How do I create a rotation function with an AWS Secrets Manager secret for an unsupported database?
Last updated: 2020-10-19
How can I create an AWS Lambda function to rotate AWS Secrets Manager secrets for other databases or third-party services?
Short description
When a secret is created for a database that Amazon Relational Database Service (Amazon RDS) supports, or for another supported AWS service, Secrets Manager creates the Lambda rotation function for you. For databases and services that Secrets Manager doesn't support, you must create the Lambda rotation function manually.
Resolution
Use the generic rotation function template to rotate secrets. Before you enable rotation for a secret for another database or service, you must create the code for the Lambda rotation function.
Important:
- Before you begin, be sure that you have installed and configured the AWS Command Line Interface (AWS CLI).
- If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.
Create an AWS CloudFormation change set based on the generic rotation function template
Run the AWS CLI command create-cloud-formation-change-set with these values:
--stack-name: The name of the AWS CloudFormation stack that you create a change set for.
--parameter-overrides: The AWS Secrets Manager Regional endpoint for your Region, and the name of the Lambda rotation function that the template creates.
aws serverlessrepo create-cloud-formation-change-set \
--application-id arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRotationTemplate \
--stack-name MyLambdaCreationStack \
--parameter-overrides Name=endpoint,Value=https://secretsmanager.REGION.amazonaws.com Name=functionName,Value=MySecretsManagerRotationFunction \
--capabilities CAPABILITY_IAM CAPABILITY_RESOURCE_POLICY
Note: Make sure to use the Amazon Resource Name (ARN) of arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRotationTemplate exactly as shown.
An AWS CloudFormation change set is created for the template. The AWS CloudFormation stack name begins with aws-serverless-repository- and the stack status code is set to REVIEW_IN_PROGRESS.
Update a stack using the change set
The create-cloud-formation-change-set command returns the ApplicationId, ChangeSetId, SemanticVersion, and StackId. To apply the change set and update the stack, run execute-change-set and pass the ChangeSetId as the --change-set-name value. The command produces no output and changes the stack status code to CREATE_COMPLETE. The AWS CloudFormation stack creates the Lambda function and an IAM role with the required permissions that's attached to the Lambda function.
Run the following AWS CLI command:
aws cloudformation execute-change-set --change-set-name arn:aws:cloudformation:region:123456789012:changeSet/EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE/EXAMPLE2-90ab-cdef-fedc-ba987EXAMPLE
Verify that the Lambda function was created
Run the following AWS CLI command:
aws lambda list-functions
Output
{
...
"FunctionName": "MySecretsManagerRotationFunction",
...
"FunctionArn": "arn:aws:lambda:region:123456789012:function:MySecretsManagerRotationFunction",
...
}
Note: The name of the Lambda function is the functionName value that you specified in --parameter-overrides.
Configure the Lambda function for Amazon Virtual Private Cloud (Amazon VPC) access
If your database or service resides in an Amazon VPC, run an update-function-configuration command similar to the following. The update-function-configuration command configures the Lambda rotation function to run in the VPC. Be sure to provide your own VPC subnet IDs and security group IDs. For more information, see Configuring a Lambda function to access resources in an Amazon VPC.
Note: If your database or service doesn't reside in an Amazon VPC, skip this step.
$ aws lambda update-function-configuration --function-name your-lambda-function \
--vpc-config SubnetIds=subnet-076c28105d486f3bd,subnet-0af00c796ccdc725f,SecurityGroupIds=sg-0aed64f81acc4c037
Create a VPC endpoint for the Secrets Manager service
If the VPC that contains your database or service and the Lambda rotation function doesn't have internet access, then configure the VPC with a private service endpoint for Secrets Manager. This lets the rotation function reach Secrets Manager at an endpoint inside the VPC without traversing the internet. Run a create-vpc-endpoint command similar to the following:
Note: If your database or service does not reside in an Amazon VPC, skip this step.
$ aws ec2 create-vpc-endpoint --vpc-id vpc-0abb11f5a28a8abe7 --vpc-endpoint-type Interface \
--service-name com.amazonaws.your-region.secretsmanager --subnet-ids subnet-076c28105d486f3bd subnet-0af00c796ccdc725f \
--security-group-ids sg-0bacf4bbed67e4df5
Set up network connectivity between the Lambda function and database or service
Be sure that the Lambda function can route to your database or service over the required network ports. This varies depending on the database or service, and its associated VPC configuration.
Note: If your database or service does not reside in an Amazon VPC, skip this step.
Customize the rotation function for your use case
The rotation template implements the createSecret and finishSecret steps for you. The setSecret and testSecret steps require manual implementation for your use case and database. For more information, see The steps of the Lambda rotation function.
Enable rotation for your secret
Specify the number of days between rotations with the --rotation-rules parameter and its AutomaticallyAfterDays key:
aws secretsmanager rotate-secret --secret-id production/MyAwesomeAppSecret --rotation-lambda-arn arn:aws:lambda:region:123456789012:function:MySecretsManagerRotationFunction --rotation-rules AutomaticallyAfterDays=7
For more information, see Rotating AWS Secrets Manager secrets for other databases or services.