AWS Templates You Can Use to Create Lambda Rotation Functions - AWS Secrets Manager

Templates for Amazon RDS Databases Templates for Other Databases Templates for Other Services

AWS Templates You Can Use to Create Lambda Rotation Functions

This section identifies the AWS managed templates you can use to create a Lambda rotation function for your AWS Secrets Manager secret. These templates associate with the AWS Serverless Application Repository, which uses AWS CloudFormation to create 'stacks' of preconfigured resources. In this case, the templates create a stack that consists of the Lambda function and an IAM role that Secrets Manager can assume to invoke the function when rotation occurs.

To create a Lambda rotation function with any of the following templates, you can copy and paste the ARN of the specified template into the CLI commands described in the topic Rotating AWS Secrets Manager secrets for other databases or services.

Each of the following templates creates a Lambda rotation function for a different combination of database and rotation strategy. The first bullet under each shows the database or service supported by the function. The second bullet describes the rotation strategy implemented by the function. The third bullet specifies the JSON structure the rotation function expects to find in the SecretString value of the rotated secret.

RDS databases

RDS MariaDB Single User
RDS MariaDB Master User
RDS MySQL Single User
RDS MySQL Multiple Users
RDS Oracle Single User
RDS Oracle Master User
RDS PostgreSQL Single User
RDS PostgreSQL Master User
RDS Microsoft SQLServer Single User
RDS Microsoft SQLServer Master User

Other databases and services

MongoDB Single User
MongoDB Master User
Amazon Redshift Single User
Amazon Redshift Primary User
Generic Rotation Function Template

Templates for Amazon RDS Databases

RDS MariaDB Single User

Name: SecretsManagerRDSMariaDBRotationSingleUser
Supported database/service: MariaDB database hosted on an Amazon Relational Database Service (Amazon RDS) database instance.
Rotation strategy: This changes the password for a user with credentials stored in the rotated secret. For more information about this strategy, see Rotating AWS Secrets Manager Secrets for One User with a Single Password.

Expected SecretString structure:


{
  "engine": "mariadb",
  "host": "<required: instance host name/resolvable DNS name>",
  "username": "<required: username>",
  "password": "<required: password>",
  "dbname": "<optional: database name. If not specified, defaults to None>",
  "port": "<optional: TCP port number. If not specified, defaults to 3306>"
}

Source code

RDS MariaDB Master User

Name: SecretsManagerRDSMariaDBRotationMultiUser
Supported database/service: MariaDB database hosted on an Amazon RDS database instance.
Rotation strategy: Two users alternate during rotation by using the credentials of a separate master user, stored in a separate secret. Secrets Manager changes the password of the inactive user before the user becomes the active user. For more information about this strategy, see Rotating AWS Secrets Manager Secrets by Alternating Between Two Existing Users.

Expected SecretString structure:


{
  "engine": "mariadb",
  "host": "<required: instance host name/resolvable DNS name>",
  "username": "<required: username>",
  "password": "<required: password>",
  "dbname": "<optional: database name. If not specified, defaults to None>",
  "port": "<optional: TCP port number. If not specified, defaults to 3306>",
  "masterarn": "<required: the ARN of the master secret used to create 2nd user and change passwords>"
}

Source code

RDS MySQL Single User

Name: SecretsManagerRDSMySQLRotationSingleUser
Supported database/service: MySQL database hosted on an Amazon Relational Database Service (Amazon RDS) database instance.
Rotation strategy: This changes the password for a user with credentials stored in the rotated secret. For more information about this strategy, see Rotating AWS Secrets Manager Secrets for One User with a Single Password.

Expected SecretString structure:


{
  "engine": "mysql",
  "host": "<required: instance host name/resolvable DNS name>",
  "username": "<required: username>",
  "password": "<required: password>",
  "dbname": "<optional: database name. If not specified, defaults to None>",
  "port": "<optional: TCP port number. If not specified, defaults to 3306>"
}

Source code

RDS MySQL Multiple Users

Name: SecretsManagerRDSMySQLRotationMultiUser
Supported database/service: MySQL database hosted on an Amazon RDS database instance.
Rotation strategy: Two users alternate during rotation by using the credentials of a separate master user, stored in a separate secret. Secrets Manager changes the password of the inactive user before the user becomes the active user. For more information about this strategy, see Rotating AWS Secrets Manager Secrets by Alternating Between Two Existing Users.

Expected SecretString structure:


{
  "engine": "mysql",
  "host": "<required: instance host name/resolvable DNS name>",
  "username": "<required: username>",
  "password": "<required: password>",
  "dbname": "<optional: database name. If not specified, defaults to None>",
  "port": "<optional: TCP port number. If not specified, defaults to 3306>",
  "masterarn": "<required: the ARN of the master secret used to create 2nd user and change passwords>"
}

Source code

RDS Oracle Single User

Name: SecretsManagerRDSOracleRotationSingleUser
Supported database/service: Oracle database hosted on an Amazon Relational Database Service (Amazon RDS) database instance.
Rotation strategy: This changes the password for a user with credentials stored in the rotated secret. For more information about this strategy, see Rotating AWS Secrets Manager Secrets for One User with a Single Password.

Expected SecretString structure:


{
  "engine": "oracle",
  "host": "<required: instance host name/resolvable DNS name>",
  "username": "<required: username>",
  "password": "<required: password>",
  "dbname": "<required: database name>",
  "port": "<optional: TCP port number. If not specified, defaults to 1521>"
}

Source code

RDS Oracle Master User

Name: SecretsManagerRDSOracleRotationMultiUser
Supported database/service: Oracle database hosted on an Amazon RDS database instance.
Rotation strategy: Two users alternate during rotation by using the credentials of a separate master user, stored in a separate secret. Secrets Manager changes the password of the inactive user before the user becomes the active user. For more information about this strategy, see Rotating AWS Secrets Manager Secrets by Alternating Between Two Existing Users.

Expected SecretString structure:


{
  "engine": "oracle",
  "host": "<required: instance host name/resolvable DNS name>",
  "username": "<required: username>",
  "password": "<required: password>",
  "dbname": "<required: database name>",
  "port": "<optional: TCP port number. If not specified, defaults to 1521>",
  "masterarn": "<required: the ARN of the master secret used to create 2nd user and change passwords>"
}

Source code

RDS PostgreSQL Single User

Name: SecretsManagerRDSPostgreSQLRotationSingleUser
Supported database/service: PostgreSQL database hosted on an Amazon RDS database instance.
Rotation strategy: This changes the password for a user with credentials stored in the rotated secret. For more information about this strategy, see Rotating AWS Secrets Manager Secrets for One User with a Single Password.

Expected SecretString structure:


{
  "engine": "postgres",
  "host": "<required: instance host name/resolvable DNS name>",
  "username": "<required: username>",
  "password": "<required: password>",
  "dbname": "<optional: database name. If not specified, defaults to 'postgres'>",
  "port": "<optional: TCP port number. If not specified, defaults to 5432>"
}

Source code

RDS PostgreSQL Master User

Name: SecretsManagerRDSPostgreSQLRotationMultiUser
Supported database/service: PostgreSQL database hosted on an Amazon RDS database instance.
Rotation strategy: Two users alternate during rotation by using the credentials of a separate master user, stored in a separate secret. Secrets Manager changes the password of the inactive user before the user becomes the active user. For more information about this strategy, see Rotating AWS Secrets Manager Secrets by Alternating Between Two Existing Users.

Expected SecretString structure:


{
  "engine": "postgres",
  "host": "<required: instance host name/resolvable DNS name>",
  "username": "<required: username>",
  "password": "<required: password>",
  "dbname": "<optional: database name. If not specified, defaults to 'postgres'>",
  "port": "<optional: TCP port number. If not specified, defaults to 5432>",
  "masterarn": "<required: the ARN of the master secret used to create 2nd user and change passwords>"
}

Source code

RDS Microsoft SQLServer Single User

Name: SecretsManagerRDSSQLServerRotationSingleUser
Supported database/service: Microsoft SQLServer database hosted on an Amazon RDS database instance.
Rotation strategy: This changes the password for a user with credentials stored in the rotated secret. For more information about this strategy, see Rotating AWS Secrets Manager Secrets for One User with a Single Password.

Expected SecretString structure:


{
  "engine": "sqlserver",
  "host": "<required: instance host name/resolvable DNS name>",
  "username": "<required: username>",
  "password": "<required: password>",
  "dbname": "<optional: database name. If not specified, defaults to 'master'>",
  "port": "<optional: TCP port number. If not specified, defaults to 1433>"
}

Source code

RDS Microsoft SQLServer Master User

Name: SecretsManagerRDSSQLServerRotationMultiUser
Supported database/service: Microsoft SQLServer database hosted on an Amazon RDS database instance.
Rotation strategy: Two users alternate during rotation by using the credentials of a separate master user, stored in a separate secret. Secrets Manager changes the password of the inactive user before the user becomes the active user. For more information about this strategy, see Rotating AWS Secrets Manager Secrets by Alternating Between Two Existing Users.

Expected SecretString structure:


{
  "engine": "sqlserver",
  "host": "<required: instance host name/resolvable DNS name>",
  "username": "<required: username>",
  "password": "<required: password>",
  "dbname": "<optional: database name. If not specified, defaults to 'master'>",
  "port": "<optional: TCP port number. If not specified, defaults to 1433>",
  "masterarn": "<required: the ARN of the master secret used to create 2nd user and change passwords>"
}

Source code

Templates for Other Databases

MongoDB Single User

Name: SecretsManagerMongoDBRotationSingleUser
Supported database/service: MongoDB database version 3.2 or 3.4.
Rotation strategy: This changes the password for a user with credentials stored in the rotated secret. For more information about this strategy, see Rotating AWS Secrets Manager Secrets for One User with a Single Password.

Expected SecretString structure:


{
  "engine": "mongo",
  "host": "<required: instance host name/resolvable DNS name>",
  "username": "<required: username>",
  "password": "<required: password>",
  "dbname": "<optional: database name. If not specified, defaults to None>",
  "port": "<optional: TCP port number. If not specified, defaults to 27017>"
}

Source code: Source code

MongoDB Master User

Name: SecretsManagerMongoDBRotationMultiUser
Supported database or service: MongoDB database version 3.2 or 3.4.
Rotation strategy: Two users alternate during rotation by using the credentials of a separate master user, and stored in a separate secret.Secrets Manager changes the password of the inactive user before the user becomes the active user. For more information about this strategy, see Rotating AWS Secrets Manager Secrets by Alternating Between Two Existing Users.

Expected SecretString structure:


{
  "engine": "mongo",
  "host": "<required: instance host name/resolvable DNS name>",
  "username": "<required: username>",
  "password": "<required: password>",
  "dbname": "<optional: database name. If not specified, defaults to None>",
  "port": "<optional: TCP port number. If not specified, defaults to 27017>",
  "masterarn": "<required: the ARN of the master secret used to create 2nd user and change passwords>"
}

Source code

Amazon Redshift Single User


arn:aws:serverlessrepo:us-east-1:123456789012:applications/SecretsManagerRDSMySQLRotationSingleUser

Name: SecretsManagerRedshiftRotationSingleUser
Supported database/service: Amazon Redshift
Rotation strategy: This changes the password for a user with credentials stored in the rotated secret. For more information about this strategy, see Rotating AWS Secrets Manager Secrets for One User with a Single Password.

Expected SecretString structure:


{
  "engine": "redshift",
  "host": "<required: instance host name/resolvable DNS name>",
  "username": "<required: username>",
  "password": "<required: password>",
  "dbname": "<optional: database name. If not specified, defaults to None>",
  "port": "<optional: TCP port number. If not specified, defaults to 5439>"
}

Source code

Amazon Redshift Primary User

Name: SecretsManagerRedshiftRotationMultiUser
Supported database/service: Amazon Redshift
Rotation strategy: Two users alternate during rotation by using the credentials of a separate primary user, stored in a separate secret. Secrets Manager changes the password of the inactive user before becoming the active user. For more information about this strategy, see Rotating AWS Secrets Manager Secrets by Alternating Between Two Existing Users.

Expected SecretString structure:


{
  "engine": "redshift",
  "host": "<required: instance host name/resolvable DNS name",
  "username": "<required: username>",
  "password": "<required: password>",
  "dbname": "<optional: database name. If not specified, defaults to None",
  "port": "<optional: TCP port number. If not specified, defaults to 5439",
  "masterarn": "<required: the master secret ARN used to create 2nd user and change passwords"
}

Source code

Templates for Other Services

Generic Rotation Function Template

Name: SecretsManagerRotationTemplate
Supported database/service: None. You supply the code to interact with whatever service you want.
Rotation strategy: None. You supply the code to implement whatever rotation strategy you want. For more information about customizing your own function, see Understanding and customizing your Lambda rotation function.
Expected SecretString structure: You define this as part of your written code.
Source code: Source code

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Quotas for AWS Secrets Manager

Managed Policies