Resource permissions needed for automatic password rotation with RDS and secrets-manager


I'm using the new auto-rotation for RDS that doesn't require a lambda -

The problem I'm facing is whenever I add a resource permission policy to my secret, the rotation stops working. I've tried giving the cluster complete access in the resource policy. I've also tried giving everyone rotate access but neither works. I can only get it to work if the resource permission policy is blank but obviously that's not acceptable.

asked 8 months ago278 views
1 Answer

Can you clarify this please as the link says.

Secrets Manager uses Lambda functions to rotate secrets.

To rotate a secret, Secrets Manager calls a Lambda function according to the schedule you set up. You can set a schedule to rotate after a period of time, for example every 30 days, or you can create a cron expression. See Schedule expressions. If you also manually update your secret value while automatic rotation is set up, then Secrets Manager considers that a valid rotation when it calculates the next rotation date.

For security, Secrets Manager only permits a Lambda rotation function to rotate the secret directly. The rotation function can't call a second Lambda function to rotate the secret.

profile picture
answered 8 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions