How do I create a rotation function with an AWS Secrets Manager secret for an unsupported database?

Last updated: 2020-10-19

How can I create an AWS Lambda function to rotate AWS Secrets Manager secrets for other databases or third-party services?

Short description

Secrets Manager secrets created with Amazon Relational Database Service (Amazon RDS) supported databases and other AWS support services automatically create the Lambda rotation. For unsupported AWS databases and services, you can manually create the Lambda function.


Use the generic rotation function template to rotate secrets. Before you enable rotation for a secret for another database or service, you must create the code for the Lambda rotation function.


Create an AWS CloudFormation change set based on the generic rotation function template

Run the AWS CLI command create-cloud-formation-change-set for these values:

--stack-name: The name of the AWS CloudFormation stack that you create a change set for.

--parameter-override: The AWS Secrets Manager Regional endpoints for your Region, and the name of the Lambda rotation function that the template creates.

aws serverlessrepo create-cloud-formation-change-set --application-id arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRotationTemplate --stack-name MyLambdaCreationStack --parameter-overrides Name=endpoint,Value= Name=functionName,Value=MySecretsManagerRotationFunction --capabilities CAPABILITY_IAM CAPABILITY_RESOURCE_POLICY

Note: Make sure to use the Amazon Resource Name (ARN) of arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRotationTemplate exactly as shown.

An AWS CloudFormation change set is created for the template. The AWS CloudFormation stack name begins with aws-serverless-repository- and the stack status code is set to REVIEW_IN_PROGRESS.

Update a stack using the change set

The create-cloud-formation-change-set command returns the ApplicationId, ChangeSetId, SemanticVersion, and StackId. To update the stack status, you must provide the ChangeSetId to the change-set-name. The change-set-name produces no output and changes the stack status code to CREATE_COMPLETE. The AWS CloudFormation stack creates the Lambda function and an IAM role that's attached to the Lambda function with the required permissions.

Run the following AWS CLI command:

aws cloudformation execute-change-set --change-set-name arn:aws:cloudformation:region:123456789012:changeSet/EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE/EXAMPLE2-90ab-cdef-fedc-ba987EXAMPLE

Verify that the Lambda functions created

Run the following AWS CLI command:

aws lambda list-functions

    "FunctionName": "MySecretsManagerRotationFunction",
    "FunctionArn": "arn:aws:lambda:region:123456789012:function:MySecretsManagerRotationFunction",

Note: The name of the Lambda function is the value of function name specified in --parameter-overrides.

Configure the Lambda function for Amazon Virtual Private Cloud (Amazon VPC) access

If your database or service resides in an Amazon VPC, run the update-function-configuration command similar to the following. The update-function-configuration command configures the Lambda rotation function to run in the VPC. Be sure to provide the VPC subnet IDs and security group IDs. For more information, see Configuring a Lambda function to access resources in an Amazon VPC.

Note: If your database or service doesn't reside in an Amazon VPC, skip this step.

$ aws lambda update-function-configuration --function-name your-lambda-function \
--vpc-config SubnetIds=subnet-076c28105d486f3bd,subnet-0af00c796ccdc725f,SecurityGroupIds=sg-0aed64f81acc4c037

Create a VPC endpoint for the Secrets Manager service

If the VPC with your database or service and Lambda rotation function doesn't have internet access, then configure the VPC with a private service endpoint for Secrets Manager. This enables the rotation function to access Secrets Manager at an endpoint within the VPC. Run the create-vpc-endpoint command similar to the following:

Note: If your database or service does not reside in an Amazon VPC, skip this step.

$ aws ec2 create-vpc-endpoint --vpc-id  vpc-0abb11f5a28a8abe7 --vpc-endpoint-type Interface \
--service-name com.amazonaws.your-region.secretsmanager  --subnet-ids subnet-076c28105d486f3bd subnet-0af00c796ccdc725f \
--security-group-ids sg-0bacf4bbed67e4df5

Set up network connectivity between the Lambda function and database or service

Be sure that the Lambda function can route to your database or service over the required network ports. This varies depending on the database or service, and its associated VPC configuration.

Note: If your database or service does not reside in an Amazon VPC, skip this step.

Customize the rotation function for your use case

The rotation template implements the createSecret and finishSecret steps for you. The setSecret and testSecret steps require manual implementation for your use case and database. For more information, see The steps of the Lambda rotation function.

Enable rotation for your secret

Specify the number of days between rotations with the parameters --rotation-rules and AutomaticallyAfterDays:

aws secretsmanager rotate-secret --secret-id production/MyAwesomeAppSecret --rotation-lambda-arn arn:aws:lambda:region:123456789012:function:MySecretsManagerRotationFunction --rotation-rules AutomaticallyAfterDays=7