How do I create a rotation function with an AWS Secrets Manager secret for an unsupported database?

Last updated: 2020-10-19

Secrets Manager secrets created with Amazon Relational Database Service (Amazon RDS) supported databases and other AWS support services automatically create the Lambda rotation. For unsupported AWS databases and services, you can manually create the Lambda function.

Use the generic rotation function template to rotate secrets. Before you enable rotation for a secret for another database or service, you must create the code for the Lambda rotation function.

Important:

• Before you begin, be sure that you have installed and configured the AWS Command Line Interface (AWS CLI).
• If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

Run the AWS CLI command create-cloud-formation-change-set for these values:

--stack-name: The name of the AWS CloudFormation stack that you create a change set for.

--parameter-override: The AWS Secrets Manager Regional endpoints for your Region, and the name of the Lambda rotation function that the template creates.

Note: Make sure to use the Amazon Resource Name (ARN) of arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRotationTemplate exactly as shown.

An AWS CloudFormation change set is created for the template. The AWS CloudFormation stack name begins with aws-serverless-repository- and the stack status code is set to REVIEW_IN_PROGRESS.

The create-cloud-formation-change-set command returns the ApplicationId, ChangeSetId, SemanticVersion, and StackId. To update the stack status, you must provide the ChangeSetId to the change-set-name. The change-set-name produces no output and changes the stack status code to CREATE_COMPLETE. The AWS CloudFormation stack creates the Lambda function and an IAM role that's attached to the Lambda function with the required permissions.

Run the following AWS CLI command:

Run the following AWS CLI command:

Note: The name of the Lambda function is the value of function name specified in --parameter-overrides.

If your database or service resides in an Amazon VPC, run the update-function-configuration command similar to the following. The update-function-configuration command configures the Lambda rotation function to run in the VPC. Be sure to provide the VPC subnet IDs and security group IDs. For more information, see Configuring a Lambda function to access resources in an Amazon VPC.

Note: If your database or service doesn't reside in an Amazon VPC, skip this step.

If the VPC with your database or service and Lambda rotation function doesn't have internet access, then configure the VPC with a private service endpoint for Secrets Manager. This enables the rotation function to access Secrets Manager at an endpoint within the VPC. Run the create-vpc-endpoint command similar to the following:

Note: If your database or service does not reside in an Amazon VPC, skip this step.

Be sure that the Lambda function can route to your database or service over the required network ports. This varies depending on the database or service, and its associated VPC configuration.

Note: If your database or service does not reside in an Amazon VPC, skip this step.

The rotation template implements the createSecret and finishSecret steps for you. The setSecret and testSecret steps require manual implementation for your use case and database. For more information, see The steps of the Lambda rotation function.

Specify the number of days between rotations with the parameters --rotation-rules and AutomaticallyAfterDays:

For more information, see Rotating AWS Secrets Manager secrets for other databases or services.