-8fcae8e1c0e1[vault-lambda-extension] 2022/03/14 21:50:55 Initialising
[vault-lambda-extension] 2022/03/14 21:50:55 attemping Vault login...
[runtime] handler in bootstrap: main
[runtime] Initializing...
[runtime] Waiting for invocation...
[vault-lambda-extension] 2022/03/14 21:50:55 Initialised
[vault-lambda-extension] 2022/03/14 21:50:55 Waiting for event...
EXTENSION Name: vault-lambda-extension State: Ready Events: [INVOKE,SHUTDOWN]
[vault-lambda-extension] 2022/03/14 21:50:55 Received event
[vault-lambda-extension] 2022/03/14 21:50:55 Waiting for event...
[runtime] Received invocation: {}
[runtime] Executing function: main
[demo-function] Received:
[demo-function] Reading file /tmp/vault_secret.json
[demo-function] users:
[demo-function] vaultadmin
[demo-function] rdsadmin
[demo-function] v-root-lambda-f-0BtQGCRTzGm2QgWHgv09-1647293547
[demo-function] v-root-lambda-f-DBN5PYDVkZ7u7yYymt47-1647293577
[demo-function] v-aws-vaul-lambda-f-P0akiqTACqHLWDCssTyj-1647294655
END RequestId: 0999f92b-1a57-4e77-a47a-2e17682038a2
REPORT RequestId: 0999f92b-1a57-4e77-a47a-2e17682038a2 Duration: 1076.90 ms Billed Duration: 1185 ms Memory Size: 128 MBMax Memory Used: 46 MB Init Duration: 107.88 ms
The Lambda function executed.
Check the other terminal session, and you will observe a pair of new requests and responses corresponding to the Lambda execution.
Example output:
If your use case can benefit from it, you can configure caching for the Vault Lambda Extension. The local proxy server handles requests so that it does not forward every request to the Vault server.
You can enable this caching by setting a VAULT_DEFAULT_CACHE_TTL
variable in
configuration with a value used as a Go time duration.
For example, to specify a 5 minute TTL you can add VAULT_DEFAULT_CACHE_TTL =
to your variables. Now when the extension runs and clients make GET
requests using the header X-Vault-Cache-Control: cache
, the proxy handles
requests directly from the cache if there's a cache hit. On a cache miss the
proxy forwards requests to Vault and the response returned and cached.
to true
, as in this example, caches all
requests. If you do not set VAULT_DEFAULT_CACHE_ENABLED
you must set the HTTP header
X-Vault-Cache-Control: cache
on requests that you want to cache. Consult
the Vault Lambda
documentation for more detail.
To try caching with this tutorial, you can rename the file
$ cp
Display the contents of the
$ cat
Successful output:
resource "aws_lambda_function" "function" {
function_name = "${var.environment_name}-function"
description = "Demo Vault AWS Lambda extension"
role = aws_iam_role.lambda.arn
filename = "./demo-function/"
handler = "main"
runtime = "provided.al2"
layers = ["arn:aws:lambda:${var.aws_region}:634166935893:layer:vault-lambda-extension:13"]
environment {
variables = {
VAULT_ADDR = "http://${aws_instance.vault-server.public_ip}:8200",
VAULT_SECRET_PATH_DB = "database/creds/lambda-function",
VAULT_SECRET_FILE_DB = "/tmp/vault_secret.json",
DATABASE_URL = aws_db_instance.main.address
output "lambda" {
value = <<EOF
The lambda function is ready to run.
aws lambda invoke --function-name ${aws_lambda_function.function.function_name} /dev/null \
--log-type Tail \
--region ${var.aws_region} \
| jq -r '.LogResult' \
| base64 --decode
Notice the caching specific entries in this configuration, which set the variables on lines 17 and 18.
Run terraform apply
and review the planned actions. Your terminal output
indicates the resources Terraform will create.
$ terraform apply
Enter yes
to confirm and resume.
The terraform apply
command modifies the lambda function and the output displays how to invoke it.
lambda =
The lambda function is ready to run.
aws lambda invoke --function-name vault-lambda-extension-demo-function /dev/null \
--log-type Tail \
--region us-east-1 \
| jq -r '.LogResult' \
| base64 --decode
Invoke the lambda function.
$ aws lambda invoke --function-name vault-lambda-extension-demo-function /dev/null \
--log-type Tail \
--region us-east-1 \
| jq -r '.LogResult' \
| base64 --decode
Now check the other terminal with audit device log for entries. You will note that there is another pair of request and responses logged.
Invoke the lambda function once again.
$ aws lambda invoke --function-name vault-lambda-extension-demo-function /dev/null \
--log-type Tail \
--region us-east-1 \
| jq -r '.LogResult' \
| base64 --decode
Invoke the lambda function a final time.
$ aws lambda invoke --function-name vault-lambda-extension-demo-function /dev/null \
--log-type Tail \
--region us-east-1 \
| jq -r '.LogResult' \
| base64 --decode
If you check the other terminal with audit device log now, you'll note that there were no entries for the last two invocations of the Lambda.
This is because they used the cache, and did not need to authenticate with Vault.
You can learn more about the caching functionality in the Vault Lambda Extension documentation.
Clean up
In the second terminal displaying the audit log, press CTRL+C
to stop tailing the log and exit from the ssh session.
$ exit
Return to the first terminal where you created the cluster and use Terraform to destroy the cluster.
Destroy the AWS resources provisioned by Terraform.
$ terraform destroy -auto-approve
Delete the state file.
$ rm *tfstate*
Next steps
You built, packaged, and deployed a Lambda function written in Go that uses the Vault Lambda Extension, and deployed it with Terraform.
Learn more by reading the blog post Use AWS Lambda Extensions to Securely Retrieve Secrets From HashiCorp Vault or by reviewing the Vault Lambda Extension code repository.
You deployed a Vault server and database with the provided Terraform configuration. Learn more about deploying infrastructure with Terraform Getting Started - AWS.
You used the AWS lambda to authenticate with Vault, request credentials for the PostgreSQL database, and perform a Query. Learn more about Dynamic Secrets: Database Secrets Engine.
You also learned about the caching functionality available in the Vault Lambda Extension, and demonstrated it in action in the audit device logs.