How can I rotate an AWS Secrets Manager secret for a DB user that requires an SSL connection?

Last updated: 2019-07-01

My AWS Secrets Manager rotation function cannot connect to an Amazon Relational Database Service (Amazon RDS) instance with SSL. I receive an error similar to the following:

": setSecret: Unable to log into database with previous, current, or pending secret of secret"

Resolution

Modify the Lambda rotation function so that it connects to the database over SSL. This example starts from the RDS MySQL Single User rotation template that Secrets Manager creates for an Amazon RDS MySQL DB instance and changes its connection call. For an RDS engine other than MySQL, see AWS Templates You Can Use to Create Lambda Rotation Functions; the same connection change applies to the template for that engine.

Create your secret and enable automatic rotation

1.    Open the Secrets Manager console, and then choose Store a new secret.

Note: Be sure you are signed in to the same Region as your Amazon RDS MySQL database.

2.    In Select secret type, choose Credentials for RDS database.

3.    Enter the User name and Password of the DB user whose credentials you want to rotate.

4.    In Select which RDS database this secret will access, choose your Amazon RDS MySQL database, and then choose Next.

5.    Enter a Secret name and Description, and then choose Next.

6.    In Configure automatic rotation, choose Enable automatic rotation.

7.    In New AWS Lambda function name, enter a name, choose Next, and then choose Store.

Customize the Lambda rotation function to connect to the database with an SSL connection

1.    Open the AWS Lambda console and choose Functions.

2.    In Function name, choose your RDS MySQL function.

3.    At the top of the page next to ARN, choose the copy icon.

4.    Download the rds-combined-ca-bundle.pem certificate bundle at Using SSL to Encrypt a Connection to a DB Instance.

Note: Keep the file name as rds-combined-ca-bundle.pem and place the file at the root of the function's deployment package, next to lambda_function.py, not in a subdirectory. The connection call in step 6 refers to it by that relative path.

5.    Add the rds-combined-ca-bundle.pem file to Lambda. For instructions, see Creating Functions Using the AWS Lambda Console Editor.

6.    In lambda_function.py, change the line of code containing "pymysql.connect" so that it passes the CA bundle in the ssl argument. Supplying a CA makes pymysql require a server certificate that chains to the bundle and verify the hostname, which is what an RDS user created with REQUIRE SSL needs:

conn = pymysql.connect(host=secret_dict['host'], user=secret_dict['username'], password=secret_dict['password'], port=port, database=dbname, connect_timeout=5, ssl={'ca': './rds-combined-ca-bundle.pem'})

7.    Choose Save.
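The following is an added example, not code from the AWS rotation template, showing what the SSL-aware connection logic looks like once it is pulled out of that single line. It is modeled on the template's get_connection helper and on the order in which its setSecret step tries the pending, current and previous secret (the order the error message above lists). The function names, the CA path resolved relative to lambda_function.py, and the connect parameter used to exercise the code without a database are this example's assumptions.

```python
import os

try:
    import pymysql  # bundled in the rotation function's deployment package
    LoginError = pymysql.OperationalError
except ImportError:  # lets the helpers below run where the driver is absent
    pymysql = None
    LoginError = OSError

# Assumption: the bundle sits beside lambda_function.py at the root of the
# deployment package, so resolve it relative to this file rather than to the
# process working directory.
CA_BUNDLE = os.path.join(os.path.dirname(os.path.abspath(__file__)),
                         "rds-combined-ca-bundle.pem")


def build_connect_kwargs(secret_dict, ca_bundle=CA_BUNDLE):
    """Turn a Secrets Manager RDS secret into pymysql.connect keyword arguments.

    A missing CA file would otherwise only surface later as the generic
    'Unable to log into database' rotation error, so fail here with a clear message.
    """
    if not os.path.isfile(ca_bundle):
        raise FileNotFoundError("RDS CA bundle not found: %s" % ca_bundle)
    return {
        "host": secret_dict["host"],
        "user": secret_dict["username"],
        "password": secret_dict["password"],
        "port": int(secret_dict.get("port", 3306)),
        "database": secret_dict.get("dbname"),
        "connect_timeout": 5,
        # With a 'ca' present, pymysql requires a server certificate that chains
        # to the bundle and checks the hostname (check_hostname defaults to True).
        "ssl": {"ca": ca_bundle},
    }


def get_connection(secret_dict, ca_bundle=CA_BUNDLE, connect=None):
    """Open an SSL connection; return None when the login fails, as the template's helper does.

    ``connect`` defaults to pymysql.connect. It is a parameter only so the
    logic can be exercised without a database (an assumption of this example).
    """
    kwargs = build_connect_kwargs(secret_dict, ca_bundle)  # raises if the CA file is missing
    if connect is None:
        if pymysql is None:
            raise RuntimeError("pymysql is not available")
        connect = pymysql.connect
    try:
        return connect(**kwargs)
    except LoginError:  # bad credentials, unreachable host, or a failed TLS handshake
        return None


def connect_with_any(pending, current, previous, **kwargs):
    """Try the pending, current and previous secret in that order, like setSecret.

    Returns (label, connection) for the first secret that logs in, or raises
    with the message the rotation function reports when none of them works.
    """
    for label, secret in (("pending", pending), ("current", current), ("previous", previous)):
        if secret is None:
            continue
        conn = get_connection(secret, **kwargs)
        if conn is not None:
            return label, conn
    raise ValueError("setSecret: Unable to log into database with previous, "
                     "current, or pending secret")
```

In the real setSecret step, a successful login with the current or previous secret is followed by an ALTER USER that applies the pending password; that part is unchanged by SSL and is left out here. The one behavioural difference from the page's one-liner is that a missing bundle is reported as FileNotFoundError before any connection attempt instead of being folded into the login failure.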

Manually rotate the secret

1.    Run the following command to list the version IDs of your secret:

Note: Replace EXAMPLESECRETNAME with the name or ARN of your secret.

aws secretsmanager list-secret-version-ids --secret-id EXAMPLESECRETNAME

2.    From the output, locate the version whose VersionStages value includes AWSPENDING. The rotation that failed with the error above left that label on a version whose password was never applied to the database, and Secrets Manager treats a lone AWSPENDING version as a rotation still in progress and will not start a new one. Run the following command to remove the staging label:

aws secretsmanager update-secret-version-stage --secret-id EXAMPLESECRETNAME --remove-from-version-id EXAMPLEVERSIONID --version-stage AWSPENDING

3.    Open the Secrets Manager console, and then choose your secret.

4.    In Rotation Configuration, choose Rotate secret immediately, and then choose Rotate.
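The same two steps, as an added example in Python against the boto3 Secrets Manager client rather than the console; this is not code from the page or from AWS. The client is passed in so the selection logic can be checked against constructed list_secret_version_ids output; the function names are this example's own. It also applies a check a practitioner wants before removing a label: a version that carries both AWSPENDING and AWSCURRENT is what a completed rotation leaves behind and must be left alone; only a version labelled AWSPENDING on its own is stuck.

```python
def find_stuck_pending(versions):
    """Return the VersionId that carries AWSPENDING but not AWSCURRENT, or None.

    ``versions`` is the 'Versions' list returned by list_secret_version_ids.
    A version labelled both AWSPENDING and AWSCURRENT is the normal end state
    of a successful rotation, not a stuck one, so it is skipped.
    """
    for version in versions:
        stages = version.get("VersionStages", [])
        if "AWSPENDING" in stages and "AWSCURRENT" not in stages:
            return version["VersionId"]
    return None


def clear_pending_and_rotate(client, secret_id):
    """Drop a stale AWSPENDING label, then ask Secrets Manager to rotate the secret.

    ``client`` is a boto3 'secretsmanager' client, or any object with the same
    three methods. Returns (removed VersionId or None, rotate_secret response).
    Secrets with more than one page of versions would need NextToken handling,
    which this example omits.
    """
    versions = client.list_secret_version_ids(SecretId=secret_id).get("Versions", [])
    stuck = find_stuck_pending(versions)
    if stuck is not None:
        client.update_secret_version_stage(
            SecretId=secret_id,
            VersionStage="AWSPENDING",
            RemoveFromVersionId=stuck,
        )
    # Rotation must already be configured on the secret (it is, from the console
    # steps above), so no RotationLambdaARN is needed here.
    return stuck, client.rotate_secret(SecretId=secret_id)


if __name__ == "__main__":
    import sys
    import boto3

    removed, response = clear_pending_and_rotate(boto3.client("secretsmanager"), sys.argv[1])
    print("removed AWSPENDING from:", removed)
    print("rotation started, new version:", response["VersionId"])
```

rotate_secret returns as soon as the rotation is kicked off; whether it succeeded is visible in the Lambda function's CloudWatch logs and in the next list-secret-version-ids output, where the new version should carry AWSCURRENT.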

Verify connection to the database for your DB user

Follow steps 1-5 at Validate Your Initial Secret to install the MySQL client and retrieve the secret temporarily.

Note: Replace step 3 with the following command, which connects over SSL and verifies the server certificate against the downloaded bundle. With a MySQL 8.0 client, use --ssl-mode=VERIFY_IDENTITY in place of --ssl-verify-server-cert, which that version no longer accepts:

mysql -h $endpoint --ssl-ca=EXAMPLEPATH/rds-combined-ca-bundle.pem --ssl-verify-server-cert -u $user -P $port -p$password