1

I want to connect to AWS DocumentDB cluster from AWS Lambda (using Java). TLS is enabled for cluster so I need to import the certificates to truststore. Not able to find any document around this on how to proceed.

2
  • Googling "aws documentdb lambda java" => docs.aws.amazon.com/documentdb/latest/developerguide/… Commented Aug 2, 2020 at 15:08
  • It suggests importing the certificates via a shell script. But for AWS Lambda we will not have access to the truststore. Commented Aug 3, 2020 at 3:22

2 Answers

1

You need to store the https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem file in the certstore before connecting to DocumentDB, otherwise it will not work.

There are many ways to import certificates using code at runtime.

Ref: How to import a .cer certificate into a java keystore?

After importing the cert, you can connect to DocumentDB; reference code can be found here:

https://docs.aws.amazon.com/documentdb/latest/developerguide/connect_programmatically.html


1 Comment

So you are suggesting importing the certificate at runtime in the AWS Lambda environment?
0

I encourage you to avoid packaging the cert as part of your Lambda code. Instead you can get it dynamically from Amazon S3. This will avoid issues in the future when the cert is rotated. Following is a Python example:

    import boto3
    import botocore

    # boto3 S3 *resource* (not a low-level client): Bucket() is a resource method
    clientS3 = boto3.resource('s3')


    # Function to download the current DocumentDB CA bundle into Lambda's writable /tmp
    def getDocDbCertificate():
        try:
            print('Certificate')
            clientS3.Bucket('rds-downloads').download_file(
                'rds-combined-ca-bundle.pem', '/tmp/rds-combined-ca-bundle.pem')
        except botocore.exceptions.ClientError as e:
            if e.response['Error']['Code'] == "404":
                print("The object does not exist.")
            else:
                raise

For you to do that, the role of your Lambda needs permission to get the object from S3, and S3 access via the Internet or a VPC endpoint.
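Putting both answers together for the Java case the question asks about, here is an added example (not code from either answerer or from the AWS documentation): it downloads the `rds-combined-ca-bundle.pem` bundle from the public `rds-downloads` bucket into `/tmp` (reusing the cached copy on warm invocations, since Lambda cannot modify the JVM's `cacerts`), parses every certificate in the bundle into an in-memory truststore, and hands the resulting `SSLContext` to the MongoDB Java driver. It assumes the AWS SDK for Java v2 and MongoDB Java driver 4.x on the classpath; the class name `DocDbTls`, the method names and the cluster endpoint in the URI are placeholders of my own.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import com.mongodb.ConnectionString;
import com.mongodb.MongoClientSettings;
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.GetObjectRequest;

/**
 * Illustrative helper (hypothetical, not from the answers above): fetch the
 * RDS/DocumentDB CA bundle at runtime, build an in-memory truststore from it
 * and give the resulting SSLContext to the MongoDB driver. Nothing is written
 * to the JVM's cacerts, so the default trust store is left untouched.
 */
public final class DocDbTls {

    // Public bucket and key named in the answers above.
    private static final String BUNDLE_BUCKET = "rds-downloads";
    private static final String BUNDLE_KEY = "rds-combined-ca-bundle.pem";

    // /tmp is the only writable path in Lambda and survives warm invocations.
    private static final Path BUNDLE_PATH = Paths.get("/tmp", BUNDLE_KEY);

    private DocDbTls() {}

    /** Download the bundle once per container; reuse the cached copy on warm starts. */
    public static Path fetchBundle(S3Client s3) {
        if (Files.exists(BUNDLE_PATH)) {
            return BUNDLE_PATH;            // SDK v2 refuses to overwrite an existing file
        }
        GetObjectRequest req = GetObjectRequest.builder()
                .bucket(BUNDLE_BUCKET).key(BUNDLE_KEY).build();
        s3.getObject(req, BUNDLE_PATH);    // needs s3:GetObject on the execution role
        return BUNDLE_PATH;
    }

    /** Parse every certificate in the PEM bundle into a fresh, password-less truststore. */
    public static KeyStore trustStoreFromPem(Path pemBundle) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);               // start empty instead of loading cacerts
        int n = 0;
        try (InputStream in = Files.newInputStream(pemBundle)) {
            // generateCertificates accepts a concatenated PEM bundle
            for (Certificate c : cf.generateCertificates(in)) {
                ks.setCertificateEntry("docdb-ca-" + n++, c);
            }
        }
        if (n == 0) {
            throw new IllegalStateException("no certificates found in " + pemBundle);
        }
        return ks;
    }

    /** SSLContext that trusts only the CAs in the given store. */
    public static SSLContext sslContextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Wire the context into the driver; tls=true in the URI is what DocumentDB expects. */
    public static MongoClient connect(String uri, SSLContext ctx) {
        MongoClientSettings settings = MongoClientSettings.builder()
                .applyConnectionString(new ConnectionString(uri))
                .applyToSslSettings(b -> b.enabled(true).context(ctx))
                .build();
        return MongoClients.create(settings);
    }

    /** Typical use from a Lambda handler; the endpoint and credentials are placeholders. */
    public static MongoClient connectFromLambda() throws Exception {
        Path pem = fetchBundle(S3Client.create());
        SSLContext ctx = sslContextFor(trustStoreFromPem(pem));
        return connect("mongodb://<user>:<password>@<cluster-endpoint>:27017/"
                + "?tls=true&retryWrites=false", ctx);
    }
}
```

Two things worth noting. Because the truststore is built from the bundle alone, the connection only trusts the RDS CA rather than the whole public CA set, which is the behaviour you want for a database endpoint. And since `fetchBundle` caches the file in `/tmp`, a container that was started before a CA rotation keeps the old bundle until it is recycled; if that matters, compare the object's ETag or re-download on a timer instead of checking for the file's existence.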
