An event triggers the instantiation of an AWS Lambda function. Upon bootstrap, the Vault AWS Lambda Extension makes a request to obtain secrets from a Vault deployment.

The request is an HTTPS API call on TCP port 8200 to a well-known DNS name that represents the Vault deployment.

A local router forwards the traffic to a Transit Gateway through an attachment. A Transit Gateway accepts attachments from AWS VPCs, AWS Direct Connect, WAN network devices, or VPN connections.

The AWS Transit Gateway forwards the traffic to the trusted HCP HVN attachment.

Upon receiving the service request, Vault uses its AWS Authentication Engine configuration to request validation of the caller's identity. An account principal in the local AWS account's IAM vets the identity.

With a valid identity, Vault matches the policies that grant the caller privileges on one or more secrets engines. The secrets engine returns a payload containing the secret material to the original caller.

The extension writes the secrets to a private location accessible within the Lambda Execution Environment and then signals readiness.

The AWS Lambda runtime function reads the secrets and uses the payload for a front-end or back-end operation.
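As an added example, not code from the extension or from the original page, the following Lambda handler consumes the file the extension writes in the last two steps. It assumes the file holds the raw Vault API response as JSON at the path in VAULT_SECRET_FILE (default /tmp/vault/secret.json), and both sample responses in it are constructed.

```python
"""Added example, not the extension's own code: a Lambda handler that consumes the
file the Vault AWS Lambda Extension writes. Assumes the file holds the raw Vault
API response as JSON at VAULT_SECRET_FILE (default /tmp/vault/secret.json)."""
import json
import os
import time
from pathlib import Path

SECRET_FILE = Path(os.environ.get("VAULT_SECRET_FILE", "/tmp/vault/secret.json"))

# Constructed KV v2 read: key/values sit under data.data and carry no lease
SAMPLE_KV_V2 = {"lease_duration": 0, "data": {
    "data": {"db_user": "app", "db_password": "constructed-not-real"},
    "metadata": {"version": 3}}}
# Constructed dynamic credential (AWS secrets engine shape): flat data plus a lease
SAMPLE_DYNAMIC = {"lease_id": "aws/creds/lambda/CONSTRUCTED", "lease_duration": 3600,
                  "data": {"access_key": "CONSTRUCTED", "secret_key": "CONSTRUCTED"}}


def parse_response(body, now):
    """Return (secrets, expires_at); expires_at is None for static secrets, else
    the epoch second after which a dynamic credential must not be used."""
    data = body.get("data")
    if not isinstance(data, dict) or not data:
        raise ValueError("Vault response carried no secret data")
    # KV v2 nests the payload one level deeper than other engines
    secrets = data["data"] if isinstance(data.get("data"), dict) else data
    lease = int(body.get("lease_duration") or 0)
    return dict(secrets), (now + lease if lease else None)


def load_secrets(path=SECRET_FILE, now=None):
    """Read the extension's output, failing closed if it is absent or malformed."""
    try:
        body = json.loads(path.read_text())
    except FileNotFoundError:
        # Extension not attached, not yet ready, or its secret path misconfigured
        raise RuntimeError(f"Vault secret file missing: {path}") from None
    except json.JSONDecodeError as exc:
        raise RuntimeError("Vault secret file is not valid JSON") from exc
    return parse_response(body, time.time() if now is None else now)


def handler(event, context):
    secrets, expires_at = load_secrets()
    if expires_at is not None and time.time() >= expires_at:
        # Warm invocation outliving a dynamic lease: fail rather than use stale creds
        raise RuntimeError("cached Vault lease expired")
    # Secret values are used here and never echoed into logs or the response
    return {"statusCode": 200, "secret_keys": sorted(secrets)}
```

The lease check matters because a warm Lambda execution environment can outlive a dynamic credential's TTL, and the handler should fail closed rather than present expired material.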