AWS Secrets Manager
User Guide

Enabling Rotation for a Secret for Another Database or Service

To configure rotation of a secret for a database other than the supported RDS databases or another service, you must manually perform a few extra steps. Primarily, you must create and provide the code for the Lambda rotation function.

Warning

Configuring rotation causes the secret to rotate once as soon as you store the secret. Before you do this, you must make sure that all of your applications using the credentials stored in the secret are updated to retrieve the secret from AWS Secrets Manager. The old credentials may be unusable after the initial rotation. As soon as the old credentials become invalid, any applications you failed to update no longer work.

You must have already created your Lambda rotation function. If you haven't yet created the function, then perform the steps in Rotating AWS Secrets Manager Secrets for Other Databases or Services. Return to this procedure after you have created the function and are ready to associate it with your secret.

Prerequisites: Network Requirements to Enable Rotation

To successfully enable rotation, you must have your network environment configured correctly.

  • The Lambda function must be able to communicate with your database or service. If you run your database or service on an Amazon EC2 instance in a VPC, then we recommend that you configure your Lambda function to run in the same VPC. This enables direct connectivity between the rotation function and your service. To configure this, on the Lambda function details page, scroll down to the Network section and select the VPC from the list that matches the one containing the instance of your service. You must also make sure that the EC2 security groups attached to your instance allow communication between the instance and Lambda.

  • The Lambda function must be able to communicate with the Secrets Manager service endpoint. If your Lambda rotation function can access the Internet, either because you haven't configured the function to run in a VPC, or because the VPC has an attached NAT gateway, then you can use any of the available public endpoints for Secrets Manager. Alternatively, if you configure your Lambda function to run in a VPC without Internet access, then you can configure the VPC with a private Secrets Manager service endpoint.

To enable and configure rotation for a secret for another database or service

Follow the steps under one of the following tabs:

Using the AWS Management Console

Minimum permissions

To enable and configure rotation in the console, you must have these permissions:

  • secretsmanager:ListSecrets – To see the list of secrets in the console.

  • secretsmanager:DescribeSecrets – To access the details page for your chosen secret.

  • secretsmanager:RotateSecret – To configure or trigger rotation.

  1. Sign in to the Secrets Manager console at https://console.aws.amazon.com/secretsmanager/.

  2. Select the name of the secret for which you want to enable rotation.

  3. In the Configure automatic rotation section, select Enable automatic rotation. This enables the other controls in this section.

  4. For Select rotation interval, select one of the predefined values—or select Custom, and then type the number of days between rotations.

    Secrets Manager schedules the next rotation when the previous one is complete. Secrets Manager schedules the date by adding the rotation interval (number of days) to the actual date of the last rotation. The service chooses the hour within that 24-hour date window randomly. The minute is also chosen somewhat randomly, but is weighted towards the top of the hour and influenced by a variety of factors that help distribute load.

  5. For Select an AWS Lambda function, select your rotation function from the drop-down list. If you haven't created the function, perform the steps in Rotating AWS Secrets Manager Secrets for Other Databases or Services. Return and perform this step after you have created the function and are ready to associate it with your secret.

Using the AWS CLI or AWS SDKs

Minimum permissions

To create a Lambda function by using the console, you must have these permissions:

  • lambda:CreateFunction – To create the function in AWS Lambda.

  • lambda:InvokeFunction – To attach the rotation function to the secret.

  • secretsmanager:DescribeSecrets – To access the secret details page.

  • secretsmanager:RotateSecret – To attach the rotation function to the secret or to trigger rotation.

You can use the following commands to enable and configure rotation in Secrets Manager:

The following is an example CLI command that performs the equivalent of the console-based rotation configuration in the Using the AWS Management Console tab. It sets the rotation interval to 30 days and specifies the Amazon Resource Name (ARN) of the Lambda rotation function that Secrets Manager invokes to change the credentials on the database (the --rotation-lambda-arn parameter takes the ARN of a Lambda function, not of a secret; MyRotationFunction is a placeholder for the name of your own function).

$ aws secretsmanager rotate-secret --secret-id production/MyAwesomeAppSecret --automatically-rotate-after-days 30 --rotation-lambda-arn arn:aws:lambda:region:accountid:function:MyRotationFunction
{
    "ARN": "arn:aws:secretsmanager:region:accountid:secret:production/MyAwesomeAppSecret-AbCdEf",
    "Name": "production/MyAwesomeAppSecret",
    "VersionId": "EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE"
}

Secrets Manager doesn't require the ClientRequestToken parameter because you're using the AWS CLI, which automatically generates and supplies one. The output includes the secret version ID of the new version created during the initial rotation. After rotation completes, this new version has the staging label AWSCURRENT attached, and the previous version has the staging label AWSPREVIOUS.
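The following Python check, added here as an example and not part of the AWS documentation, verifies the state described above after the initial rotation: it takes the shape of a DescribeSecret response (as returned by boto3 describe_secret or aws secretsmanager describe-secret) and confirms that the VersionId reported by rotate-secret now carries AWSCURRENT, that no version is stuck with AWSPENDING, and in which date window the next rotation falls. The response values, the function name MyRotationFunction and the version IDs are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: a DescribeSecret response as it looks once the
# initial rotation triggered by enabling rotation has completed.
SAMPLE_DESCRIBE = {
    "ARN": "arn:aws:secretsmanager:region:accountid:secret:production/MyAwesomeAppSecret-AbCdEf",
    "Name": "production/MyAwesomeAppSecret",
    "RotationEnabled": True,
    "RotationLambdaARN": "arn:aws:lambda:region:accountid:function:MyRotationFunction",  # placeholder
    "RotationRules": {"AutomaticallyAfterDays": 30},
    "LastRotatedDate": datetime(2024, 1, 15, 3, 17, tzinfo=timezone.utc),
    "VersionIdsToStages": {
        "EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE": ["AWSCURRENT"],   # version created by the rotation
        "EXAMPLE0-90ab-cdef-fedc-ba987EXAMPLE": ["AWSPREVIOUS"],  # credentials before rotation
    },
}


def check_rotation(desc, rotated_version_id):
    """Return a list of findings; an empty list means the rotation looks healthy."""
    findings = []
    if not desc.get("RotationEnabled"):
        findings.append("rotation is not enabled")
    stages = desc.get("VersionIdsToStages", {})
    current = [v for v, s in stages.items() if "AWSCURRENT" in s]
    pending = [v for v, s in stages.items() if "AWSPENDING" in s]
    # Exactly one version holds AWSCURRENT, and after rotation it must be the
    # new version whose ID rotate-secret returned.
    if len(current) != 1:
        findings.append(f"expected exactly one AWSCURRENT version, found {len(current)}")
    elif current[0] != rotated_version_id:
        findings.append(f"AWSCURRENT is {current[0]}, not the rotated version {rotated_version_id}")
    # A finished rotation moves AWSPENDING off; a version still carrying it
    # means the rotation function stopped part-way and needs investigation.
    if pending:
        findings.append(f"AWSPENDING still attached to {pending}: rotation did not complete")
    return findings


def next_rotation_window(desc):
    """Return (start, end) of the 24-hour date window for the next rotation:
    the last rotation date plus the interval in days; the hour is chosen by
    Secrets Manager within that window."""
    days = desc["RotationRules"]["AutomaticallyAfterDays"]
    start = (desc["LastRotatedDate"] + timedelta(days=days)).replace(
        hour=0, minute=0, second=0, microsecond=0)
    return start, start + timedelta(days=1)
```

Run check_rotation against the live response with the VersionId printed by rotate-secret; any finding means the applications should keep using the old credentials until the cause is resolved.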