I created my RDS database and Lambda function using CloudFormation/AWS SAM. I currently pass in my DB connection info via environment variables, but I am unsure if that's the recommended way since, in the AWS dashboard, I can see the password in clear text.
TestApiFunction:
  Type: AWS::Serverless::Function
  DependsOn: DB
  Properties:
    Handler: src/test.handler
    FunctionName: Test
    VpcConfig:
      SecurityGroupIds:
        - !Ref DataTierSecurityGroup
      SubnetIds:
        - !Ref PrivateSubnet1
        - !Ref PrivateSubnet2
        - !Ref PrivateSubnet3
    Environment:
      Variables:
        'DB_HOST': !GetAtt DB.Endpoint.Address
        'DB_USER': !Ref DBUser
        'DB_PASSWORD': !Ref DBPassword
You can use IAM database authentication to use an IAM role instead of a username and password to connect to your database, if you're using MySQL or MySQL-compatible Aurora.
You would just need to turn on IAM database authentication on the RDS instance, create the role with rds-db:connect permission, and attach the role to the Lambda function. This article goes into more detailed instructions for setting this up.
Unfortunately, it doesn't look like you can enable IAM database authentication from CloudFormation, so if that is a no-go or if you're not using a compatible database engine, you can also look into AWS Secrets Manager. You would need to create an IAM role that can access your Secrets Manager secrets and attach that role to your Lambda function. One benefit of this approach is that AWS provides secrets rotation out-of-the-box for you for RDS usernames/passwords.
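The Secrets Manager approach from the answer, written out as a SAM template fragment. This is an added example, not code from the original question or answer: the resource names (DBSecret, DBSecretAttachment), the "appuser" user name and the DB_SECRET_ARN variable are assumptions, and the handler is assumed to call GetSecretValue on that ARN at runtime instead of receiving a DB_PASSWORD variable.

```yaml
# Added example: the password exists only inside Secrets Manager. It is not a
# stack parameter, not in the template, and not in the Lambda environment.
Resources:
  DBSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: Master credentials for the RDS instance
      GenerateSecretString:
        SecretStringTemplate: '{"username": "appuser"}'   # assumed user name
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'
  DB:
    Type: AWS::RDS::DBInstance
    Properties:
      # engine, instance class, storage and subnet group as in the existing
      # template; only the credential properties change:
      MasterUsername: !Sub '{{resolve:secretsmanager:${DBSecret}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${DBSecret}:SecretString:password}}'
  # Links the secret to the instance so Secrets Manager fills in host/port and
  # the built-in rotation knows which database the credential belongs to.
  DBSecretAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref DBSecret
      TargetId: !Ref DB
      TargetType: AWS::RDS::DBInstance
  TestApiFunction:
    Type: AWS::Serverless::Function
    DependsOn: DB
    Properties:
      Handler: src/test.handler
      FunctionName: Test
      VpcConfig:
        SecurityGroupIds:
          - !Ref DataTierSecurityGroup
        SubnetIds:
          - !Ref PrivateSubnet1
          - !Ref PrivateSubnet2
          - !Ref PrivateSubnet3
      # Least privilege: the function may read this one secret and nothing else.
      Policies:
        - AWSSecretsManagerGetSecretValuePolicy:
            SecretArn: !Ref DBSecret
      Environment:
        Variables:
          # Only the secret's ARN is visible in the console; the handler fetches
          # username/password/host from it with secretsmanager:GetSecretValue.
          DB_SECRET_ARN: !Ref DBSecret
```

Because the function sits in private subnets, it still needs a route to the Secrets Manager API, either a NAT gateway or a Secrets Manager interface VPC endpoint, or GetSecretValue will time out.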