Configures and starts the asynchronous process of rotating this secret. If you include the configuration parameters, the operation sets those values for the secret and then immediately starts a rotation. If you do not include the configuration parameters, the operation starts a rotation with the values already stored in the secret. After the rotation completes, the protected service and its clients all use the new version of the secret.
This required configuration information includes the ARN of an AWS Lambda function and the time between scheduled rotations. The Lambda rotation function creates a new version of the secret and creates or updates the credentials on the protected service to match. After testing the new credentials, the function marks the new secret with the staging label
so that your clients all immediately begin to use the new version. For more information about rotating secrets and how to configure a Lambda function to rotate the secrets for your protected service, see Rotating Secrets in AWS Secrets Manager
in the AWS Secrets Manager User Guide
Secrets Manager schedules the next rotation when the previous one is complete. Secrets Manager schedules the date by adding the rotation interval (number of days) to the actual date of the last rotation. The service chooses the hour within that 24-hour date window randomly. The minute is also chosen somewhat randomly, but weighted towards the top of the hour and influenced by a variety of factors that help distribute load.
The rotation function must end with the versions of the secret in one of two states:
AWSCURRENT staging labels are attached to the same version of the secret, or
AWSPENDING staging label is not attached to any version of the secret.
If instead the
staging label is present but is not attached to the same version as
then any later invocation of
assumes that a previous rotation request is still in progress and returns an error. Minimum permissions
To run this command, you must have the following permissions:
- lambda:InvokeFunction (on the function specified in the secret's metadata)