What are the minimal MySQL grants required by SecretsManager to rotate a password?

0

I would like to use SecretsManager to rotate a database password using the alternating accounts strategy. I don't want to use the database "Master" user for that, I want to create a dedicated MySQL user for Secrets Manager.

I understand the AWS IAM roles and policies, AWS networking and such. I am looking for the minimum privilege I must grant Secrets Manager inside my RDS MySQL instance so that it can rotate a password but not SELECT any data. I am looking for a statement like this one:

CREATE USER 'secrets_manager'@'%' IDENTIFIED BY 'password';
GRANT ?????? ON ?????? TO 'secrets_manager'@'%';

As an example, Hashicorp Vault lists the SQL statements required to change a password, making it possible to GRANT a limited set of statements to Vault.

1 answer
0

Secrets Manager uses a Lambda function to rotate a secret. The Lambda function has a resource policy that allows Secrets Manager to invoke it. Secrets Manager calls the Lambda function by invoking an IAM execution role attached to the Lambda function. Permissions for the Lambda function are granted through the IAM execution role as inline policies. If you turn on rotation by using the Secrets Manager console, the Lambda function, resource policy, execution role, and execution role inline policies are created for you.

You can read up more here.

https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-required-permissions-function.html

AWS
Answered 2 years ago
  • Thanks. But when the Lambda finally runs, it must authenticate in the database as a user, right? My question is about the permissions that user needs in MySQL (given by the GRANT statement)?
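The comment above narrows the question to what the rotation Lambda's own database account must be able to do. The helper below is an added example (not from the page, the asker, or AWS) that derives those grants from the application user's SHOW GRANTS rows; it assumes the AWS-provided multi-user MySQL rotation template behaves as described in its comments, and reuses the 'secrets_manager' account name from the question.

```python
import re

# Assumptions (mine, not from the page): the AWS multi-user MySQL rotation template
# connects with the "master" secret, checks `SELECT User FROM mysql.user`, runs
# ALTER USER ... IDENTIFIED BY when the alternate user already exists, and otherwise
# CREATE USER followed by a replay of every `SHOW GRANTS FOR <current>` row onto
# the new user. Verify this against the Lambda code you actually deploy.
GRANT_RE = re.compile(r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<obj>\S+)\s+TO\s+", re.I)

def rotation_grants(app_show_grants, preprovision_both_users, rotation_user="'secrets_manager'@'%'"):
    """Return the GRANT statements a dedicated rotation account needs.

    preprovision_both_users=True means you create the app user and its alternate
    yourself with identical grants, so the Lambda only ever takes the ALTER USER path.
    """
    stmts = [
        # Global CREATE USER is what MySQL requires for ALTER USER ... IDENTIFIED BY
        # (and CREATE USER) on accounts other than your own; it grants no data access.
        f"GRANT CREATE USER ON *.* TO {rotation_user};",
    ]
    if preprovision_both_users:
        # Only the existence check reads table data, and only the mysql.user table.
        stmts.append(f"GRANT SELECT ON mysql.user TO {rotation_user};")
        return stmts
    # Clone path: SHOW GRANTS FOR another account needs SELECT on the mysql schema,
    # and MySQL only lets you GRANT a privilege you hold WITH GRANT OPTION, so the
    # rotation account ends up holding every application privilege itself.
    stmts.append(f"GRANT SELECT ON mysql.* TO {rotation_user};")
    for row in app_show_grants:
        m = GRANT_RE.match(row.strip())
        if not m:
            raise ValueError(f"unrecognised SHOW GRANTS row: {row!r}")
        privs, obj = m.group("privs").strip(), m.group("obj")
        if privs.upper() == "USAGE":
            continue  # USAGE means "no privileges"; nothing to re-grant
        stmts.append(f"GRANT {privs} ON {obj} TO {rotation_user} WITH GRANT OPTION;")
    return stmts

def touches_app_data(stmts):
    """True if any statement grants privileges on objects outside the mysql schema."""
    return any(" ON mysql." not in s and "CREATE USER ON *.*" not in s for s in stmts)

if __name__ == "__main__":
    # Constructed SHOW GRANTS output for a hypothetical application user 'app'.
    APP_GRANTS = [
        "GRANT USAGE ON *.* TO 'app'@'%'",
        "GRANT SELECT, INSERT, UPDATE, DELETE ON `shop`.* TO 'app'@'%'",
    ]
    for pre in (True, False):
        print(f"-- preprovision_both_users={pre}")
        print("\n".join(rotation_grants(APP_GRANTS, pre)))
```

Pre-creating both alternating users yourself is what keeps the rotation account away from application tables; letting the Lambda clone grants forces it to hold those same privileges WITH GRANT OPTION.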
