AWS Templates You Can Use to Create Lambda Rotation Functions - AWS Secrets Manager

This section lists the AWS managed templates you can use to create a Lambda rotation function for your AWS Secrets Manager secret. The templates are published in the AWS Serverless Application Repository, which uses AWS CloudFormation to create 'stacks' of preconfigured resources. In this case, each template creates a stack consisting of the Lambda function and an IAM role that Secrets Manager can assume to invoke the function when rotation occurs.

To create a Lambda rotation function with any of the following templates, copy the ARN of the specified template (for example, arn:aws:serverlessrepo:us-east-1:123456789012:applications/SecretsManagerRDSMySQLRotationSingleUser for the RDS MySQL single-user template) and paste it into the CLI commands described in the topic Rotating AWS Secrets Manager secrets for other databases or services.

Each of the following templates creates a Lambda rotation function for a different combination of database and rotation strategy. The bullets under each template give the template name, the database or service supported by the function, the rotation strategy the function implements, the JSON structure the rotation function expects to find in the SecretString value of the rotated secret, and a link to the function's source code.

Templates for Amazon RDS Databases

RDS MariaDB Single User

  • Name: SecretsManagerRDSMariaDBRotationSingleUser

  • Supported database/service: MariaDB database hosted on an Amazon Relational Database Service (Amazon RDS) database instance.

  • Rotation strategy: This changes the password for a user with credentials stored in the rotated secret. For more information about this strategy, see Rotating AWS Secrets Manager Secrets for One User with a Single Password.

  • Expected SecretString structure:

    { "engine": "mariadb", "host": "<required: instance host name/resolvable DNS name>", "username": "<required: username>", "password": "<required: password>", "dbname": "<optional: database name. If not specified, defaults to None>", "port": "<optional: TCP port number. If not specified, defaults to 3306>" }
  • Source code

RDS MariaDB Master User

  • Name: SecretsManagerRDSMariaDBRotationMultiUser

  • Supported database/service: MariaDB database hosted on an Amazon RDS database instance.

  • Rotation strategy: Two users alternate during rotation by using the credentials of a separate master user, stored in a separate secret. Secrets Manager changes the password of the inactive user before the user becomes the active user. For more information about this strategy, see Rotating AWS Secrets Manager Secrets by Alternating Between Two Existing Users.

  • Expected SecretString structure:

    { "engine": "mariadb", "host": "<required: instance host name/resolvable DNS name>", "username": "<required: username>", "password": "<required: password>", "dbname": "<optional: database name. If not specified, defaults to None>", "port": "<optional: TCP port number. If not specified, defaults to 3306>", "masterarn": "<required: the ARN of the master secret used to create 2nd user and change passwords>" }
  • Source code

RDS MySQL Single User

  • Name: SecretsManagerRDSMySQLRotationSingleUser

  • Supported database/service: MySQL database hosted on an Amazon Relational Database Service (Amazon RDS) database instance.

  • Rotation strategy: This changes the password for a user with credentials stored in the rotated secret. For more information about this strategy, see Rotating AWS Secrets Manager Secrets for One User with a Single Password.

  • Expected SecretString structure:

    { "engine": "mysql", "host": "<required: instance host name/resolvable DNS name>", "username": "<required: username>", "password": "<required: password>", "dbname": "<optional: database name. If not specified, defaults to None>", "port": "<optional: TCP port number. If not specified, defaults to 3306>" }
  • Source code

RDS MySQL Multiple Users

  • Name: SecretsManagerRDSMySQLRotationMultiUser

  • Supported database/service: MySQL database hosted on an Amazon RDS database instance.

  • Rotation strategy: Two users alternate during rotation by using the credentials of a separate master user, stored in a separate secret. Secrets Manager changes the password of the inactive user before the user becomes the active user. For more information about this strategy, see Rotating AWS Secrets Manager Secrets by Alternating Between Two Existing Users.

  • Expected SecretString structure:

    { "engine": "mysql", "host": "<required: instance host name/resolvable DNS name>", "username": "<required: username>", "password": "<required: password>", "dbname": "<optional: database name. If not specified, defaults to None>", "port": "<optional: TCP port number. If not specified, defaults to 3306>", "masterarn": "<required: the ARN of the master secret used to create 2nd user and change passwords>" }
  • Source code

RDS Oracle Single User

  • Name: SecretsManagerRDSOracleRotationSingleUser

  • Supported database/service: Oracle database hosted on an Amazon Relational Database Service (Amazon RDS) database instance.

  • Rotation strategy: This changes the password for a user with credentials stored in the rotated secret. For more information about this strategy, see Rotating AWS Secrets Manager Secrets for One User with a Single Password.

  • Expected SecretString structure:

    { "engine": "oracle", "host": "<required: instance host name/resolvable DNS name>", "username": "<required: username>", "password": "<required: password>", "dbname": "<required: database name>", "port": "<optional: TCP port number. If not specified, defaults to 1521>" }
  • Source code

RDS Oracle Master User

  • Name: SecretsManagerRDSOracleRotationMultiUser

  • Supported database/service: Oracle database hosted on an Amazon RDS database instance.

  • Rotation strategy: Two users alternate during rotation by using the credentials of a separate master user, stored in a separate secret. Secrets Manager changes the password of the inactive user before the user becomes the active user. For more information about this strategy, see Rotating AWS Secrets Manager Secrets by Alternating Between Two Existing Users.

  • Expected SecretString structure:

    { "engine": "oracle", "host": "<required: instance host name/resolvable DNS name>", "username": "<required: username>", "password": "<required: password>", "dbname": "<required: database name>", "port": "<optional: TCP port number. If not specified, defaults to 1521>", "masterarn": "<required: the ARN of the master secret used to create 2nd user and change passwords>" }
  • Source code

RDS PostgreSQL Single User

  • Name: SecretsManagerRDSPostgreSQLRotationSingleUser

  • Supported database/service: PostgreSQL database hosted on an Amazon RDS database instance.

  • Rotation strategy: This changes the password for a user with credentials stored in the rotated secret. For more information about this strategy, see Rotating AWS Secrets Manager Secrets for One User with a Single Password.

  • Expected SecretString structure:

    { "engine": "postgres", "host": "<required: instance host name/resolvable DNS name>", "username": "<required: username>", "password": "<required: password>", "dbname": "<optional: database name. If not specified, defaults to 'postgres'>", "port": "<optional: TCP port number. If not specified, defaults to 5432>" }
  • Source code

RDS PostgreSQL Master User

  • Name: SecretsManagerRDSPostgreSQLRotationMultiUser

  • Supported database/service: PostgreSQL database hosted on an Amazon RDS database instance.

  • Rotation strategy: Two users alternate during rotation by using the credentials of a separate master user, stored in a separate secret. Secrets Manager changes the password of the inactive user before the user becomes the active user. For more information about this strategy, see Rotating AWS Secrets Manager Secrets by Alternating Between Two Existing Users.

  • Expected SecretString structure:

    { "engine": "postgres", "host": "<required: instance host name/resolvable DNS name>", "username": "<required: username>", "password": "<required: password>", "dbname": "<optional: database name. If not specified, defaults to 'postgres'>", "port": "<optional: TCP port number. If not specified, defaults to 5432>", "masterarn": "<required: the ARN of the master secret used to create 2nd user and change passwords>" }
  • Source code

RDS Microsoft SQLServer Single User

  • Name: SecretsManagerRDSSQLServerRotationSingleUser

  • Supported database/service: Microsoft SQLServer database hosted on an Amazon RDS database instance.

  • Rotation strategy: This changes the password for a user with credentials stored in the rotated secret. For more information about this strategy, see Rotating AWS Secrets Manager Secrets for One User with a Single Password.

  • Expected SecretString structure:

    { "engine": "sqlserver", "host": "<required: instance host name/resolvable DNS name>", "username": "<required: username>", "password": "<required: password>", "dbname": "<optional: database name. If not specified, defaults to 'master'>", "port": "<optional: TCP port number. If not specified, defaults to 1433>" }
  • Source code

RDS Microsoft SQLServer Master User

  • Name: SecretsManagerRDSSQLServerRotationMultiUser

  • Supported database/service: Microsoft SQLServer database hosted on an Amazon RDS database instance.

  • Rotation strategy: Two users alternate during rotation by using the credentials of a separate master user, stored in a separate secret. Secrets Manager changes the password of the inactive user before the user becomes the active user. For more information about this strategy, see Rotating AWS Secrets Manager Secrets by Alternating Between Two Existing Users.

  • Expected SecretString structure:

    { "engine": "sqlserver", "host": "<required: instance host name/resolvable DNS name>", "username": "<required: username>", "password": "<required: password>", "dbname": "<optional: database name. If not specified, defaults to 'master'>", "port": "<optional: TCP port number. If not specified, defaults to 1433>", "masterarn": "<required: the ARN of the master secret used to create 2nd user and change passwords>" }
  • Source code

Templates for Other Databases

MongoDB Single User

  • Name: SecretsManagerMongoDBRotationSingleUser

  • Supported database/service: MongoDB database version 3.2 or 3.4.

  • Rotation strategy: This changes the password for a user with credentials stored in the rotated secret. For more information about this strategy, see Rotating AWS Secrets Manager Secrets for One User with a Single Password.

  • Expected SecretString structure:

    { "engine": "mongo", "host": "<required: instance host name/resolvable DNS name>", "username": "<required: username>", "password": "<required: password>", "dbname": "<optional: database name. If not specified, defaults to None>", "port": "<optional: TCP port number. If not specified, defaults to 27017>" }
  • Source code

MongoDB Master User

  • Name: SecretsManagerMongoDBRotationMultiUser

  • Supported database/service: MongoDB database version 3.2 or 3.4.

  • Rotation strategy: Two users alternate during rotation by using the credentials of a separate master user, stored in a separate secret. Secrets Manager changes the password of the inactive user before the user becomes the active user. For more information about this strategy, see Rotating AWS Secrets Manager Secrets by Alternating Between Two Existing Users.

  • Expected SecretString structure:

    { "engine": "mongo", "host": "<required: instance host name/resolvable DNS name>", "username": "<required: username>", "password": "<required: password>", "dbname": "<optional: database name. If not specified, defaults to None>", "port": "<optional: TCP port number. If not specified, defaults to 27017>", "masterarn": "<required: the ARN of the master secret used to create 2nd user and change passwords>" }
  • Source code

Amazon Redshift Single User

  • Name: SecretsManagerRedshiftRotationSingleUser

  • Supported database/service: Amazon Redshift

  • Rotation strategy: This changes the password for a user with credentials stored in the rotated secret. For more information about this strategy, see Rotating AWS Secrets Manager Secrets for One User with a Single Password.

  • Expected SecretString structure:

    { "engine": "redshift", "host": "<required: instance host name/resolvable DNS name>", "username": "<required: username>", "password": "<required: password>", "dbname": "<optional: database name. If not specified, defaults to None>", "port": "<optional: TCP port number. If not specified, defaults to 5439>" }
  • Source code

Amazon Redshift Primary User

  • Name: SecretsManagerRedshiftRotationMultiUser

  • Supported database/service: Amazon Redshift

  • Rotation strategy: Two users alternate during rotation by using the credentials of a separate primary user, stored in a separate secret. Secrets Manager changes the password of the inactive user before the user becomes the active user. For more information about this strategy, see Rotating AWS Secrets Manager Secrets by Alternating Between Two Existing Users.

  • Expected SecretString structure:

    { "engine": "redshift", "host": "<required: instance host name/resolvable DNS name>", "username": "<required: username>", "password": "<required: password>", "dbname": "<optional: database name. If not specified, defaults to None>", "port": "<optional: TCP port number. If not specified, defaults to 5439>", "masterarn": "<required: the master secret ARN used to create 2nd user and change passwords>" }
  • Source code
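A rotation that fails because the secret does not match the structure the template expects is a common cause of rotation errors. The following added example (not AWS code and not part of this page) checks a SecretString against the per-engine structures listed above before rotation is enabled: required keys, the optional port and dbname defaults, the Oracle dbname requirement, and the masterarn that the multi-user templates need. The engine names and defaults are taken from the entries above; the validation function itself is an assumption of this example.

```python
import json

# Sentinel for engines whose template lists dbname as required (Oracle).
_REQUIRED = object()

# Per-engine defaults copied from the "Expected SecretString structure" entries.
# dbname None means the template treats it as optional with no default value.
ENGINE_DEFAULTS = {
    "mariadb":   {"port": 3306,  "dbname": None},
    "mysql":     {"port": 3306,  "dbname": None},
    "oracle":    {"port": 1521,  "dbname": _REQUIRED},
    "postgres":  {"port": 5432,  "dbname": "postgres"},
    "sqlserver": {"port": 1433,  "dbname": "master"},
    "mongo":     {"port": 27017, "dbname": None},
    "redshift":  {"port": 5439,  "dbname": None},
}

REQUIRED_KEYS = ("engine", "host", "username", "password")


def validate_secret_string(secret_string, multi_user=False):
    """Parse a SecretString and return the normalized dict a template-based
    rotation function would work with, or raise ValueError describing what
    the template would reject. multi_user=True applies the *MultiUser
    templates' extra requirement that masterarn be present.
    The returned dict still holds the password: never log it."""
    try:
        secret = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        raise ValueError(f"SecretString is not valid JSON: {exc}") from None
    missing = [k for k in REQUIRED_KEYS if not secret.get(k)]
    if missing:
        raise ValueError(f"missing required keys: {missing}")
    engine = secret["engine"]
    if engine not in ENGINE_DEFAULTS:
        raise ValueError(f"engine {engine!r} has no AWS-managed template")
    defaults = ENGINE_DEFAULTS[engine]
    if defaults["dbname"] is _REQUIRED and not secret.get("dbname"):
        raise ValueError(f"dbname is required for engine {engine!r}")
    masterarn = str(secret.get("masterarn", ""))
    if multi_user and not (masterarn.startswith("arn:") and ":secretsmanager:" in masterarn):
        raise ValueError("multi-user templates require masterarn to reference the master secret")
    normalized = dict(secret)
    # The templates accept port as a string; a non-numeric value raises ValueError here.
    normalized["port"] = int(secret.get("port", defaults["port"]))
    if defaults["dbname"] is not _REQUIRED:
        normalized["dbname"] = secret.get("dbname") or defaults["dbname"]
    return normalized
```

Run it against the secret value returned by GetSecretValue for the secret you are about to enable rotation on, with multi_user matching the template you chose.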

Templates for Other Services

Generic Rotation Function Template

  • Name: SecretsManagerRotationTemplate

  • Supported database/service: None. You supply the code to interact with whatever service you want.

  • Rotation strategy: None. You supply the code to implement whatever rotation strategy you want. For more information about customizing your own function, see Understanding and customizing your Lambda rotation function.

  • Expected SecretString structure: You define this as part of your written code.

  • Source code