Can I rotate my secret every hour?

0

I use SecretsManager to rotate my third-party OAuth access tokens, which look like the following:

{:access_token "",
:token_type "bearer",
:expires_in 3600,
:scope "full-access",
:refresh_token ""}

Currently, the minimum rotation interval in the UI is measured in days; however, as you can see, my service access tokens expire in 1 hour (3600s). Is there a way to specify a rotation interval of 1 hour, or do I need to trigger a manual immediate rotation and manage the expiration time in my applications?

Asked 5 years ago, 1358 views
4 answers
1

I know this was 3 years ago, but I thought I would add a reply here as I came across this problem myself yesterday and wanted to share how I addressed it.

  • Create the Secret and the Rotation configuration (including the Lambda) as "normal" but without a Schedule. This means that, whilst the secret can rotate, it will never do so automatically, but the RotateSecret API call works as designed.
  • Create a simple 1-stage Step Function to execute the RotateSecret API call for this secret.
  • Create a Rule in EventBridge using the cron expression 0 * * * ? * (hourly) and have the Step Function be the target. I now have the secret rotation occurring every hour.
AWS
danjhd
Answered 2 years ago
  • Hi Danjhd, would you please explain how you create a secret with a rotation configuration (including the Lambda) without the schedule? When doing it from the console, adding a schedule is required.

0

Secrets Manager does not support rotation intervals less than a day. You can, however, create a regularly scheduled CloudWatch event (https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/Create-CloudWatch-Events-Scheduled-Rule.html) that will call your rotation lambda with your desired frequency.

Of course, as with any lambda, the code must be idempotent and be able to handle the case where Lambda retries the call.

AWS
Answered 5 years ago
0

Do I call the lambda directly, or do I tell SecretsManager to rotate and let it do its normal event execution?

It seems like I can execute a rotation via the SDK, so rather than having CloudWatch Events re-implement the functionality of SecretsManager, I can have lambda call SecretsManager with something like:

(secretsmanager/rotate-secret
  :secret-id arn)

Perhaps I can create a new event to trigger that code path. Thanks for your help.

Edited by: leetcharmer on Jun 25, 2019 5:58 PM

Answered 5 years ago
0

What you propose should generally work. However, you have to keep the failure scenarios in mind. If a previous rotation failed (after the standard 5 retries), the next invocation of rotate-secret will restart the rotation, but will throw an InvalidRequestException with the message "A previous rotation isn't complete. That rotation will be reattempted." This could happen, for example, if the database was down for a period of time or there were networking problems.

If the lambda (the one invoked by CloudWatch) throws this exception, the implementation might retry, which will cause multiple retries of the rotation and possibly two back to back rotations if the first one suddenly succeeds. This may or may not be a problem for your applications, but you may need to add extra error handling to the lambda.

AWS
Answered 5 years ago
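To make the "call RotateSecret from a scheduled Lambda" route from the answers above concrete, here is an added example of such a handler (it is not code from the thread or from AWS). It assumes the Lambda is invoked hourly by an EventBridge/CloudWatch Events rule whose input carries the secret ARN, and it shows the two pieces of error handling the last answer asks for: a spacing guard so a duplicate or retried delivery does not start a second rotation right after the first, and treating the "previous rotation isn't complete" InvalidRequestException as an in-progress condition that is returned rather than raised, so the Lambda service does not retry and pile up rotations. The secret ARN, MIN_SPACING, the event field name and the FakeSecretsManager client are constructed for the offline demo; with a real boto3 client the same code applies unchanged.

```python
"""Hourly Secrets Manager rotation trigger (added example, not the thread's code)."""
import datetime as dt

UTC = dt.timezone.utc
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:example-token"  # constructed placeholder
MIN_SPACING = dt.timedelta(minutes=50)  # assumption: EventBridge is at-least-once; skip near-duplicate deliveries


def _error_field(exc, field):
    # botocore's ClientError exposes response["Error"]["Code"/"Message"]; the fake below mimics that shape
    return getattr(exc, "response", {}).get("Error", {}).get(field, "")


def trigger_rotation(secret_id, client, now=None):
    """Ask Secrets Manager to rotate `secret_id` unless it just rotated or a rotation is still running."""
    now = now or dt.datetime.now(UTC)
    last = client.describe_secret(SecretId=secret_id).get("LastRotatedDate")
    if last is not None and now - last < MIN_SPACING:
        # Idempotency guard: a retried/duplicate schedule event must not rotate twice
        return {"status": "skipped", "last_rotated": last.isoformat()}
    try:
        resp = client.rotate_secret(SecretId=secret_id)
    except Exception as exc:  # noqa: BLE001 - we only swallow one well-known case
        if _error_field(exc, "Code") == "InvalidRequestException" and \
                "previous rotation" in _error_field(exc, "Message").lower():
            # Secrets Manager restarted the stuck rotation itself; returning (not raising)
            # keeps Lambda's automatic retries from stacking further rotate calls
            return {"status": "in_progress", "detail": _error_field(exc, "Message")}
        raise  # anything else (throttling, access denied, ...) should surface as a failure
    return {"status": "started", "version_id": resp.get("VersionId")}


def _default_client():
    import boto3  # imported lazily so the offline demo does not need boto3 installed
    return boto3.client("secretsmanager")


def handler(event, context=None, client=None):
    """Lambda entry point; `event["secret_id"]` is the rule's constant input (assumed field name)."""
    return trigger_rotation(event["secret_id"], client or _default_client())


class _FakeError(Exception):
    """Mimics the .response attribute of botocore.exceptions.ClientError."""
    def __init__(self, code, message):
        super().__init__(message)
        self.response = {"Error": {"Code": code, "Message": message}}


class FakeSecretsManager:
    """Constructed stand-in for boto3's secretsmanager client, for running the example offline."""
    def __init__(self, last_rotated, rotation_stuck=False):
        self.last_rotated = last_rotated
        self.rotation_stuck = rotation_stuck
        self.rotate_calls = 0

    def describe_secret(self, SecretId):
        return {"ARN": SecretId, "LastRotatedDate": self.last_rotated}

    def rotate_secret(self, SecretId):
        self.rotate_calls += 1
        if self.rotation_stuck:
            raise _FakeError("InvalidRequestException",
                             "A previous rotation isn't complete. That rotation will be reattempted.")
        return {"ARN": SecretId, "VersionId": "constructed-version-id"}


def demo():
    """Three scenarios: duplicate delivery, rotation due, and a rotation stuck from a prior failure."""
    now = dt.datetime(2024, 1, 1, 12, 0, tzinfo=UTC)
    fresh = FakeSecretsManager(last_rotated=now - dt.timedelta(minutes=5))
    due = FakeSecretsManager(last_rotated=now - dt.timedelta(hours=1))
    stuck = FakeSecretsManager(last_rotated=now - dt.timedelta(hours=3), rotation_stuck=True)
    return {
        "duplicate_delivery": trigger_rotation(SECRET_ARN, fresh, now=now),
        "due": trigger_rotation(SECRET_ARN, due, now=now),
        "stuck": trigger_rotation(SECRET_ARN, stuck, now=now),
        "rotate_calls": (fresh.rotate_calls, due.rotate_calls, stuck.rotate_calls),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The handler's execution role only needs secretsmanager:DescribeSecret and secretsmanager:RotateSecret on this one secret; the rotation Lambda that Secrets Manager invokes keeps its own, separate permissions. If the real rotation Lambda is replaced by the Step Functions route in the first answer, the same two guards belong in the state machine (a Choice state on LastRotatedDate and a Catch on the InvalidRequestException) for the same reasons.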
