How To Rotate Secrets In AWS Secrets Manager

Hello Everyone

Welcome to CloudAffaire and this is Debjeet.

In today's blog post, we will discuss how to rotate secrets in AWS Secrets Manager automatically. Rotating a secret means generating a new credential and updating both the secret stored in Secrets Manager and the service or application that uses it; if only one side is updated, the consumer is left with a credential that no longer works. You can rotate a secret either manually or automatically. To rotate a secret automatically, you also need to set up a Lambda function with a properly scoped IAM role, because Secrets Manager invokes that function to carry out each rotation.

There are two rotation strategies that you can adopt to rotate your secrets:

  1. Single user rotation strategy: updates the credentials of one user in one secret. The user's password is replaced in place, so connections that are established between the password change and the secret update may fail.
  2. Alternating user rotation strategy: updates the credentials of two users in one secret, alternating between them so that one set of credentials stays valid while the other is being rotated.

Prerequisites:

  • AWS CLI installed and configured with the proper access. You can use the links below to install and configure the AWS CLI.

https://cloudaffaire.com/how-to-install-aws-cli/

https://cloudaffaire.com/how-to-configure-aws-cli/

Step 1: Create an RDS MySQL instance.

The connection details for this RDS instance (host, port, user name and password) will serve as the secret that we store in AWS Secrets Manager and rotate using a Lambda function.

Step 2: Create a new secret containing the RDS MySQL instance connection details.

Step 3: Create a custom Lambda function with an IAM role and a Lambda layer.

This Lambda function will update the RDS connection secret in AWS Secrets Manager and also change the admin user's password in the MySQL RDS instance, so that the stored secret and the database stay in sync.

Note: If you are using another RDS engine or another type of secret, you need to change the Lambda function accordingly. AWS provides a set of community rotation function templates that you can use as a reference.

Note: The above Lambda IAM role policy is over-permissive. You are welcome to refine the permissions to what you actually need and leave a comment so that I can update this post and others can benefit as well.
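To make the Lambda's job concrete, here is an added example (not the post's own function) that models the single-user rotation flow offline. Secrets Manager invokes a rotation function once per step, and the four steps below mirror those calls; `FakeSecretsManager` and `FakeMySQL` are assumed stand-ins for boto3 and the MySQL client, not real AWS or database calls.

```python
import secrets

class FakeSecretsManager:
    """In-memory stand-in (assumed, not boto3) for Secrets Manager versions."""
    def __init__(self, current):
        self.versions = {"v0": {"stages": {"AWSCURRENT"}, "value": current}}

    def get(self, stage):
        for version in self.versions.values():
            if stage in version["stages"]:
                return dict(version["value"])
        raise KeyError(stage)

    def put_pending(self, token, value):
        self.versions[token] = {"stages": {"AWSPENDING"}, "value": value}

    def promote(self, token):
        # Old AWSCURRENT becomes AWSPREVIOUS; the pending version becomes AWSCURRENT
        for vid, version in self.versions.items():
            if "AWSCURRENT" in version["stages"] and vid != token:
                version["stages"] = {"AWSPREVIOUS"}
        self.versions[token]["stages"] = {"AWSCURRENT"}

class FakeMySQL:
    """Stand-in (assumed) for the RDS MySQL instance: one user's password."""
    def __init__(self, password):
        self.password = password

    def connect(self, password):
        return password == self.password

    def alter_user(self, new_password):
        self.password = new_password

def rotate(sm, db, token):
    """Single-user rotation: the four steps Secrets Manager invokes in order."""
    # createSecret: copy AWSCURRENT, swap in a fresh password, store as AWSPENDING
    pending = sm.get("AWSCURRENT")
    pending["password"] = secrets.token_urlsafe(24)
    sm.put_pending(token, pending)
    # setSecret: authenticate with the current password, then change it in the DB
    if not db.connect(sm.get("AWSCURRENT")["password"]):
        raise RuntimeError("current credentials rejected; rotation aborted")
    db.alter_user(pending["password"])
    # testSecret: the pending credentials must work before they are promoted
    if not db.connect(pending["password"]):
        raise RuntimeError("pending credentials rejected; not promoting")
    sm.promote(token)  # finishSecret: readers of AWSCURRENT now get the new password
    return sm.get("AWSCURRENT")["password"]
```

A real rotation Lambda receives each step separately in its event and may be re-invoked for the same step, so each step must be idempotent and must never promote a pending version that has not passed the test step.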

Now we are all set to enable automatic rotation of the RDS secret in Secrets Manager.

Step 4: Enable automatic rotation of the AWS RDS instance secret in AWS Secrets Manager.

We have successfully enabled automatic rotation of the RDS instance secret in AWS Secrets Manager.

If you get an error, check the Lambda function's execution logs in CloudWatch to troubleshoot it; a failed step leaves the secret with an AWSPENDING version that is never promoted.

Next, we will delete all the resources created in this demo to avoid any additional cost.

Step 5: Clean up.

Hope you have enjoyed this article. To learn more about AWS Secrets Manager, please refer to the official documentation below.

https://docs.aws.amazon.com/secretsmanager/index.html