
I want to connect to AWS DocumentDB cluster from AWS Lambda (using Java). TLS is enabled for cluster so I need to import the certificates to truststore. Not able to find any document around this on how to proceed.

Vishal Jamdade
  • Googling "aws documentdb lambda java" => https://docs.aws.amazon.com/documentdb/latest/developerguide/connect_programmatically.html – luk2302 Aug 02 '20 at 15:08
  • It suggests importing the certificates via a shell script. But for AWS Lambda we will not have access to the truststore – Vishal Jamdade Aug 03 '20 at 03:22

2 Answers

1

You need to store the https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem file in the certstore before connecting to DocumentDB, otherwise it will not work.

There are many ways to import certificates using code during runtime.

Ref: How to import a .cer certificate into a Java keystore?

After importing the cert, you can connect to DocumentDB; reference code can be found here:

https://docs.aws.amazon.com/documentdb/latest/developerguide/connect_programmatically.html

Atul Sharma
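An added example (not code from either answer or from the AWS docs) of doing the runtime import in Java: the PEM bundle is parsed into an in-memory KeyStore and handed to the MongoDB driver as an SSLContext, so nothing has to be written to the JVM's read-only default truststore inside Lambda. It assumes the MongoDB Java driver 3.7+/4.x and that the bundle is already on disk (packaged with the function or downloaded to /tmp); pemPath and uri are placeholders.

```java
import com.mongodb.ConnectionString;
import com.mongodb.MongoClientSettings;
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

// Added example: build the truststore in memory at runtime, so no keytool step is needed in Lambda.
public final class DocDbTls {
    // Parses every certificate in a PEM bundle (rds-combined-ca-bundle.pem holds many) into an empty KeyStore.
    public static KeyStore trustStoreFromPem(InputStream pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                              // fresh in-memory keystore, no file behind it
        int n = 0;
        for (Certificate cert : cf.generateCertificates(pem)) {
            ks.setCertificateEntry("docdb-ca-" + n++, cert); // aliases must be unique per entry
        }
        if (n == 0) throw new IllegalStateException("no certificates found in bundle");
        return ks;
    }
    // Reads the bundle from disk (packaged with the function or downloaded to /tmp) and
    // wraps it in an SSLContext that trusts only that CA chain.
    public static SSLContext sslContextFromPemFile(String pemPath) throws Exception {
        KeyStore ks;
        try (InputStream in = Files.newInputStream(Paths.get(pemPath))) {
            ks = trustStoreFromPem(in);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }
    // pemPath and uri are placeholders (e.g. read from Lambda environment variables).
    public static MongoClient connect(String pemPath, String uri) throws Exception {
        SSLContext ctx = sslContextFromPemFile(pemPath);
        MongoClientSettings settings = MongoClientSettings.builder()
                .applyConnectionString(new ConnectionString(uri))
                .applyToSslSettings(b -> b.enabled(true).context(ctx))
                .build();
        return MongoClients.create(settings);
    }
}
```

Because the SSLContext trusts only the DocumentDB CA chain, a server presenting any other certificate is rejected, which is the property the TLS requirement is there to give you.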
0

I encourage you to avoid packaging the cert as part of your Lambda code. Instead you can get it dynamically from Amazon S3. This will avoid issues in the future when the cert is rotated. Following is a Python example:

import boto3
import botocore

# S3 resource; the Lambda role needs s3:GetObject on the rds-downloads bucket
clientS3 = boto3.resource('s3')

# Function to download the current docdb certificate to /tmp (the only writable path in Lambda)
def getDocDbCertificate():
    try:
        print('Certificate')
        clientS3.Bucket('rds-downloads').download_file('rds-combined-ca-bundle.pem', '/tmp/rds-combined-ca-bundle.pem')
    except botocore.exceptions.ClientError as e:
        if e.response['Error']['Code'] == "404":
            print("The object does not exist.")
        else:
            raise

For you to do that, the role of your Lambda needs permissions to get the object from S3 and S3 access via the Internet or a VPC endpoint.

herbertgoto