What are the minimal MySQL grants required by SecretsManager to rotate a password?

0

I would like to use SecretsManager to rotate a database password using the alternating accounts strategy. I don't want to use the database "Master" user for that, I want to create a dedicated MySQL user for Secrets Manager.

I understand the AWS IAM roles and policies, AWS networking and such. I am looking for the minimum privilege I must grant Secrets Manager inside my RDS MySQL instance so that it can rotate a password but not SELECT any data. I am looking for a statement like this one:

CREATE USER 'secrets_manager'@'%' IDENTIFIED BY 'password';
GRANT ?????? ON ?????? TO 'secrets_manager'@'%';

As an example, HashiCorp Vault lists the SQL statements required to change a password, making it possible to GRANT a limited set of statements to Vault.

1 answer
0

Secrets Manager uses a Lambda function to rotate a secret. The Lambda function has a resource policy that allows Secrets Manager to invoke it. Secrets Manager calls the Lambda function by invoking an IAM execution role attached to the Lambda function. Permissions for the Lambda function are granted through the IAM execution role as inline policies. If you turn on rotation by using the Secrets Manager console, the Lambda function, resource policy, execution role, and execution role inline policies are created for you.

You can read up more here: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-required-permissions-function.html

AWS
answered 2 years ago
  • Thanks. But when the Lambda finally runs, it must authenticate in the database as a user, right? My question is about the permissions that user needs in MySQL (given by the GRANT statement)?
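The GRANT the question leaves as ?????? is not stated anywhere on this page, and the answer above only covers the IAM side, so the following is an added example written for this thread, not AWS documentation and not the rotation function's own SQL. It shows how a dedicated rotation account for the alternating-users strategy would be scoped if the rotation function issues only user-management statements: reading the current user's grants, creating or altering the clone account, re-granting it the application privileges, and setting its password. Which statements the function really runs is an assumption here and should be checked against the rotation Lambda's source; the application user name 'app'@'%', the schema name appdb, and the privilege list are also assumptions.

```sql
-- Added example for this thread (not from the question, the answer, or AWS).
-- Assumptions: application data lives in schema `appdb`, the application
-- user is 'app'@'%' with SELECT/INSERT/UPDATE/DELETE on appdb.*, and the
-- rotation function only (1) reads that user's grants, (2) creates or alters
-- the clone user, (3) re-grants the clone the same privileges and (4) sets
-- the clone's password. Verify this against the rotation function's SQL.

-- The dedicated rotation account. The password is a placeholder; in practice
-- it is the value stored in the "master" secret that rotation uses to connect.
CREATE USER 'secrets_manager'@'%' IDENTIFIED BY '<rotation-password-placeholder>';

-- CREATE USER is a global privilege (only meaningful ON *.*). It permits
-- CREATE USER, ALTER USER, RENAME USER, DROP USER and SET PASSWORD for
-- *other* accounts, which is what cloning the user and resetting its
-- password require. It grants no access to any table.
GRANT CREATE USER ON *.* TO 'secrets_manager'@'%';

-- Needed only if the function runs SHOW GRANTS FOR the user being cloned:
-- MySQL requires SELECT on the mysql system schema to read another account's
-- grants. This exposes privilege metadata (including mysql.user, which holds
-- authentication hashes), not application tables; drop it if the function
-- does not inspect grants.
GRANT SELECT ON mysql.* TO 'secrets_manager'@'%';

-- The part that cannot be avoided under MySQL's model: an account can only
-- GRANT privileges it holds itself WITH GRANT OPTION. To re-grant the clone
-- the application privileges, the rotation account must therefore hold
-- exactly that set, scoped to the application schema and nothing wider.
-- This is also why "rotate but never SELECT data" is not fully achievable
-- for the alternating-users strategy: match this list to the application
-- user's real grants and keep it as narrow as they are.
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'secrets_manager'@'%' WITH GRANT OPTION;

-- Verification: the output should list only the grants above, with no
-- global data privileges and no access to schemas other than appdb (and
-- mysql, if the SHOW GRANTS case applies).
SHOW GRANTS FOR 'secrets_manager'@'%';
```

For the single-user strategy the question is simpler and no dedicated account is needed: the rotated user changes its own password, which MySQL allows without any extra privilege, so the rotation function can connect as that user with only its normal application grants.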
