Configures and starts the asynchronous process of rotating this secret. If you include the configuration parameters, the operation sets those values for the secret and then immediately starts a rotation. If you do not include the configuration parameters, the operation starts a rotation with the values already stored in the secret. After the rotation completes, the protected service and its clients all use the new version of the secret.
The required configuration information consists of the ARN of an AWS Lambda function and the time between scheduled rotations. The Lambda rotation function creates a new version of the secret and creates or updates the credentials on the protected service to match. After testing the new credentials, the function marks the new version with the staging label AWSCURRENT so that your clients all immediately begin to use it. For more information about rotating secrets and how to configure a Lambda function to rotate the secrets for your protected service, see Rotating Secrets in AWS Secrets Manager in the AWS Secrets Manager User Guide.
Secrets Manager schedules the next rotation when the previous one completes. Secrets Manager schedules the date by adding the rotation interval (number of days) to the actual date of the last rotation. The service chooses the hour within that 24-hour date window randomly. The minute is also chosen somewhat randomly, but weighted towards the top of the hour and influenced by a variety of factors that help distribute load.
The rotation function must end with the versions of the secret in one of two states:
- The AWSPENDING and AWSCURRENT staging labels are attached to the same version of the secret, or
- The AWSPENDING staging label is not attached to any version of the secret.
If the AWSPENDING staging label is present but not attached to the same version as AWSCURRENT, then any later invocation of RotateSecret assumes that a previous rotation request is still in progress and returns an error.
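As an added example, not code from this reference or from AWS, the following Python models the staging-label rules in the paragraphs above offline: the version-to-label map a secret carries, the two legal end states a rotation function must leave behind, and the check RotateSecret makes before starting another rotation. The SecretVersions class, the rotate_secret and run_scenario functions, the version IDs and the secret values are all constructed for illustration; AWSPREVIOUS is not mentioned on this page, and its handling here (it follows the version that was AWSCURRENT before the last finish step) is an assumption.

```python
"""
Added example, not code from the AWS reference page or from Secrets Manager:
an offline model of the staging-label rules the page describes.
Version IDs and secret values are constructed sample data. AWSPREVIOUS is an
assumption (not on the page): modelled as tracking the previous AWSCURRENT.
"""
from __future__ import annotations

import uuid
from typing import Callable

AWSCURRENT = "AWSCURRENT"
AWSPENDING = "AWSPENDING"
AWSPREVIOUS = "AWSPREVIOUS"  # assumed behaviour, see module docstring


class RotationInProgressError(Exception):
    """Stands in for the error RotateSecret returns when AWSPENDING is dangling."""


class SecretVersions:
    """One secret's versions, each with a value and a set of staging labels.
    A staging label is attached to at most one version at a time."""

    def __init__(self, initial_value: str) -> None:
        first = str(uuid.uuid4())
        self.values: dict[str, str] = {first: initial_value}
        self.stages: dict[str, set[str]] = {first: {AWSCURRENT}}

    def version_with(self, label: str) -> str | None:
        """Version ID carrying `label`, or None if no version carries it."""
        return next((vid for vid, labels in self.stages.items() if label in labels), None)

    def _move(self, label: str, target: str) -> None:
        """Detach `label` from every version, then attach it to `target`."""
        for labels in self.stages.values():
            labels.discard(label)
        self.stages[target].add(label)

    def rotation_in_progress(self) -> bool:
        """The pre-check RotateSecret makes: AWSPENDING attached to a version other
        than the AWSCURRENT one means an earlier rotation never reached a legal end state."""
        pending = self.version_with(AWSPENDING)
        return pending is not None and pending != self.version_with(AWSCURRENT)

    def create_pending(self, new_value: str) -> str:
        """Rotation function step: store a new version and label it AWSPENDING."""
        vid = str(uuid.uuid4())
        self.values[vid] = new_value
        self.stages[vid] = set()
        self._move(AWSPENDING, vid)
        return vid

    def finish(self, pending_vid: str) -> None:
        """Rotation function step once the new credentials test good: move AWSCURRENT
        onto the pending version. AWSPENDING stays with it: legal end state 1."""
        old_current = self.version_with(AWSCURRENT)
        if old_current is not None and old_current != pending_vid:
            self._move(AWSPREVIOUS, old_current)  # assumed label behaviour
        self._move(AWSCURRENT, pending_vid)

    def clear_pending(self) -> None:
        """Recovery for an abandoned rotation: detach AWSPENDING everywhere (legal end state 2)."""
        for labels in self.stages.values():
            labels.discard(AWSPENDING)


def rotate_secret(secret: SecretVersions, new_value: str,
                  credentials_work: Callable[[str], bool]) -> str:
    """Model of RotateSecret driving the rotation function. `credentials_work` stands in
    for the function's test of the new credentials against the protected service.
    Returns the ID of the version created for this rotation."""
    if secret.rotation_in_progress():
        raise RotationInProgressError("a previous rotation request is still in progress")
    pending = secret.create_pending(new_value)
    if credentials_work(new_value):
        secret.finish(pending)
    # On a failed test the function returns without finishing, leaving AWSPENDING on a
    # version that is not AWSCURRENT: exactly the state that blocks the next call.
    return pending


def run_scenario() -> dict[str, bool]:
    """A good rotation, a failed one that leaves the secret stuck, then recovery."""
    secret = SecretVersions("db-password-1")  # constructed sample value
    v1 = secret.version_with(AWSCURRENT)
    v2 = rotate_secret(secret, "db-password-2", lambda _: True)
    v3 = rotate_secret(secret, "db-password-3", lambda _: False)
    stuck = secret.rotation_in_progress() and secret.version_with(AWSPENDING) == v3
    try:
        rotate_secret(secret, "db-password-4", lambda _: True)
        blocked = False
    except RotationInProgressError:
        blocked = True
    secret.clear_pending()
    return {
        "current_after_good_rotation": secret.version_with(AWSCURRENT) == v2,
        "previous_after_good_rotation": secret.version_with(AWSPREVIOUS) == v1,
        "stuck_after_failed_test": stuck,
        "next_call_blocked": blocked,
        "recovered_after_clear_pending": not secret.rotation_in_progress(),
    }


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {ok}")
```

The failed-test path is the one worth studying: a rotation function that stores the AWSPENDING version, fails its test and then exits without either finishing or detaching AWSPENDING leaves every later RotateSecret call returning the in-progress error until someone detaches the label (in the real service, with UpdateSecretVersionStage) or the function is re-run to completion.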
Minimum permissions
To run this command, you must have the following permissions:
- secretsmanager:RotateSecret
- lambda:InvokeFunction (on the function specified in the secret's metadata)
Related operations