awslabs / amazon-aurora-postgres-monitoring Goto Github PK

Our VPC requires the use of our managed HTTPS proxy for egress. I tried every possible way to set an environment variable to get the lambda to use the proxy. Nothing worked. I had to modify the code like this:

    https_proxy = os.environ.get('HTTPS_PROXY')
    proxy_definitions = {
        'https': https_proxy,
    }

    config = Config(region_name=aws_region, connect_timeout=boto_timeout, retries={'max_attempts': boto_retries}, proxies_config={'proxy_use_forwarding_for_https': True}, proxies=proxy_definitions)

The proxy_use_forwarding_for_https is the critical bit of config. It might work without the proxies and be able to get the proxy directly from the environment variable, but I didn't test that combination. I just know that nothing worked until I set proxy_use_forwarding_for_https to True.

I'm sure this could all be made more generic so that you could control the proxy config without code changes, but I just wanted to share what worked for me.

The example CLI command to encrypt the password is not correct. You need to base64-encode the password before passing it to aws kms encrypt.

If you're lucky, and your password string is not base64, you'll get an error when you call aws kms encrypt, and this will all be obvious.

But it's possible that your password actually is a valid base64 string (e.g. "test"), in which case aws kms encrypt will accept it, decode it into a binary string and encrypt that. When the lambda decrypts it, it will get the binary string, not the password string you want.