AWS Documentation » AWS Secrets Manager » User Guide » AWS Secrets Manager Reference » AWS Templates You Can Use to Create Lambda Rotation Functions

AWS Templates You Can Use to Create Lambda Rotation Functions

This section identifies the AWS managed templates that you can use to create a Lambda rotation function for your AWS Secrets Manager secret. These templates are associated with the AWS Serverless Application Repository, which uses AWS CloudFormation to create 'stacks' of preconfigured resources. In this case, they create a stack that consists of the Lambda function and an IAM role that Secrets Manager can assume to invoke the function when rotation occurs.

To create a Lambda rotation function with any of the following templates, you can copy and paste the ARN of the specified template into the CLI commands described in the topic Rotating AWS Secrets Manager Secrets for Other Databases or Services.

Each of the following templates creates a Lambda rotation function for a different combination of database and rotation strategy. The first bullet under each shows the database or service that the function supports. The second bullet describes the rotation strategy that's implemented by the function. The third bullet specifies the JSON structure that the rotation function expects to find in the SecretString value of the secret being rotated.

RDS databases

• RDS MariaDB Single User

• RDS MariaDB Master User

• RDS MySQL Single User

• RDS MySQL Master User

• RDS Oracle Single User

• RDS Oracle Master User

• RDS PostgreSQL Single User

• RDS PostgreSQL Master User

• RDS Microsoft SQLServer Single User

• RDS Microsoft SQLServer Master User

Other databases and services

• Generic Rotation Function Template

Templates for Databases Running on Amazon RDS

RDS MariaDB Single User

arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSMariaDBRotationSingleUser

• Name: SecretsManagerRDSMariaDBRotationSingleUser

• Supported database/service: MariaDB database that's hosted on an Amazon Relational Database Service (Amazon RDS) database instance.

• Rotation strategy: This changes the password for a user whose credentials are stored in the secret that's rotated. For more information about this strategy, see Rotating AWS Secrets Manager Secrets for One User with a Single Password.

• Expected SecretString structure:

  {
    "engine": "mariadb",
    "host": "<required: instance host name/resolvable DNS name>",
    "username": "<required: username>",
    "password": "<required: password>",
    "dbname": "<optional: database name. If not specified, defaults to None>",
    "port": "<optional: TCP port number. If not specified, defaults to 3306>"
  }

• Source code: Secrets Manager Lambda Rotation Template: RDS MariaDB Single User

RDS MariaDB Master User

arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSMariaDBRotationMultiUser

• Name: SecretsManagerRDSMariaDBRotationMultiUser

• Supported database/service: MariaDB database that's hosted on an Amazon RDS database instance.

• Rotation strategy: Two users are alternated during rotation by using the credentials of a separate master user, which is stored in a separate secret. The user that's not currently active has its password changed before it's made the active user. For more information about this strategy, see Rotating AWS Secrets Manager Secrets by Alternating Between Two Existing Users.

• Expected SecretString structure:

  {
    "engine": "mariadb",
    "host": "<required: instance host name/resolvable DNS name>",
    "username": "<required: username>",
    "password": "<required: password>",
    "dbname": "<optional: database name. If not specified, defaults to None>",
    "port": "<optional: TCP port number. If not specified, defaults to 3306>",
    "masterarn": "<required: the ARN of the master secret used to create 2nd user and change passwords>"
  }

• Source code: Secrets Manager Lambda Rotation Template: RDS MariaDB Multiple User

RDS MySQL Single User

arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSMySQLRotationSingleUser

• Name: SecretsManagerRDSMySQLRotationSingleUser

• Supported database/service: MySQL database that's hosted on an Amazon Relational Database Service (Amazon RDS) database instance.

• Rotation strategy: This changes the password for a user whose credentials are stored in the secret that's rotated. For more information about this strategy, see Rotating AWS Secrets Manager Secrets for One User with a Single Password.

• Expected SecretString structure:

  {
    "engine": "mysql",
    "host": "<required: instance host name/resolvable DNS name>",
    "username": "<required: username>",
    "password": "<required: password>",
    "dbname": "<optional: database name. If not specified, defaults to None>",
    "port": "<optional: TCP port number. If not specified, defaults to 3306>"
  }

• Source code: Secrets Manager Lambda Rotation Template: RDS MySQL Single User

RDS MySQL Master User

arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSMySQLRotationMultiUser

• Name: SecretsManagerRDSMySQLRotationMultiUser

• Supported database/service: MySQL database that's hosted on an Amazon RDS database instance.

• Rotation strategy: Two users are alternated during rotation by using the credentials of a separate master user, which is stored in a separate secret. The user that's not currently active has its password changed before it's made the active user. For more information about this strategy, see Rotating AWS Secrets Manager Secrets by Alternating Between Two Existing Users.

• Expected SecretString structure:

  {
    "engine": "mysql",
    "host": "<required: instance host name/resolvable DNS name>",
    "username": "<required: username>",
    "password": "<required: password>",
    "dbname": "<optional: database name. If not specified, defaults to None>",
    "port": "<optional: TCP port number. If not specified, defaults to 3306>",
    "masterarn": "<required: the ARN of the master secret used to create 2nd user and change passwords>"
  }

• Source code: Secrets Manager Lambda Rotation Template: RDS MySQL Multiple User

RDS Oracle Single User

arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSOracleRotationSingleUser

• Name: SecretsManagerRDSOracleRotationSingleUser

• Supported database/service: Oracle database that's hosted on an Amazon Relational Database Service (Amazon RDS) database instance.

• Rotation strategy: This changes the password for a user whose credentials are stored in the secret that's rotated. For more information about this strategy, see Rotating AWS Secrets Manager Secrets for One User with a Single Password.

• Expected SecretString structure:

  {
    "engine": "oracle",
    "host": "<required: instance host name/resolvable DNS name>",
    "username": "<required: username>",
    "password": "<required: password>",
    "dbname": "<required: database name>",
    "port": "<optional: TCP port number. If not specified, defaults to 1521>"
  }

• Source code: Secrets Manager Lambda Rotation Template: RDS Oracle Single User

RDS Oracle Master User

arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSOracleRotationMultiUser

• Name: SecretsManagerRDSOracleRotationMultiUser

• Supported database/service: Oracle database that's hosted on an Amazon RDS database instance.

• Rotation strategy: Two users are alternated during rotation by using the credentials of a separate master user, which is stored in a separate secret. The user that's not currently active has its password changed before it's made the active user. For more information about this strategy, see Rotating AWS Secrets Manager Secrets by Alternating Between Two Existing Users.

• Expected SecretString structure:

  {
    "engine": "oracle",
    "host": "<required: instance host name/resolvable DNS name>",
    "username": "<required: username>",
    "password": "<required: password>",
    "dbname": "<required: database name>",
    "port": "<optional: TCP port number. If not specified, defaults to 1521>",
    "masterarn": "<required: the ARN of the master secret used to create 2nd user and change passwords>"
  }

• Source code: Secrets Manager Lambda Rotation Template: RDS Oracle Multiple User

RDS PostgreSQL Single User

arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSPostgreSQLRotationSingleUser

• Name: SecretsManagerRDSPostgreSQLRotationSingleUser

• Supported database/service: PostgreSQL database that's hosted on an Amazon RDS database instance.

• Rotation strategy: This changes the password for a user whose credentials are stored in the secret that's rotated. For more information about this strategy, see Rotating AWS Secrets Manager Secrets for One User with a Single Password.

• Expected SecretString structure:

  {
    "engine": "postgres",
    "host": "<required: instance host name/resolvable DNS name>",
    "username": "<required: username>",
    "password": "<required: password>",
    "dbname": "<optional: database name. If not specified, defaults to 'postgres'>",
    "port": "<optional: TCP port number. If not specified, defaults to 5432>"
  }

• Source code: Secrets Manager Lambda Rotation Template: RDS PostgreSQL Single User

RDS PostgreSQL Master User

arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSPostgreSQLRotationMultiUser

• Name: SecretsManagerRDSPostgreSQLRotationMultiUser

• Supported database/service: PostgreSQL database that's hosted on an Amazon RDS database instance.

• Rotation strategy: Two users are alternated during rotation by using the credentials of a separate master user, which is stored in a separate secret. The user that's not currently active has its password changed before it's made the active user. For more information about this strategy, see Rotating AWS Secrets Manager Secrets by Alternating Between Two Existing Users.

• Expected SecretString structure:

  {
    "engine": "postgres",
    "host": "<required: instance host name/resolvable DNS name>",
    "username": "<required: username>",
    "password": "<required: password>",
    "dbname": "<optional: database name. If not specified, defaults to 'postgres'>",
    "port": "<optional: TCP port number. If not specified, defaults to 5432>",
    "masterarn": "<required: the ARN of the master secret used to create 2nd user and change passwords>"
  }

• Source code: Secrets Manager Lambda Rotation Template: RDS PostgreSQL Multiple User

RDS Microsoft SQLServer Single User

arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSSQLServerRotationSingleUser

• Name: SecretsManagerRDSSQLServerRotationSingleUser

• Supported database/service: Microsoft SQLServer database that's hosted on an Amazon Relational Database Service (Amazon RDS) database instance.

• Rotation strategy: This changes the password for a user whose credentials are stored in the secret that's rotated. For more information about this strategy, see Rotating AWS Secrets Manager Secrets for One User with a Single Password.

• Expected SecretString structure:

  {
    "engine": "sqlserver",
    "host": "<required: instance host name/resolvable DNS name>",
    "username": "<required: username>",
    "password": "<required: password>",
    "dbname": "<optional: database name. If not specified, defaults to 'master'>",
    "port": "<optional: TCP port number. If not specified, defaults to 1433>"
  }

• Source code: Secrets Manager Lambda Rotation Template: RDS SQLServer Single User

RDS Microsoft SQLServer Master User

arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSSQLServerRotationMultiUser

• Name: SecretsManagerRDSSQLServerRotationMultiUser

• Supported database/service: Microsoft SQLServer database that's hosted on an Amazon RDS database instance.

• Rotation strategy: Two users are alternated during rotation by using the credentials of a separate master user, which is stored in a separate secret. The user that's not currently active has its password changed before it's made the active user. For more information about this strategy, see Rotating AWS Secrets Manager Secrets by Alternating Between Two Existing Users.

• Expected SecretString structure:

  {
    "engine": "sqlserver",
    "host": "<required: instance host name/resolvable DNS name>",
    "username": "<required: username>",
    "password": "<required: password>",
    "dbname": "<optional: database name. If not specified, defaults to 'master'>",
    "port": "<optional: TCP port number. If not specified, defaults to 1433>",
    "masterarn": "<required: the ARN of the master secret used to create 2nd user and change passwords>"
  }

• Source code: Secrets Manager Lambda Rotation Template: RDS SQLServer Multiple User

Templates for Other Services

Generic Rotation Function Template

arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRotationTemplate

• Name: SecretsManagerRotationTemplate

• Supported database/service: None. You supply the code to interact with whatever service you want.

• Rotation strategy: None. You supply the code to implement whatever rotation strategy you want. For more information about customizing your own function, see Understanding and Customizing Your Lambda Rotation Function.

• Expected SecretString structure: You define this as part of the code that you write.

• Source code: Secrets Manager Lambda Rotation Template: Generic Template That You Must Customize and Complete