How do I create a rotation function with an AWS Secrets Manager secret for an unsupported database?

Last updated: 2020-02-26

How can I create an AWS Lambda function to rotate AWS Secrets Manager secrets for other databases or third-party services?

Short Description

For secrets created for Amazon Relational Database Service (Amazon RDS) supported databases and other supported AWS services, Secrets Manager automatically creates the Lambda rotation function. For databases and services that aren't supported, you can manually create the Lambda function.


Use the Generic Rotation Function Template to rotate secrets. Before you enable rotation for a secret for another database or service, you must create the code for the Lambda rotation function.

Create an AWS CloudFormation change set based on the generic rotation function template

Important: Before you begin, be sure you install and configure the AWS Command Line Interface (AWS CLI).

Run the AWS CLI command create-cloud-formation-change-set with these values:

--stack-name The name of the AWS CloudFormation stack that you create a change set for.

--parameter-overrides The AWS Secrets Manager endpoint URL for your Region, and the name of the Lambda rotation function that the template creates.

aws serverlessrepo create-cloud-formation-change-set --application-id arn:aws:serverlessrepo:us-east-1:123456789012:applications/SecretsManagerRotationTemplate --stack-name MyLambdaCreationStack --parameter-overrides Name=endpoint,Value= Name=functionName,Value=MySecretsManagerRotationFunction --capabilities CAPABILITY_IAM CAPABILITY_RESOURCE_POLICY

An AWS CloudFormation change set is created for the template. The AWS CloudFormation stack name begins with aws-serverless-repository- and the stack status code is set to REVIEW_IN_PROGRESS.

Update a stack using the change set

The create-cloud-formation-change-set command returns the ApplicationId, ChangeSetId, SemanticVersion, and StackId. To update the stack status, pass the ChangeSetId as the value of --change-set-name in the execute-change-set command. The command produces no output and changes the stack status code to CREATE_COMPLETE. The AWS CloudFormation stack creates the Lambda function and an IAM role that's attached to the Lambda function with the required permissions.

Run the following AWS CLI command:

aws cloudformation execute-change-set --change-set-name arn:aws:cloudformation:region:123456789012:changeSet/EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE/EXAMPLE2-90ab-cdef-fedc-ba987EXAMPLE

Verify that the Lambda function is created

Run the following AWS CLI command:

aws lambda list-functions

    "FunctionName": "MySecretsManagerRotationFunction",
    "FunctionArn": "arn:aws:lambda:region:123456789012:function:MySecretsManagerRotationFunction",

Note: The name of the Lambda function is the value of functionName specified in --parameter-overrides.

Configure the Lambda function for Amazon Virtual Private Cloud (Amazon VPC) Access

If your database or service resides in an Amazon VPC, run the following command. The command update-function-configuration configures the Lambda rotation function to run in the VPC. Be sure to provide the VPC subnet IDs and security group IDs. For more information, see Configuring a Lambda Function to Access Resources in an Amazon VPC.

Note: If your database or service doesn't reside in an Amazon VPC, skip this step.

aws lambda update-function-configuration --function-name MySecretsManagerRotationFunction --vpc-config SubnetIds=COMMA SEPARATED LIST OF VPC SUBNET IDS,SecurityGroupIds=COMMA SEPARATED LIST OF SECURITY GROUP IDs

Create a VPC endpoint for the Secrets Manager service

If the VPC with your database or service and Lambda rotation function doesn't have internet access, then configure the VPC with a private service endpoint for Secrets Manager. This enables the rotation function to access Secrets Manager at an endpoint within the VPC. Run the following AWS CLI command create-vpc-endpoint:

Note: If your database or service does not reside in an Amazon VPC, skip this step.

aws ec2 create-vpc-endpoint --vpc-id VPC ID --vpc-endpoint-type Interface --service-name com.amazonaws.REGION.secretsmanager --subnet-ids SPACE SEPARATED LIST OF VPC SUBNET IDS --security-group-ids SPACE SEPARATED LIST OF SECURITY GROUP IDs --private-dns-enabled

Customize your rotation scenario

Customize your rotation scenario. For more information, see Understanding and Customizing Your Lambda Rotation Function.

Enable rotation for your secret

1.    Enable rotation for your secret. For more information, see Enabling Rotation for a Secret for Another Database or Service.

2.    Specify the number of days between rotations with the parameters --rotation-rules and AutomaticallyAfterDays:

aws secretsmanager rotate-secret --secret-id production/MyAwesomeAppSecret --rotation-lambda-arn arn:aws:lambda:region:123456789012:function:MySecretsManagerRotationFunction --rotation-rules AutomaticallyAfterDays=7
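
The steps above chained into two shell functions, as an added example that is not part of the original article: the ChangeSetId is captured from the first command and passed to execute-change-set, the stack is awaited, and each result is verified before moving on. The function names, the use of --query/--output text, the cloudformation wait calls, and the get-function and describe-secret checks are choices made for this example; the endpoint URL is supplied by the caller.

```shell
# Added example: chains the article's AWS CLI steps. Function names are assumptions.
APP_ID="arn:aws:serverlessrepo:us-east-1:123456789012:applications/SecretsManagerRotationTemplate"

# deploy_rotation_function STACK_NAME FUNCTION_NAME ENDPOINT_URL
# Prints the ARN of the created Lambda function; returns non-zero on any failure.
deploy_rotation_function() {
  local stack_name function_name endpoint_url ids change_set_id stack_id
  stack_name=$1; function_name=$2; endpoint_url=$3

  # Text output of a list query is one tab-separated line: ChangeSetId<TAB>StackId.
  ids=$(aws serverlessrepo create-cloud-formation-change-set \
    --application-id "$APP_ID" \
    --stack-name "$stack_name" \
    --parameter-overrides "Name=endpoint,Value=$endpoint_url" \
      "Name=functionName,Value=$function_name" \
    --capabilities CAPABILITY_IAM CAPABILITY_RESOURCE_POLICY \
    --query '[ChangeSetId,StackId]' --output text) || return 1
  change_set_id=$(printf '%s\n' "$ids" | cut -f1)
  stack_id=$(printf '%s\n' "$ids" | cut -f2)
  if [ -z "$change_set_id" ] || [ -z "$stack_id" ]; then
    echo "change set or stack ID missing from CLI output" >&2
    return 1
  fi

  # The change set must finish creating before it can be executed.
  aws cloudformation wait change-set-create-complete \
    --change-set-name "$change_set_id" || return 1
  aws cloudformation execute-change-set --change-set-name "$change_set_id" || return 1
  aws cloudformation wait stack-create-complete --stack-name "$stack_id" || return 1

  # Confirm the function exists by exact name instead of scanning list-functions.
  aws lambda get-function --function-name "$function_name" \
    --query 'Configuration.FunctionArn' --output text
}

# enable_rotation SECRET_ID LAMBDA_ARN DAYS
# Turns rotation on, then reads the secret back to confirm RotationEnabled.
enable_rotation() {
  local secret_id lambda_arn days enabled
  secret_id=$1; lambda_arn=$2; days=$3
  aws secretsmanager rotate-secret --secret-id "$secret_id" \
    --rotation-lambda-arn "$lambda_arn" \
    --rotation-rules "AutomaticallyAfterDays=$days" >/dev/null || return 1
  enabled=$(aws secretsmanager describe-secret --secret-id "$secret_id" \
    --query 'RotationEnabled' --output text) || return 1
  if [ "$enabled" != "True" ]; then
    echo "rotation is not enabled on $secret_id" >&2
    return 1
  fi
  echo "$enabled"
}
```

Call enable_rotation only after the rotation function's code has been customized for your database or service, because rotate-secret starts a rotation right away.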