I’ve created a secret and updated it to have a lambda rotation function
My secret looks like
aws secretsmanager list-secret-version-ids --secret-id envir/username
and when i try to rotate it, i get this error
An error occurred (InvalidRequestException) when calling the RotateSecret operation: A previous rotation isn’t complete. That rotation will be reattempted.
I can rotate the secret without issues if i trigger the lambda function without issues.
Anyone has any ideas ?
- https://forums.aws.amazon.com/thread.jspa?threadID=280093&tstart=0 which does not apply to me as i dont have the secret in
Just a note for people in future who might get the same error…
If you are using the AWS Secrets Manager to rotate an Amazon RDS password, the Secrets Manager will automatically create a Lambda function. This function requires:
- Access to the Internet (to call the Secrets Manager) OR VPC endpoint for Secrets Manager service in subnet/subnets associated with the lambda function
- Access to the RDS instance (to login and change the password)
As such, the following combinations work:
- Publicly accessible database (bad for security) with a Lambda function that is not attached to a VPC, OR
- The Lambda function in a private subnet with a NAT Gateway in the public subnet (so the Lambda function can access the Internet) OR an Elastic IP Address attached to the Lambda function’s ENI
Also, the Security Group attached to the database needs to permit inbound access from the Lambda function. By default, the Lambda function is assigned the same security group as used by the database, so either:
- Edit the database security group to permit inbound connections from itself (that is, from Lambda to the database via the same security group), OR
- Change the security group that is used by the Lambda function to one that is currently permitted to access the database security group