aws / aws-secretsmanager-agent

The AWS Secrets Manager Agent is a local HTTP service that you can install and use in your compute environments to read secrets from Secrets Manager and cache them in memory.
Apache License 2.0

Add authentication method for Lambda Functions using SnapStart #8

Closed roamingthings closed 4 months ago

roamingthings commented 4 months ago

The Secrets Manager Agent requires a session token in the X-Aws-Parameters-Secrets-Token header. When a Lambda Function is using SnapStart this token is not available. Instead container credentials are used.

For this reason, it's currently not possible to use the AWS Secrets Manager Agent with Lambda Functions that have SnapStart enabled.

Here is a code snippet that demonstrates the issue:

import java.net.URI;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;

try {
    var awsSessionToken = System.getenv("AWS_SESSION_TOKEN");
    var request = HttpRequest.newBuilder()
            .GET()
            .uri(URI.create("http://localhost:2773/secretsmanager/get?secretId=<theSecretId>"))
            // This will raise a NullPointerException with the SnapStart version (AWS_SESSION_TOKEN is
            // not set) and will work with the $LATEST or main version of the lambda
            .header("X-Aws-Parameters-Secrets-Token", awsSessionToken)
            .build();
    var httpResponse = httpClient.send(request, HttpResponse.BodyHandlers.ofString());
    log.info("Response: {}", httpResponse.body());
} catch (Exception e) {
    log.error("Error while calling secrets manager", e);
    throw new RuntimeException(e);
}

In case the header is omitted the agent will reject the request as documented.

simonmarty commented 4 months ago

The token used in the header does not need to be a session token. We accept AWS_SESSION_TOKEN as an environment variable to source the token value in order to provide intercompatibility between this agent and the AWS Parameters and Secrets Lambda Extension.

Prefer the use of the environment variable AWS_TOKEN to set the agent SSRF token in your case.
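One way to apply that advice in the Java handler, as an added example that is not code from the agent project or from either participant: the token is resolved from AWS_TOKEN first with AWS_SESSION_TOKEN as the compatibility fallback (that precedence is an assumption drawn from the comment above), the call fails with a clear error when neither is set instead of hitting the NullPointerException from the original snippet, and non-200 answers from the agent are rejected rather than returned as secret values. The class name `AgentClient`, the local port 2773 (taken from the snippet), and the assumption that AWS_TOKEN is set in the function configuration so the agent and the handler read the same value are all assumptions.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Map;

// Hypothetical helper class; not part of the agent project.
public final class AgentClient {
    private static final String AGENT_BASE = "http://localhost:2773";
    private static final String TOKEN_HEADER = "X-Aws-Parameters-Secrets-Token";
    private final HttpClient httpClient = HttpClient.newHttpClient();

    // Resolve the agent's SSRF token: AWS_TOKEN preferred, AWS_SESSION_TOKEN as the
    // compatibility fallback (assumed precedence, matching the comment above).
    // Returns null only when neither is set, e.g. SnapStart without AWS_TOKEN configured.
    static String resolveToken(Map<String, String> env) {
        String token = env.get("AWS_TOKEN");
        if (token == null || token.isBlank()) {
            token = env.get("AWS_SESSION_TOKEN");
        }
        return (token == null || token.isBlank()) ? null : token;
    }

    public String getSecret(String secretId) throws Exception {
        String token = resolveToken(System.getenv());
        if (token == null) {
            // Fail with a clear message instead of the NullPointerException from a null header value.
            throw new IllegalStateException(
                    "No agent token: set AWS_TOKEN in the function environment (SnapStart has no AWS_SESSION_TOKEN)");
        }
        // Encode the id so names containing '/' or other reserved characters survive the query string.
        String encodedId = URLEncoder.encode(secretId, StandardCharsets.UTF_8);
        HttpRequest request = HttpRequest.newBuilder()
                .GET()
                .uri(URI.create(AGENT_BASE + "/secretsmanager/get?secretId=" + encodedId))
                .header(TOKEN_HEADER, token)
                .build();
        HttpResponse<String> response = httpClient.send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() != 200) {
            // A missing or wrong token is rejected by the agent; surface that instead of returning
            // the error body as if it were a secret.
            throw new IllegalStateException("Agent returned HTTP " + response.statusCode() + ": " + response.body());
        }
        return response.body();
    }
}
```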