[PR #5591] RFC: AWS Serverless Support #7275

New Issue

GiteaMirror · 2026-03-07T21:14:05-06:00

GiteaMirror commented

2026-03-07 21:14:05 -06:00

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/5591
Author: @txase
Created: 2/14/2025
Status: 🔄 Open

Base: main ← Head: main

📝 Commits (5)

3e886e6 AWS Aurora DSQL support
9a9786e Add AWS S3 support for non-temporary files
ed26fa3 Add AWS SES for sending emails
bdab7b4 Copy add_manage migration for DSQL
f4a40cb Build and deploy support for AWS

📊 Changes

36 files changed (+3172 additions, -191 deletions)

View changed files

➕ .github/workflows/lambda.yml (+49 -0)
📝 Cargo.lock (+897 -11)
📝 Cargo.toml (+10 -0)
➕ CargoLambda.toml (+7 -0)
➕ aws/.gitignore (+3 -0)
➕ aws/README.md (+53 -0)
➕ aws/deploy.sh (+9 -0)
➕ aws/samconfig.toml (+12 -0)
➕ aws/template.yaml (+582 -0)
📝 build.rs (+13 -1)
➕ migrations/dsql/2024-12-30-100000_create_tables/metadata.toml (+1 -0)
➕ migrations/dsql/2024-12-30-100000_create_tables/up.sql (+281 -0)
➕ migrations/dsql/2025-01-09-172300_add_manage/down.sql (+0 -0)
➕ migrations/dsql/2025-01-09-172300_add_manage/metadata.toml (+1 -0)
➕ migrations/dsql/2025-01-09-172300_add_manage/up.sql (+8 -0)
📝 src/api/admin.rs (+4 -4)
📝 src/api/core/ciphers.rs (+23 -24)
📝 src/api/core/emergency_access.rs (+1 -1)
📝 src/api/core/organizations.rs (+7 -6)
📝 src/api/core/sends.rs (+27 -18)

...and 16 more files

📄 Description

This draft PR contains a POC of support for deploying an instance of Vaultwarden into an AWS account using entirely "serverless" services (likely falling within the free-tier usage limits as well). I'm looking for feedback and agreement by Vaultwarden maintainers on whether these contributions could be merged into vaultwarden (with further refinement).

Architecture

CloudFront CDN
├─ API Lambda Function
│  ├─ Data S3 Bucket
│  ├─ Aurora DSQL Database
│  └─ Amazon Simple Email Service (SES)
└─ Web-vault static assets S3 Bucket

All of this is implemented in the PR behind feature flags: dsql, s3, and ses. All three can be enabled together via the aws feature flag.

Unimplemented Functionality

I believe all functionality, except as listed below, is functional. But I'm new to vaultwarden and may have missed something along the way. I've not found any significant issues with my own usage due to this missing functionality, however.

Background jobs (e.g. to delete expired data)
Websockets for events

Open Questions / Concerns

Aurora DSQL is in preview. It's mostly compatible with Postgres, but it has a few incompatibilities that could be an issue if they remain at GA:
- Foreign keys (FKs) are not supported. However, after auditing the code I did not find any Postgres functionality that requires FKs (unlike for sqlite and Mysql). It would be nice to have it to feel safer for data consistency, but doesn't appear to be necessary. The seed migration file in this PR is a dump from a local Postgres vaultwarden database that I then stripped FK constraints from. This is a known documented issue with the DSQL preview, and it is unclear if it will be resolved before GA.
- DDL statements cannot be executed in a transaction, so migrations are a bit more fraught. I've yet to have a migration fail, though. This is a known documented issue with the DSQL preview, and it is unclear if it will be resolved before GA.
- Tables can be altered to add rows, but new rows cannot have constraints. This is an undocumented issue I found, and gives me more concern that further migration difficulties will arise over time. Hopefully this will be resolved before GA.
API Lambda Function settings:
- MemorySize is set to 3008 MB. This is the largest possible Function size for new accounts (which is an undocumented AWS limit). Cost is linearly related to this value, but lower values mean longer cold start times, especially when creating TLS connections to external services. For a production environment with a lot of traffic this would be tuned to a minimal amount that achieves desired performance characteristics. Here, I set it to the max because traffic will generally be minimal for private usage, and cost will likely fit under the free tier.
- Timeout is set to 5 minutes. Cold start times seem to average about 3-4 seconds. Warmed functions (or cold functions after the init work) generally take less than a second to complete (if no external services need to be invoked, warmed functions generally complete in under 10 ms). Importing my personal vault (~600 items) took just under 30 seconds. A 5 minute limit seems large, but I don't want to cause issues for anyone importing or exporting a sizable vault.
Attachment size limit: 6 MB. With client changes it would be possible to upload directly from clients to S3 via signed URLs. This is how the official Bitwarden service works, but they use the Azure Blob Storage service instead of AWS S3. Azure uses POST instead of S3's PUT to upload, and although S3 also supports POST with signed URLs the data must be form-encoded. This means existing Bitwarden clients cannot upload directly to S3, and must instead upload through the API Lambda Function. Unfortunately, the AWS Lambda service has a 6 MB size limit for request payloads. Note: This only applies to uploads, downloads are streamed from S3 directly via signed GET URLs which do not have a size limit.

Deployment Instructions

See the aws/README.md file in this PR.

Proposed Plan of Attack

This PR is too large to attempt to review and merge with sanity. With agreement from Vaultwarden maintainers in comments below, I propose developing and merging the following as separate PRs in sequence:

Add the persistent_fs module, migrating existing filesystem functionality into a "local" backend implementation. See src/persistent_fs/mod.rs and src/persistent_fs/local.rs. This would not change any functionality; it would simply rearchitect file access in preparation for the addition of an S3 backend.
Add the S3 persistent FS backend implementation
Add SES support for sending emails
Add DSQL support, with some means for denoting it is beta or unstable functionality (e.g. label the feature flag dsql-beta)
Add a GitHub Actions workflow to build a Lambda function package on release
- In an ideal case, the vaultwarden project would also own an AWS account with regional S3 Buckets to upload releases to. This would simplify deployment, allowing users to deploy to their own AWS accounts without having to download and upload function code packages themselves. I can help set this up if needed.
Add the CloudFormation template and deployment instructions

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/dani-garcia/vaultwarden/pull/5591 **Author:** [@txase](https://github.com/txase) **Created:** 2/14/2025 **Status:** 🔄 Open **Base:** `main` ← **Head:** `main` --- ### 📝 Commits (5) - [`3e886e6`](https://github.com/dani-garcia/vaultwarden/commit/3e886e670e7e026c188af1d856ca8ae2cc3113b5) AWS Aurora DSQL support - [`9a9786e`](https://github.com/dani-garcia/vaultwarden/commit/9a9786e3701d0f8ada8c4a8f1f917528f5a65de7) Add AWS S3 support for non-temporary files - [`ed26fa3`](https://github.com/dani-garcia/vaultwarden/commit/ed26fa36402f3ae3f35258ab91a790ff4c70e0c7) Add AWS SES for sending emails - [`bdab7b4`](https://github.com/dani-garcia/vaultwarden/commit/bdab7b49ee1037d0f23570ae8c3884aba91ea240) Copy add_manage migration for DSQL - [`f4a40cb`](https://github.com/dani-garcia/vaultwarden/commit/f4a40cba266fe9036ba45341f4cd18939e9b521f) Build and deploy support for AWS ### 📊 Changes **36 files changed** (+3172 additions, -191 deletions) <details> <summary>View changed files</summary> ➕ `.github/workflows/lambda.yml` (+49 -0) 📝 `Cargo.lock` (+897 -11) 📝 `Cargo.toml` (+10 -0) ➕ `CargoLambda.toml` (+7 -0) ➕ `aws/.gitignore` (+3 -0) ➕ `aws/README.md` (+53 -0) ➕ `aws/deploy.sh` (+9 -0) ➕ `aws/samconfig.toml` (+12 -0) ➕ `aws/template.yaml` (+582 -0) 📝 `build.rs` (+13 -1) ➕ `migrations/dsql/2024-12-30-100000_create_tables/metadata.toml` (+1 -0) ➕ `migrations/dsql/2024-12-30-100000_create_tables/up.sql` (+281 -0) ➕ `migrations/dsql/2025-01-09-172300_add_manage/down.sql` (+0 -0) ➕ `migrations/dsql/2025-01-09-172300_add_manage/metadata.toml` (+1 -0) ➕ `migrations/dsql/2025-01-09-172300_add_manage/up.sql` (+8 -0) 📝 `src/api/admin.rs` (+4 -4) 📝 `src/api/core/ciphers.rs` (+23 -24) 📝 `src/api/core/emergency_access.rs` (+1 -1) 📝 `src/api/core/organizations.rs` (+7 -6) 📝 `src/api/core/sends.rs` (+27 -18) _...and 16 more files_ </details> ### 📄 Description This draft PR contains a POC of support for deploying an instance of Vaultwarden into an AWS account using entirely "serverless" services (likely falling within the free-tier usage limits as well). I'm looking for feedback and agreement by Vaultwarden maintainers on whether these contributions could be merged into vaultwarden (with further refinement). ### Architecture ``` CloudFront CDN ├─ API Lambda Function │ ├─ Data S3 Bucket │ ├─ Aurora DSQL Database │ └─ Amazon Simple Email Service (SES) └─ Web-vault static assets S3 Bucket ``` All of this is implemented in the PR behind feature flags: `dsql`, `s3`, and `ses`. All three can be enabled together via the `aws` feature flag. ### Unimplemented Functionality I believe all functionality, except as listed below, is functional. But I'm new to vaultwarden and may have missed something along the way. I've not found any significant issues with my own usage due to this missing functionality, however. * Background jobs (e.g. to delete expired data) * Websockets for events ### Open Questions / Concerns * Aurora DSQL is in preview. It's mostly compatible with Postgres, but it has a few incompatibilities that could be an issue if they remain at GA: * Foreign keys (FKs) are not supported. However, after auditing the code I did not find any Postgres functionality that requires FKs (unlike for sqlite and Mysql). It would be nice to have it to feel safer for data consistency, but doesn't appear to be necessary. The seed migration file in this PR is a dump from a local Postgres vaultwarden database that I then stripped FK constraints from. This is a known documented issue with the DSQL preview, and it is unclear if it will be resolved before GA. * DDL statements cannot be executed in a transaction, so migrations are a bit more fraught. I've yet to have a migration fail, though. This is a known documented issue with the DSQL preview, and it is unclear if it will be resolved before GA. * Tables can be altered to add rows, but new rows cannot have constraints. This is an undocumented issue I found, and gives me more concern that further migration difficulties will arise over time. Hopefully this will be resolved before GA. * API Lambda Function settings: * MemorySize is set to 3008 MB. This is the largest possible Function size for new accounts (which is an undocumented AWS limit). Cost is linearly related to this value, but lower values mean longer cold start times, especially when creating TLS connections to external services. For a production environment with a lot of traffic this would be tuned to a minimal amount that achieves desired performance characteristics. Here, I set it to the max because traffic will generally be minimal for private usage, and cost will likely fit under the free tier. * Timeout is set to 5 minutes. Cold start times seem to average about 3-4 seconds. Warmed functions (or cold functions after the init work) generally take less than a second to complete (if no external services need to be invoked, warmed functions generally complete in under 10 ms). Importing my personal vault (~600 items) took just under 30 seconds. A 5 minute limit seems large, but I don't want to cause issues for anyone importing or exporting a sizable vault. * Attachment size limit: 6 MB. With client changes it would be possible to upload directly from clients to S3 via signed URLs. This is how the official Bitwarden service works, but they use the Azure Blob Storage service instead of AWS S3. Azure uses `POST` instead of S3's `PUT` to upload, and although S3 also supports `POST` with signed URLs the data must be form-encoded. This means existing Bitwarden clients cannot upload directly to S3, and must instead upload through the API Lambda Function. Unfortunately, the AWS Lambda service has a 6 MB size limit for request payloads. *Note: This only applies to uploads, downloads are streamed from S3 directly via signed `GET` URLs which do not have a size limit.* ### Deployment Instructions See the aws/README.md file in this PR. ### Proposed Plan of Attack This PR is too large to attempt to review and merge with sanity. With agreement from Vaultwarden maintainers in comments below, I propose developing and merging the following as separate PRs in sequence: - [x] Add the `persistent_fs` module, migrating existing filesystem functionality into a "local" backend implementation. See `src/persistent_fs/mod.rs` and `src/persistent_fs/local.rs`. This would not change any functionality; it would simply rearchitect file access in preparation for the addition of an S3 backend. - [x] Add the S3 persistent FS backend implementation - [ ] Add SES support for sending emails - [ ] Add DSQL support, with some means for denoting it is beta or unstable functionality (e.g. label the feature flag `dsql-beta`) - [ ] Add a GitHub Actions workflow to build a Lambda function package on release - [ ] In an ideal case, the vaultwarden project would also own an AWS account with regional S3 Buckets to upload releases to. This would simplify deployment, allowing users to deploy to their own AWS accounts without having to download and upload function code packages themselves. I can help set this up if needed. - [ ] Add the CloudFormation template and deployment instructions --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

GiteaMirror added the pull-request label 2026-03-07 21:14:05 -06:00

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/vaultwarden#7275