RavenSettings values, you can use the Key/Value JSON storage using a secret named RavenSettings that the Lambda function will load.
Learn more about adding secrets to Secrets Manager.
There are two ways to specify certificates using
CertPem: Store PEM Certificate in Secrets Manager
The AWS template for RavenDB can load certificates through the JSON configuration, supported through X509Certificate2.CreateFromPem.
The CertPublicKeyFilePath JSON key should be set to the path of the public key certificate, relative to the .csproj file. This should be copied to the output and publish directories automatically.
The CertPrivateKey JSON key should be set to a value containing the base64-encoded contents of the .key file from the RavenDB client certificate package.
RavenSettings key configuration value:
// ... other settings
Settings will be merged with
so you only need to specify settings you wish to overwrite.
CertBytes: Store PFX Certificate in Secrets Manager
The AWS template for RavenDB can also load certificates through the secret setting. This means the client certificate needs to be stored in binary form in AWS Secrets Manager. In the Secrets Manager console, you can add JSON and plaintext secrets. Binary secrets must be uploaded through the AWS CLI.
aws secretsmanager create-secret \
  --name RavenSettings.CertBytes \
  --description "RavenDB Client Certificate file" \
  --secret-binary fileb://<PATH_TO_PFX_FILE>
We then need to grant access to the IAM role used by the Lambda function (created above).
Apply a Resource Policy
First, create a file certpolicy.json with the following AWS policy:
Replace <ACCOUNT_ID> with your AWS account ID and <LAMBDA_FUNCTION_ROLE> with the above-created role assigned to the Lambda function.
Use the aws secretsmanager put-resource-policy command to set the resource policy while also verifying the secret is not broadly accessible:
aws secretsmanager put-resource-policy \
  --secret-id RavenSettings.CertBytes \
  --resource-policy file://certpolicy.json \
  --block-public-policy
The certificate file contents are now stored and will be accessed by the Lambda function on startup.
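An added example, not taken from the original page or the RavenDB template: a Python script that builds a single-role certpolicy.json from the two placeholders above and checks it locally for broad access before it is applied. The policy shape, the function names and the local checks are assumptions made here; the check is a local lint, not the evaluation AWS performs.

```python
import json

# Placeholders from the page; substitute real values before use.
ACCOUNT_ID = "<ACCOUNT_ID>"
LAMBDA_FUNCTION_ROLE = "<LAMBDA_FUNCTION_ROLE>"

def build_cert_policy(account_id, role_name):
    """Resource policy letting one IAM role read the secret (assumed shape)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:role/{role_name}"},
            "Action": "secretsmanager:GetSecretValue",
            # In a secret's resource policy, "*" means the secret it is attached to.
            "Resource": "*",
        }],
    }

def broad_access_findings(policy):
    """Return reasons an Allow statement is wider than a single named role."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in (aws if isinstance(aws, list) else [aws]):
            if p == "*":
                findings.append(f"statement {i}: wildcard principal")
            elif isinstance(p, str) and (p.endswith(":root") or p.isdigit()):
                findings.append(f"statement {i}: whole account {p}")
        actions = stmt.get("Action", [])
        for a in (actions if isinstance(actions, list) else [actions]):
            if "*" in a:
                findings.append(f"statement {i}: wildcard action {a}")
    return findings

if __name__ == "__main__":
    policy = build_cert_policy(ACCOUNT_ID, LAMBDA_FUNCTION_ROLE)
    assert not broad_access_findings(policy)
    print(json.dumps(policy, indent=2))   # redirect the output to certpolicy.json
```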
Verifying the Secret is Loaded
Test invoking the Lambda function again, which should access AWS Secrets Manager successfully
and load the X.509 certificate to use with RavenDB.