How can I rotate an AWS Secrets Manager secret for a DB connection that requires SSL?

2 minute read

My AWS Secrets Manager rotation function can't connect to an Amazon Relational Database Service (Amazon RDS) instance with Secure Socket Layer (SSL). I receive an error similar to the following: ": setSecret: Unable to log into database with previous, current, or pending secret of secret"


Rotation functions for Amazon RDS (except Amazon RDS for Oracle) and Amazon DocumentDB automatically use SSL/TLS to connect to your database if it's available. If SSL or TLS isn't available, then the rotation functions use an unencrypted connection.

If you set up secret rotation before December 20, 2021, then your rotation function might be based on an older template that doesn't support SSL/TLS. To support connections that use SSL/TLS, you must recreate your rotation function. For more information, see My database requires an SSL/TLS connection but the AWS Lambda rotation function isn't using SSL/TLS.

Verify connection to the database for your DB user and retrieve the secret

1.    To connect to your Amazon RDS instance, see Connecting to an Amazon RDS DB instance.

2.    To connect your Amazon DocumentDB, see Developing with Amazon DocumentDB.

3.    To retrieve the secret, see Retrieve secrets from AWS Secrets Manager in code.

4.    To automatically rotate the secret, see Automatically rotate an Amazon RDS, Amazon DocumentDB, or Amazon Redshift secret.

Related information

Customize a Lambda rotation function for Secrets Manager

How do I create a rotation function with an AWS Secrets Manager secret for an unsupported database?

AWS Secrets Manager now automatically enables SSL connections when rotating database secrets

AWS OFFICIALUpdated 2 years ago