At the moment, our lambdas fetch our database credentials using GetSecretValue() … this takes approx. 700-800 ms (this seems very slow to me, but I’ve no real frame of reference). Anyway, because this is so slow, and thankfully most of our lambdas are provisioned, we’ve been storing the credentials in a static JavaScript variable (essentially a poor-man’s cache), which means that only the first lambda invocation wears the cost of hitting Secrets Manager.
However, we’re now implementing secret rotation which means my cache can become stale. I can see a couple of options (none of which are very appetising):
• Remove caching and every lambda invocation has a slow hit to Secrets Manager. Slow, plus a cost impact - all to cater for a once-in-a-30-day event.
• Add some sort of TTL to my cache. Better, but is really just reducing the window of the possible problem.
• Add some retry logic to Sequelize that recognises that the cached password is no longer valid, fetches the new password, saves in cache, and retries. Seems like the “best” option, but also seems like a lot of error-prone development and testing.
How are folks handling this particular problem? Is there a better way that I’ve missed?
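One way to combine the second and third options above (a TTL cache plus a single refresh-and-retry when the cached password is rejected), as an added example that is not the poster's code. It assumes a `fetchSecret` function standing in for the Secrets Manager `GetSecretValue()` call and an `isAuthError` predicate standing in for whatever check identifies a Sequelize authentication failure; both, and the "database", are constructed fakes so the example runs offline.

```javascript
// Module-level cache: survives across invocations of a warm container, expires after
// ttlMs, and dedupes concurrent refreshes so a burst of cold requests costs one fetch.
function createSecretCache({ fetchSecret, ttlMs, now = Date.now }) {
  let cached = null;   // { value, fetchedAt }
  let inflight = null; // promise of a refresh already in progress
  let fetches = 0;     // counted only so the effect of caching is observable

  function refresh() {
    if (!inflight) {
      fetches += 1;
      inflight = fetchSecret()
        .then((value) => { cached = { value, fetchedAt: now() }; return value; })
        .finally(() => { inflight = null; });
    }
    return inflight;
  }
  return {
    async get() {
      if (cached && now() - cached.fetchedAt < ttlMs) return cached.value;
      return refresh();
    },
    invalidate() { cached = null; },
    stats() { return { fetches }; },
  };
}

// Run useSecret(secret) once; on an auth error, drop the cached secret, fetch the
// rotated one and retry exactly once. Any other error propagates unchanged.
async function withRotatedSecretRetry(cache, useSecret, isAuthError) {
  try {
    return await useSecret(await cache.get());
  } catch (err) {
    if (!isAuthError(err)) throw err;
    cache.invalidate();
    return useSecret(await cache.get());
  }
}

// Constructed simulation: the secret rotates between calls 2 and 3, and the fake
// "database" rejects any password other than the current one (assumed error shape).
async function simulate() {
  let current = 'pw-v1';
  let clock = 0;
  const cache = createSecretCache({ fetchSecret: async () => current, ttlMs: 60_000, now: () => clock });
  const connect = async (pw) => {
    if (pw !== current) throw Object.assign(new Error('access denied'), { code: 'AUTH' });
    return `connected with ${pw}`;
  };
  const isAuthError = (e) => e.code === 'AUTH';
  const results = [];
  results.push(await withRotatedSecretRetry(cache, connect, isAuthError)); // fetch #1
  results.push(await withRotatedSecretRetry(cache, connect, isAuthError)); // cache hit
  current = 'pw-v2';                                                        // rotation happens
  results.push(await withRotatedSecretRetry(cache, connect, isAuthError)); // auth fail -> fetch #2 -> ok
  clock += 61_000;                                                          // TTL expired
  results.push(await withRotatedSecretRetry(cache, connect, isAuthError)); // fetch #3
  return { results, fetches: cache.stats().fetches };
}
```

Only the invocation that first meets a rotated password pays for a second fetch; every other warm invocation is served from the cache until the TTL lapses.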