Can I rotate my secret every hour?

0

I use SecretsManager to rotate my third-party OAuth access tokens, which look like the following:

{:access_token "",
:token_type "bearer",
:expires_in 3600,
:scope "full-access",
:refresh_token "
"}

Currently, the minimum rotation interval in the UI is measured in days; however, as you can see, my service access tokens expire in 1 hour (3600s). Is there a way to specify the rotation to 1 hour or do I need to trigger manual immediate rotation and manage the time expiration in my applications?

asked 5 years ago, 1426 views
4 Answers
1

I know this was 3 years ago, but I thought I would add a reply here as I came across this problem myself yesterday and wanted to share how I addressed it.

  • Create the Secret and the Rotation configuration (including Lambda) as "normal" but without a Schedule. This means that whilst the secret can rotate it will never do it automatically, but it means the RotateSecret API call works as designed.
  • Create a simple 1-stage Step Function to execute the RotateSecret API call for this secret.
  • Create a Rule in EventBridge using cron of 0 * * * ? * (hourly) and have the Step Function be the target. I now have the secret rotation occurring every hour.
AWS
danjhd
answered 2 years ago
  • Hi Danjhd, would you please explain how you create a secret with rotation configuration (including Lambda) without the schedule? When doing it from the console, adding a schedule is required.

0

Secrets Manager does not support rotation intervals less than a day. You can, however, create a regularly scheduled CloudWatch event (https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/Create-CloudWatch-Events-Scheduled-Rule.html) that will call your rotation lambda with your desired frequency.

Of course, as with any lambda, the code must be idempotent and be able to handle the case where Lambda retries the call.

AWS
answered 5 years ago
0

Do I call the lambda directly or do I tell secretsmanager to Rotate and let it do its normal event execution?

It seems like I can execute a rotation via the SDK, so rather than having CloudWatch Events re-implement the functionality of SecretsManager, I can have lambda call SecretsManager with something like:

(secretsmanager/rotate-secret
  :secret-id arn)

Perhaps I can create a new event to trigger that code path. Thanks for your help.

Edited by: leetcharmer on Jun 25, 2019 5:58 PM

answered 5 years ago
0

What you propose should generally work. However, you have to keep the failure scenarios in mind. If a previous rotation failed (after the standard 5 retries), the next invocation of rotate-secret will restart the rotation, but will throw an InvalidRequestException with the message "A previous rotation isn’t complete. That rotation will be reattempted." This could happen, for example, if the database was down for a period of time or there were networking problems.

If the lambda (the one invoked by CloudWatch) throws this exception, the implementation might retry, which will cause multiple retries of the rotation and possibly two back to back rotations if the first one suddenly succeeds. This may or may not be a problem for your applications, but you may need to add extra error handling to the lambda.

AWS
answered 5 years ago
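The scheduled-trigger Lambda that danjhd's procedure and the two AWS answers above describe, with the error handling the last answer asks for, as an added example (not code from this thread or from AWS). It assumes the secret already has a rotation Lambda but no rotation schedule, that the EventBridge rule passes an event of the form {"secret_id": "<arn>"}, and that the live client raises botocore's ClientError, whose .response carries the error code and message; the helper names are the example's own.

```python
"""Hourly RotateSecret trigger for Secrets Manager, invoked by an EventBridge rule.

Policy (from the thread): an InvalidRequestException saying a previous rotation
isn't complete means Secrets Manager has already restarted that rotation, so we
return normally instead of raising. Raising would make Lambda retry and could
queue a second, back-to-back rotation if the first one suddenly succeeds.
"""

# Substring of the message quoted in the thread; written without the apostrophe
# so it matches whether the service sends ' or the typographic ’.
ROTATION_IN_PROGRESS = "A previous rotation isn"


def _error_field(exc, field):
    """Read Error.Code / Error.Message from a ClientError-style exception."""
    response = getattr(exc, "response", None) or {}
    return response.get("Error", {}).get(field, "")


def rotate_once(client, secret_id):
    """Call RotateSecret once and report what happened.

    Returns "started:<VersionId>" when a new rotation was kicked off, or
    "in_progress" when a stalled rotation is being reattempted by the service.
    Any other error is re-raised so it surfaces in the Lambda's metrics.
    """
    try:
        resp = client.rotate_secret(SecretId=secret_id)
    except Exception as exc:  # botocore.exceptions.ClientError on a real client
        if (_error_field(exc, "Code") == "InvalidRequestException"
                and ROTATION_IN_PROGRESS in _error_field(exc, "Message")):
            return "in_progress"
        raise
    return "started:" + resp.get("VersionId", "")


def lambda_handler(event, context, client=None):
    """Entry point. `client` is injectable so the logic is testable offline."""
    if client is None:
        import boto3  # imported lazily; only needed inside the real Lambda
        client = boto3.client("secretsmanager")
    secret_id = event["secret_id"]
    return {"secret_id": secret_id, "status": rotate_once(client, secret_id)}
```

Because the handler returns instead of raising for the "previous rotation isn't complete" case, a Lambda retry re-runs the same idempotent RotateSecret call at most once per schedule tick rather than stacking rotations.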
