What are the minimal MySQL grants required by SecretsManager to rotate a password?


I would like to use SecretsManager to rotate a database password using the alternating accounts strategy. I don't want to use the database "Master" user for that, I want to create a dedicated MySQL user for Secrets Manager.

I understand the AWS IAM roles and policies, AWS networking and such. I am looking for the minimum privilege I must grant Secrets Manager inside my RDS MySQL instance so that it can rotate a password but not SELECT any data. I am looking for a statement like this one:

CREATE USER 'secrets_manager'@'%' IDENTIFIED BY 'password';
GRANT ?????? ON ?????? TO 'secrets_manager'@'%';

As an example, HashiCorp Vault lists the SQL statements required to change a password, making it possible to GRANT a limited set of statements to Vault.

1 Answer

Secrets Manager uses a Lambda function to rotate a secret. The Lambda function has a resource policy that allows Secrets Manager to invoke it. Secrets Manager calls the Lambda function by invoking an IAM execution role attached to the Lambda function. Permissions for the Lambda function are granted through the IAM execution role as inline policies. If you turn on rotation by using the Secrets Manager console, the Lambda function, resource policy, execution role, and execution role inline policies are created for you.

You can read up more here.


answered a year ago
  • Thanks. But when the Lambda finally runs, it must authenticate in the database as a user, right? My question is about the permissions that user needs in MySQL (given by the GRANT statement)?
