
如何在Node.js中使用async/await从AWS Secrets Manager检索密钥及Lambda集成与密钥设置指南

Got it, let's break this down step by step to address all your questions: converting your callback-based Lambda to async/await, integrating Secrets Manager with Node.js Lambda, and creating secrets via Node.js.


1. Convert Callback-Based Lambda to Async/Await

AWS SDK v2 can return a promise from each request, so we can replace the nested callbacks with cleaner, linear async/await code. Here's the refactored version of your Lambda handler:

const AWS = require("aws-sdk");
// Region is fixed here so the client resolves SecretId in the same region as the secret itself
const secretsRegion = 'ap-southeast-1';
const secretsManager = new AWS.SecretsManager({ region: secretsRegion });

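// Descriptions for the Secrets Manager error codes the handler distinguishes; a Map avoids
// prototype lookups for unexpected code values. Anything else gets the generic message.
const SECRETS_MANAGER_ERROR_MESSAGES = new Map([
  ['DecryptionFailureException', 'Failed to decrypt secret with KMS key'],
  ['InternalServiceErrorException', 'Secrets Manager server-side error'],
  ['InvalidParameterException', 'Invalid parameter provided to Secrets Manager'],
  ['InvalidRequestException', 'Invalid request format for Secrets Manager'],
  ['ResourceNotFoundException', 'Target secret not found in Secrets Manager'],
]);

/**
 * Decode the payload of a GetSecretValue response into text.
 * String secrets are returned as-is. For binary secrets, a Buffer is used directly and a
 * base64 string is decoded first (in Node.js the SDK typically returns SecretBinary as a
 * Buffer; Buffer.from(buffer, 'base64') in the original simply copied it).
 * @param {object} secretData - GetSecretValue response
 * @returns {string} the secret value
 */
function decodeSecretValue(secretData) {
  if ('SecretString' in secretData) {
    return secretData.SecretString;
  }
  const raw = secretData.SecretBinary;
  const binaryBuffer = Buffer.isBuffer(raw) ? raw : Buffer.from(raw, 'base64');
  // 'ascii' matches the original decoding; use 'utf8' if the stored bytes are UTF-8 text
  return binaryBuffer.toString('ascii');
}

/**
 * Lambda handler: fetch one secret from Secrets Manager and return its value.
 * The secret name is read from the SECRET_ID environment variable (a name chosen for this
 * example, set at deployment time) and falls back to the original hard-coded 'MyFirstSecret'.
 * @param {object} event - Lambda event (unused)
 * @param {object} context - Lambda context (unused)
 * @returns {Promise<string>} the secret value
 * @throws the original SDK error, after logging a description keyed on err.code, so the
 *   invocation fails visibly instead of returning a partial result
 */
exports.handler = async (event, context) => {
  const secretId = process.env.SECRET_ID || 'MyFirstSecret';
  try {
    const secretData = await secretsManager.getSecretValue({ SecretId: secretId }).promise();
    const secret = decodeSecretValue(secretData);

    // Log only metadata (ARN and version): the plaintext value must not reach CloudWatch Logs,
    // where it would be readable by anyone with log access and retained by the log group.
    console.log('Successfully retrieved secret:', secretData.ARN, 'version', secretData.VersionId);

    // Use your secret here (e.g., connect to a database, API, etc.).
    // The handler's return value is delivered to whatever invoked the function (API Gateway,
    // another service, a test client), so return the plaintext only if that caller must see it.
    return secret;
  } catch (err) {
    const message = SECRETS_MANAGER_ERROR_MESSAGES.get(err.code) || 'Unexpected error fetching secret';
    console.error(`${message}:`, err);
    throw err;
  }
};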

2. Integrate AWS Secrets Manager with Node.js Lambda

To make this work reliably, follow these key steps:

  • Assign IAM Permissions to Your Lambda Role
    Your Lambda execution role needs permission to fetch secrets. Add a policy like this (restrict the resource ARN to your specific secret for better security):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "secretsmanager:GetSecretValue",
          "Resource": "arn:aws:secretsmanager:ap-southeast-1:YOUR_ACCOUNT_ID:secret:MyFirstSecret-*"
        }
      ]
    }
    
  • Initialize the Secrets Manager Client
    As shown in the code above, create a client instance with your target AWS region. No extra configuration is needed if your Lambda runs in the same region as the secret.

  • Optimize Lambda Performance
    To reuse the Secrets Manager client across Lambda invocations (and avoid re-establishing connections each time), declare the client outside the handler function, as in the example: when Lambda reuses an execution environment for a subsequent invocation, the client instance is reused with it.


3. Create Secrets in AWS Secrets Manager via Node.js

You can create secrets directly using the AWS SDK's createSecret method. Here are examples for both string and binary secrets:

Example 1: Create a String Secret (e.g., JSON credentials)

const AWS = require("aws-sdk");
// Client pinned to the region where the secrets will be created
const secretsRegion = 'ap-southeast-1';
const secretsManager = new AWS.SecretsManager({ region: secretsRegion });

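/**
 * Create a string secret holding JSON credentials.
 * The defaults reproduce the original example so existing calls still work; pass your own
 * values instead of editing them, and supply the password from a protected source
 * (environment variable, CI secret store, prompt) rather than a literal committed to source control.
 * @param {object} [options]
 * @param {string} [options.name='MyDatabaseCredentials'] - secret name
 * @param {string} [options.username='db-admin']
 * @param {string} [options.password='SuperSecurePass123!'] - placeholder only, never a real credential
 * @param {string} [options.description='Database credentials for production DB']
 * @returns {Promise<string|undefined>} the new secret's ARN, or undefined if creation failed
 *   (the error is logged and not rethrown, matching the original best-effort behaviour)
 */
async function createStringSecret({
  name = 'MyDatabaseCredentials',
  username = 'db-admin',
  password = 'SuperSecurePass123!',
  description = 'Database credentials for production DB',
} = {}) {
  try {
    const secretParams = {
      Name: name,
      SecretString: JSON.stringify({ username, password }),
      Description: description,
    };

    const response = await secretsManager.createSecret(secretParams).promise();
    // Only the ARN is logged; the credentials themselves stay out of the log stream
    console.log("Secret created successfully! ARN:", response.ARN);
    return response.ARN;
  } catch (err) {
    // Not rethrown: the example invokes this without awaiting, so a rejection would be unhandled
    console.error("Error creating secret:", err);
    return undefined;
  }
}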

// Run the function
createStringSecret();

Example 2: Create a Binary Secret (e.g., private keys, certificates)

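/**
 * Create a binary secret (e.g. a private key or certificate).
 * The bytes are handed to the SDK as a Buffer: the AWS SDK v2 JSON serializer base64-encodes
 * blob fields on the wire itself, so pre-encoding the value (as the original did) stores the
 * base64 *text* as the secret instead of the raw bytes, and a later base64 decode on retrieval
 * yields that text rather than the key.
 * Real key material should be loaded from a file or a protected store, never embedded in source;
 * the default below is the original placeholder text, kept so existing calls behave the same.
 * @param {object} [options]
 * @param {string} [options.name='MyPrivateKey']
 * @param {Buffer} [options.secretBytes] - raw secret bytes; defaults to the placeholder PEM text
 * @param {string} [options.description='Private key for API authentication']
 * @returns {Promise<string|undefined>} the new secret's ARN, or undefined if creation failed
 *   (the error is logged and not rethrown, matching the original best-effort behaviour)
 */
async function createBinarySecret({
  name = 'MyPrivateKey',
  secretBytes = Buffer.from('-----BEGIN PRIVATE KEY-----\n...your key here...\n-----END PRIVATE KEY-----', 'utf8'),
  description = 'Private key for API authentication',
} = {}) {
  try {
    const secretParams = {
      Name: name,
      SecretBinary: secretBytes,
      Description: description,
    };

    const response = await secretsManager.createSecret(secretParams).promise();
    // Only the ARN is logged; the key bytes stay out of the log stream
    console.log("Binary secret created successfully! ARN:", response.ARN);
    return response.ARN;
  } catch (err) {
    // Not rethrown: the example invokes this without awaiting, so a rejection would be unhandled
    console.error("Error creating binary secret:", err);
    return undefined;
  }
}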

// Run the function
createBinarySecret();

Note: You can also create secrets via the AWS Console, AWS CLI, or CloudFormation, but the above examples show how to do it programmatically in Node.js.


内容的提问来源于stack exchange,提问作者insoftservice
