How can I create an AWS Lambda function to rotate AWS Secrets Manager secrets for other databases or third-party services?

Secrets created with Amazon Relational Database Service (Amazon RDS) supported databases automatically create the Lambda rotation, but do not for unsupported databases. 

Use the Generic Rotation Function Template to rotate secrets. Before you enable rotation for a secret for another database or service, you must create the code for the Lambda rotation function.

Create an AWS CloudFormation change set based on the generic rotation function template

1.    Enter the Amazon Resource Name (ARN) for the generic rotation function template with AWS Command Line Interface (AWS CLI):

Note: If you haven't installed the AWS CLI, see Installing the AWS CLI.

arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRotationTemplate

2.    Run the AWS CLI command create-cloud-formation-change-set for these values:

--stack-name The name of the AWS CloudFormation that you create a change set for.

--parameter-override The AWS Secrets Manager endpoint URL for your Region, and the name of the Lambda rotation function that the template creates.

aws serverlessrepo create-cloud-formation-change-set --application-id arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRotationTemplate --stack-name MyLambdaCreationStack --parameter-overrides '[{"Name":"endpoint","Value":"https://secretsmanager.region.amazonaws.com"},{"Name":"functionName","Value":"MySecretsManagerRotationFunction"}]'

Output
{
  "StackId": "arn:aws:cloudformation:region:123456789012:stack/aws-serverless-repository-MyLambdaCreationStack/520940b0-cc9d-11e8-9642-500c20fafe62",
  "ApplicationId": "arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRotationTemplate",
  "ChangeSetId": "arn:aws:cloudformation:region:123456789012:changeSet/a391f1108-8be2-48be-b85d-055b85323a73/9eff19cb-d412-4a66-a96f-ea7de2cb3c49"
}

An AWS CloudFormation change set is created for the template. The AWS CloudFormation stack name begins with aws-serverless-repository- and the stack status code is set to REVIEW_IN_PROGRESS.

Update a stack using the change set

The change-set-name parameter comes from the ChangeSetId. The change-set-name parameter produces no output and changes the stack status code to CREATE_COMPLETE. The AWS CloudFormation stack creates the Lambda function and an IAM role that is attached to the Lambda function with the required permissions.

Run the following AWS CLI command:

aws cloudformation execute-change-set --change-set-name arn:aws:cloudformation:region:123456789012:changeSet/EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE/EXAMPLE2-90ab-cdef-fedc-ba987EXAMPLE

Verify that the Lambda function is created

Run the following AWS CLI command:

aws lambda list-functions

Output
{
    ...
    "FunctionName": "MySecretsManagerRotationFunction",
    ...
    "FunctionArn": "arn:aws:lambda:region:123456789012:function:MySecretsManagerRotationFunction",
    ... 
}

Note: The name of the Lambda function is the value of function name specified in --parameter-overrides.

Grant Secrets Manager permission to call the function on your behalf

1.    Add permissions to the resource policy associated with the Lambda function with the command add-permission.

aws lambda add-permission --function-name MySecretsManagerRotationFunction --principal secretsmanager.amazonaws.com --action lambda:InvokeFunction --statement-id SecretsManagerAccess

Output
{
"Statement": "{\"Sid\":\"SecretsManagerAccess\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"secretsmanager.amazonaws.com\"},\"Action\":\"lambda:InvokeFunction\",\"Resource\":\"arn:aws:lambda:region:123456789012:function:MySecretsManagerRotationFunction\"}"
}

2.    Verify that the permissions are added to the resource policy with the command get-policy:

aws lambda get-policy --function-name MySecretsManagerRotationFunction
{
    "Policy": "{\"Version\":\"2012-10-17\",\"Id\":\"default\",\"Statement\":[{\"Sid\":\"SecretsManagerAccess\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"secretsmanager.amazonaws.com\"},\"Action\":\"lambda:InvokeFunction\",\"Resource\":\"arn:aws:lambda:region:123456789012:function:MySecretsManagerRotationFunction\"}]}",
    "RevisionId": "f6a3125c-f2d2-4f8e-bd51-64e98bce77f4"
}

Configure the Lambda function for Amazon Virtual Private Cloud (Amazon VPC) Access

If your database or service resides in an Amazon VPC, run the following command. The command update-function-configuration configures the Lambda rotation function to run in the VPC. Be sure to provide the VPC subnet IDs and security group IDs. For more information, see Configuring a Lambda Function to Access Resources in an Amazon VPC.

Note: If your database or service doesn't reside in an Amazon VPC, skip this step.

aws lambda update-function-configuration --function-name MySecretsManagerRotationFunction --vpc-config SubnetIds=COMMA SEPARATED LIST OF VPC SUBNET IDS,SecurityGroupIds=COMMA SEPARATED LIST OF SECURITY GROUP IDs

Create a VPC endpoint for the Secrets Manager service

If the VPC with your database or service and Lambda rotation function doesn't have internet access, then configure the VPC with a private service endpoint for Secrets Manager. This enables the rotation function to access Secrets Manager at an endpoint within the VPC. Run the following AWS CLI command create-vpc-endpoint:

Note: If your database or service does not reside in an Amazon VPC, skip this step.

aws ec2 create-vpc-endpoint --vpc-id VPC ID --vpc-endpoint-type Interface --service-name com.amazonaws.REGION.secretsmanager --subnet-ids COMMA SEPARATED LIST OF VPC SUBNET IDS --security-group-ids COMMA SEPARATED LIST OF SECURITY GROUP IDs --private-dns-enabled

Customize your rotation scenario

Customize your rotation scenario. For more information, see Understanding and Customizing Your Lambda Rotation Function.

Enable rotation for your secret

1.    Enable rotation for your secret. For more information, see Enabling Rotation for a Secret for Another Database or Service.

2.    Specify the number of days between rotations with the parameters --rotation-rules and AutomaticallyAfterDays:

aws secretsmanager rotate-secret --secret-id production/MyAwesomeAppSecret --rotation-lambda-arn arn:aws:lambda:region:123456789012:function:MySecretsManagerRotationFunction --rotation-rules AutomaticallyAfterDays=7

Did this page help you? Yes | No

Back to the AWS Support Knowledge Center

Need help? Visit the AWS Support Center

Published: 2019-02-07