Can I rotate my secret every hour?


I use SecretsManager to rotate my third-party OAuth access tokens, which look like the following:

{:access_token "",
:token_type "bearer",
:expires_in 3600,
:scope "full-access",
:refresh_token "

Currently, the minimum rotation interval in the UI is measured in days, however, as you can see, my service access tokens expire in 1 hour (3600s). Is there a way to specify the rotation to 1 hour or do I need to trigger manual immediate rotation and manage the time expiration in my applications?

asked 3 years ago328 views
4 Answers

I know this was 3 years ago, but I thought I would add a reply here as I came across this problem myself yesterday and wanted to share how I addressed it.

  • Create the Secret and the Rotation configuration (including Lambda) as "normal" but without a Schedule. This means that whilst the secret can rotate it will never do it automatically but it means the RotateSecret API call works as designed.
  • Create a simple 1 stage Step Function to execute the RotateSecret API call for this secret.
  • Create a Rule in EventBridge using cron of 0 * * * ? * (hourly) and have the Step function be the target. I now have the secret rotation occuring every hour.
profile picture
answered 5 months ago
  • Hi Danjhd, would you please explain how do you create a secret with rotation configuration (including Lambda) without the schedule? When doing it from the console, adding a schedule is required.


Secrets Manager does not support rotation intervals less than a day. You can, however, create a regularly scheduled CloudWatch event ( that will call your rotation lambda with your desired frequency.

Of course, as with any lambda, the code must be idempotent and be able to handle the case where Lambda retries the call.

answered 3 years ago

Do I call the lambda directly or do I tell secretsmanager to Rotate and let it do it's normal event execution?

It seems like I can execute a rotation via the SDK, so rather than having CloudWatch Events re-implement the functionality of SecretsManager, I can have lambda call SecretsManager with something like:

  :secret-id arn)

Perhaps I can create a new even to trigger that code path. Thanks for your help.

Edited by: leetcharmer on Jun 25, 2019 5:58 PM

answered 3 years ago

What you propose should generally work. However, you have to keep the failure scenarios in mind. If a previous rotation failed (after the standard 5 retires), the next invocation of rotate-secret will restart the rotation, but will throw a InvalidRequestException with the message "A previous rotation isn’t complete. That rotation will be reattempted." This could happen, for example, if the database was down for a period of time or there were networking problems.

If the lambda (the one invoked by CloudWatch) throws this exception, the implementation might retry, which will cause multiple retries of the rotation and possibly two back to back rotations if the first one suddenly succeeds. This may or may not be a problem for your applications, but you may need to add extra error handling to the lambda.

answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions