I know this was 3 years ago, but I thought I would add a reply here as I came across this problem myself yesterday and wanted to share how I addressed it.
- Create the Secret and the Rotation configuration (including Lambda) as "normal" but without a Schedule. This means that whilst the secret can rotate it will never do it automatically, but it means the RotateSecret API call works as designed.
- Create a simple 1 stage Step Function to execute the RotateSecret API call for this secret.
- Create a Rule in EventBridge using cron of 0 * * * ? * (hourly) and have the Step function be the target.
I now have the secret rotation occurring every hour.
Secrets Manager does not support rotation intervals less than a day. You can, however, create a regularly scheduled CloudWatch event (https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/Create-CloudWatch-Events-Scheduled-Rule.html) that will call your rotation lambda with your desired frequency.
Of course, as with any lambda, the code must be idempotent and be able to handle the case where Lambda retries the call.
Do I call the lambda directly or do I tell secretsmanager to Rotate and let it do its normal event execution?
It seems like I can execute a rotation via the SDK, so rather than having CloudWatch Events re-implement the functionality of SecretsManager, I can have lambda call SecretsManager with something like:
(secretsmanager/rotate-secret :secret-id arn)
Perhaps I can create a new event to trigger that code path. Thanks for your help.
Edited by: leetcharmer on Jun 25, 2019 5:58 PM
What you propose should generally work. However, you have to keep the failure scenarios in mind. If a previous rotation failed (after the standard 5 retries), the next invocation of rotate-secret will restart the rotation, but will throw an InvalidRequestException with the message "A previous rotation isn’t complete. That rotation will be reattempted." This could happen, for example, if the database was down for a period of time or there were networking problems.
If the lambda (the one invoked by CloudWatch) throws this exception, the implementation might retry, which will cause multiple retries of the rotation and possibly two back to back rotations if the first one suddenly succeeds. This may or may not be a problem for your applications, but you may need to add extra error handling to the lambda.
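An added example (not code from this thread or from AWS) of the scheduled trigger Lambda described in the two posts above, with the error handling the reply asks for: it calls RotateSecret, treats the quoted "previous rotation isn't complete" InvalidRequestException as a normal outcome so that Lambda does not retry and stack rotations, and re-raises anything else. It assumes the secret already has its rotation Lambda attached with no schedule, that the secret ARN or name is passed in an environment variable SECRET_ID, and uses a constructed FakeSecretsClient so it can run offline.

```python
import os
PREVIOUS_ROTATION_TEXT = "previous rotation"  # phrase from the error message quoted above


def rotate_once(client, secret_id):
    """Call RotateSecret once. Returns "started", or "in_progress" when Secrets
    Manager says an earlier rotation is unfinished and will be reattempted by it.
    Returning instead of raising there keeps Lambda from retrying and stacking
    rotations back to back; any other error is re-raised so it surfaces."""
    try:
        client.rotate_secret(SecretId=secret_id)
        return "started"
    except Exception as exc:
        err = getattr(exc, "response", {}).get("Error", {})  # botocore ClientError shape
        if (err.get("Code") == "InvalidRequestException"
                and PREVIOUS_ROTATION_TEXT in err.get("Message", "").lower()):
            return "in_progress"
        raise


def lambda_handler(event, context, client=None):
    """Target of the hourly EventBridge rule / Step Function; client is injectable."""
    if client is None:
        import boto3  # real client only when deployed
        client = boto3.client("secretsmanager")
    secret_id = os.environ["SECRET_ID"]  # assumed env var: secret ARN or name
    return {"secretId": secret_id, "outcome": rotate_once(client, secret_id)}


class FakeClientError(Exception):
    """Constructed stand-in for botocore ClientError (same .response shape)."""
    def __init__(self, code, message):
        super().__init__(message)
        self.response = {"Error": {"Code": code, "Message": message}}


class FakeSecretsClient:
    """Constructed stand-in for offline runs: the first `busy` calls hit the quoted error."""
    def __init__(self, busy=0):
        self.busy = busy

    def rotate_secret(self, SecretId):
        if self.busy > 0:
            self.busy -= 1
            raise FakeClientError("InvalidRequestException",
                                  "A previous rotation isn't complete. That rotation will be reattempted.")
        return {"ARN": SecretId, "VersionId": "constructed-version"}


if __name__ == "__main__":
    os.environ.setdefault("SECRET_ID", "arn:aws:secretsmanager:REGION:ACCOUNT:secret:EXAMPLE")
    fake = FakeSecretsClient(busy=1)
    print(lambda_handler({}, None, client=fake)["outcome"])  # in_progress
    print(lambda_handler({}, None, client=fake)["outcome"])  # started
```

Because the handler returns normally in the in-progress case, you still want a CloudWatch alarm or log filter on the "in_progress" outcome so a rotation that stays stuck (for example while the database is down) is noticed rather than silently skipped every hour.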
Hi Danjhd, would you please explain how you create a secret with rotation configuration (including Lambda) without the schedule? When doing it from the console, adding a schedule is required.