I have a Lambda function inside a VPC, but when it tries to get the API Keys from API Gateway, it times out.
I have done the following steps:
- *.execute-api, with:
  - AmazonAPIGatewayAdministrator
  - AWSLambdaBasicExecutionRole
  - AWSLambdaExecute
  - AWSLambdaRole
So with the above settings, I am still unable to connect to API Gateway to get the API Keys.
I do not need Internet access, just to get the API Keys from API Gateway. I am using Node.js for the Lambda function.
Please advise on how to get the API Gateway's API Keys from a Lambda function inside a VPC subnet, and is there really no way to get this information from API Gateway without a NAT Gateway?
Thanks a lot in advance.
From your description, it would appear that all your code is in the AWS Lambda function and there are no other resources in the VPC.
Therefore, there is no benefit in using a VPC, since Lambda functions are totally secure because there is no inbound access to a Lambda function. Connecting a Lambda function to a VPC does not improve security, and it actually causes more problems because the function then does not have Internet access.
I don't know what your Lambda function is doing, but I presume it is using the "API Keys" to access an external service on the Internet.
Therefore, the architecture I recommend is:
- AWS Systems Manager Parameter Store: "Parameter Store, a capability of AWS Systems Manager, provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, Amazon Machine Image (AMI) IDs, and license codes as parameter values. You can store values as plain text or encrypted data. You can reference Systems Manager parameters in your scripts, commands, SSM documents, and configuration and automation workflows by using the unique name that you specified when you created the parameter."
- A Lambda function whose IAM role has AWSLambdaBasicExecutionRole, plus the permission that was granted via the Parameter Store.
That's it! Basically, it's just a Lambda function and a stored secret. It is fully serverless and very secure. Access to the secret is controlled by IAM and can be monitored.
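As an added illustration of the answer above (this is not the poster's or the answerer's code), the following Node.js module shows what the recommended design looks like in practice: a Lambda handler that reads an API key stored as a SecureString in Parameter Store, caches it in the container so SSM is not called on every invocation, and a generator for the least-privilege IAM policy the execution role needs on top of AWSLambdaBasicExecutionRole. It assumes, as the answer recommends, that the function is not attached to a VPC. The parameter name `/myapp/prod/external-api-key`, the five-minute TTL, and the region, account id and KMS key ARN used below are illustrative assumptions; the SSM call is injected as a function so the module runs offline, and the production wiring uses the real `GetParameterCommand` from `@aws-sdk/client-ssm`.

```javascript
// Added example, not code from the original question or answer.
// Parameter name, TTL, region, account id and KMS key ARN are assumptions.

const PARAM_NAME = "/myapp/prod/external-api-key"; // assumed parameter name
const CACHE_TTL_MS = 5 * 60 * 1000;                 // assumed refresh interval

// Module-level cache: a warm Lambda container keeps it between invocations,
// so SSM is called once per container (and again after the TTL, so a rotated
// SecureString is picked up without a redeploy).
let cache = { value: null, expiresAt: 0 };

// fetchParameter: (input) => Promise<GetParameterCommandOutput>. It is injected
// so the logic runs without the SDK or network; in production pass
// input => ssm.send(new GetParameterCommand(input)) from @aws-sdk/client-ssm.
async function getSecret(fetchParameter, name = PARAM_NAME, now = Date.now()) {
  if (cache.value !== null && now < cache.expiresAt) return cache.value;

  // WithDecryption is required for a SecureString parameter; without it SSM
  // returns the KMS ciphertext and the function would send garbage as its key.
  const out = await fetchParameter({ Name: name, WithDecryption: true });
  const value = out && out.Parameter && out.Parameter.Value;
  if (typeof value !== "string" || value.length === 0) {
    throw new Error(`SSM parameter ${name} is missing or empty`);
  }
  cache = { value, expiresAt: now + CACHE_TTL_MS };
  return value;
}

function resetSecretCache() {
  cache = { value: null, expiresAt: 0 };
}

// Least-privilege policy for the execution role: read exactly one parameter,
// not ssm:* or a whole namespace. kms:Decrypt is only needed when the
// parameter is encrypted with a customer managed key rather than aws/ssm.
function parameterReadPolicy({ region, accountId, paramName, kmsKeyArn }) {
  const path = paramName.startsWith("/") ? paramName : `/${paramName}`;
  const statements = [
    {
      Effect: "Allow",
      Action: ["ssm:GetParameter"],
      Resource: [`arn:aws:ssm:${region}:${accountId}:parameter${path}`],
    },
  ];
  if (kmsKeyArn) {
    statements.push({ Effect: "Allow", Action: ["kms:Decrypt"], Resource: [kmsKeyArn] });
  }
  return { Version: "2012-10-17", Statement: statements };
}

// Production wiring. The SDK is required lazily so this file also loads in an
// environment where @aws-sdk/client-ssm is not installed.
function sdkFetchParameter() {
  const { SSMClient, GetParameterCommand } = require("@aws-sdk/client-ssm");
  const ssm = new SSMClient({});
  return (input) => ssm.send(new GetParameterCommand(input));
}

// The handler only uses the key in the outbound request's headers; it is
// never logged or returned to the caller.
function makeHandler(fetchParameter) {
  return async (event) => {
    const apiKey = await getSecret(fetchParameter);
    const upstreamHeaders = { "x-api-key": apiKey, "content-type": "application/json" };
    // An https.request(...) to the external service would go here using upstreamHeaders.
    return {
      statusCode: 200,
      body: JSON.stringify({ ok: true, headerNames: Object.keys(upstreamHeaders) }),
    };
  };
}

let sdkFetch = null;
const handler = makeHandler((input) => {
  if (!sdkFetch) sdkFetch = sdkFetchParameter();
  return sdkFetch(input);
});

if (typeof module !== "undefined") {
  module.exports = { handler, makeHandler, getSecret, resetSecretCache, parameterReadPolicy };
}
```

Two points worth checking when deploying this: the execution role must carry both the `ssm:GetParameter` statement scoped to the parameter ARN and, for a customer managed KMS key, `kms:Decrypt` on that key, otherwise the call fails with AccessDenied rather than a timeout; and a timeout, as in the question, is almost always a network-path problem (a VPC-attached function with no route to the service endpoint), not a permissions problem, which is why the answer's first recommendation is to detach the function from the VPC.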