Deploying DSM-Accelerator on AWS Lambda

1.0 Introduction

Welcome to the Fortanix Data Security Manager (DSM) Accelerator Webservice User Guide. The Fortanix DSM-Accelerator Webservice distribution is packaged so that it can be used with multiple deployment strategies.

This article illustrates the procedures to deploy the Fortanix DSM-Accelerator Webservice on AWS Lambda.

2.0 Overview

AWS Lambda functions operate on an event-driven architecture, while the Fortanix DSM-Accelerator Webservice primarily follows a REST-based paradigm. To bridge this architectural difference, a new binary has been introduced that allows the Fortanix DSM-Accelerator Webservice to run within the Lambda environment. The same DSM-Accelerator Webservice image can be used in both container deployments and Lambda function deployments, ensuring a consistent experience across deployment scenarios.

NOTE
It is important to note that DSM-Accelerator Webservice images released before version 4.22 do not include this binary, which means that this deployment will not function correctly on those earlier versions.

For more information, refer to the awslabs/aws-lambda-rust-runtime documentation. This project includes all the essential components necessary for compiling a Rust binary that is compatible with Lambda.


Figure 1: Workflow

NOTE
This binary differs from the Fortanix DSM-Accelerator Webservice binary and is specifically intended for use with the Lambda service. As this binary resides within the same container image, additional steps must be undertaken during the container image deployment process.

3.0 Deployment Procedure

NOTE
Before performing the deployment steps, ensure that the Fortanix DSM-Accelerator Webservice image is available in your Elastic Container Repository (ECR). For more information on how to push a Docker image to ECR, refer to https://docs.aws.amazon.com/AmazonECR/latest/userguide/docker-push-ecr-image.html.

Perform the following steps to deploy a Lambda function from the Fortanix DSM-Accelerator Webservice image published to your ECR:

  1. Go to the AWS Lambda Home page.
  2. Click the Create Function button.
  3. Select the radio button for Container Image option as the deployment method, as the image will be sourced from ECR.
  4. Set the function name and choose the ECR image.
  5. Configure the necessary permissions.
    For more information, refer to https://docs.aws.amazon.com/lambda/latest/dg/images-create.html#gettingstarted-images-permissions.
  6. Click the Create Function button.

After successful creation, you can access the function's details page.

4.0 Configuring the Image Entrypoint

Lambda can override the ENTRYPOINT specified in the Dockerfile, so the DSM-Accelerator Webservice image can be used unchanged while the Lambda binary is the one that is executed.

Perform the following steps to configure the image entrypoint:

  1. Scroll to the Image Configuration section in the Image tab of the function page.
  2. Click the Edit button to override the entrypoint to /app/dsma-lambda.
    For more information, refer to https://docs.aws.amazon.com/lambda/latest/dg/images-create.html#images-parms.

NOTE
The command-line arguments can also be overridden here; DSM-Accelerator Webservice CLI flags, such as API_ENDPOINT, can be set as arguments. However, in this deployment, environment variables are used for this purpose.

5.0 Configure the Environment Variables

Perform the following steps to configure the environment variables:

  1. Navigate to the Configuration tab and select the Environment Variables option.
  2. Click the Edit button.
  3. Update the value for the FORTANIX_API_ENDPOINT environment variable to specify the DSM-Accelerator Webservice endpoint.

For more information, refer to https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html.

6.0 Create Function URL

A function URL allows interaction with the DSM-Accelerator Webservice APIs using the REST interface. The function URL effectively serves as the host for the Fortanix DSM-Accelerator Webservice and can be used in REST calls accordingly. For more information, refer to https://docs.aws.amazon.com/lambda/latest/dg/urls-configuration.html#create-url-console.

To monitor DSM-Accelerator Webservice logs and function performance, similar to running a standalone DSM-Accelerator Webservice container, you can use CloudWatch. For more information, refer to https://docs.aws.amazon.com/lambda/latest/dg/monitoring-cloudwatchlogs.html.

You can now seamlessly operate the Fortanix DSM-Accelerator Webservice container image as an AWS Lambda Function within the AWS ecosystem.
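
The console steps in sections 3.0 to 6.0 can also be scripted with the AWS CLI, which makes the entrypoint override and the function URL auth type explicit and reviewable. The following is an added example, not part of the Fortanix guide; the function name, image URI, role ARN, endpoint value and the choice of auth type are placeholders and assumptions.

```shell
#!/bin/sh
# Added example: AWS CLI equivalent of the console steps in sections 3.0-6.0.
# All values below are placeholders (assumptions), not values from the guide.
FUNCTION_NAME="${FUNCTION_NAME:-dsma-webservice}"
IMAGE_URI="${IMAGE_URI:-ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com/REPO:TAG}"
ROLE_ARN="${ROLE_ARN:-arn:aws:iam::ACCOUNT_ID:role/LAMBDA_EXECUTION_ROLE}"
API_ENDPOINT="${API_ENDPOINT:-https://DSM_ENDPOINT_PLACEHOLDER}"
# AWS_IAM: callers must SigV4-sign requests and hold lambda:InvokeFunctionUrl.
# NONE: Lambda performs no authentication on the function URL.
# The guide does not state which to use; AWS_IAM here is an assumption.
AUTH_TYPE="${AUTH_TYPE:-AWS_IAM}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, 0 = execute them

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Sections 3.0-5.0: container-image function, entrypoint override, env var.
create_function() {
  run aws lambda create-function \
    --function-name "$FUNCTION_NAME" \
    --package-type Image \
    --code "ImageUri=$IMAGE_URI" \
    --role "$ROLE_ARN" \
    --image-config EntryPoint=/app/dsma-lambda \
    --environment "Variables={FORTANIX_API_ENDPOINT=$API_ENDPOINT}"
  run aws lambda wait function-active --function-name "$FUNCTION_NAME"
}

# Section 6.0: function URL, with the auth type stated rather than defaulted.
create_function_url() {
  run aws lambda create-function-url-config \
    --function-name "$FUNCTION_NAME" \
    --auth-type "$AUTH_TYPE"
}

# Read back the deployed settings so they can be compared with the intent.
verify_function() {
  run aws lambda get-function-configuration \
    --function-name "$FUNCTION_NAME" \
    --query '{EntryPoint: ImageConfigResponse.ImageConfig.EntryPoint, Env: Environment.Variables}'
  run aws lambda get-function-url-config \
    --function-name "$FUNCTION_NAME" --query AuthType
}

create_function && create_function_url && verify_function
```

With the default DRY_RUN=1 the script only prints the commands; set DRY_RUN=0 and real values to execute them.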

7.0 Examples for Other DSM-Accelerator Offerings

This section describes examples of other DSM-Accelerator offerings for AWS Lambda configuration.

7.1 AWS Lambda for JCE Provider

Click the package below to download the DSM-Accelerator JCE Provider example for AWS Lambda:

For the build and deployment steps, refer to the README file available in the package.

NOTE
The PKCS#11 client has not been tested on AWS Lambda.
