AWS Templates You Can Use to Create Lambda Rotation Functions
This section identifies the AWS managed templates that you can use to create a Lambda rotation function for your AWS Secrets Manager secret. These templates are associated with the AWS Serverless Application Repository, which uses AWS CloudFormation to create 'stacks' of preconfigured resources. In this case, they create a stack that consists of the Lambda function and an IAM role that Secrets Manager can assume to invoke the function when rotation occurs.
To create a Lambda rotation function with any of the following templates, you can copy and paste the ARN of the specified template into the CLI commands described in the topic Rotating AWS Secrets Manager Secrets for Other Databases or Services.
Each of the following templates creates a Lambda rotation function for a different
combination of database and rotation strategy. The first bullet under each shows the
database or
service that the function supports. The second bullet describes the rotation strategy
that's
implemented by the function. The third bullet specifies the JSON structure that the
rotation
function expects to find in the SecretString value of the secret being
rotated.
RDS databases
Other databases and services
Templates for Databases Running on Amazon RDS
RDS MariaDB Single User
arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSMariaDBRotationSingleUser
-
Name: SecretsManagerRDSMariaDBRotationSingleUser
-
Supported database/service: MariaDB database that's hosted on an Amazon Relational Database Service (Amazon RDS) database instance.
-
Rotation strategy: This changes the password for a user whose credentials are stored in the secret that's rotated. For more information about this strategy, see Rotating AWS Secrets Manager Secrets for One User with a Single Password.
-
Expected
SecretStringstructure:{ "engine": "mariadb", "host": "<required: instance host name/resolvable DNS name>", "username": "<required: username>", "password": "<required: password>", "dbname": "<optional: database name. If not specified, defaults to None>", "port": "<optional: TCP port number. If not specified, defaults to 3306>" }
RDS MariaDB Master User
arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSMariaDBRotationMultiUser
-
Name: SecretsManagerRDSMariaDBRotationMultiUser
-
Supported database/service: MariaDB database that's hosted on an Amazon RDS database instance.
-
Rotation strategy: Two users are alternated during rotation by using the credentials of a separate master user, which is stored in a separate secret. The user that's not currently active has its password changed before it's made the active user. For more information about this strategy, see Rotating AWS Secrets Manager Secrets by Alternating Between Two Existing Users.
-
Expected
SecretStringstructure:{ "engine": "mariadb", "host": "<required: instance host name/resolvable DNS name>", "username": "<required: username>", "password": "<required: password>", "dbname": "<optional: database name. If not specified, defaults to None>", "port": "<optional: TCP port number. If not specified, defaults to 3306>", "masterarn": "<required: the ARN of the master secret used to create 2nd user and change passwords>" }
RDS MySQL Single User
arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSMySQLRotationSingleUser
-
Name: SecretsManagerRDSMySQLRotationSingleUser
-
Supported database/service: MySQL database that's hosted on an Amazon Relational Database Service (Amazon RDS) database instance.
-
Rotation strategy: This changes the password for a user whose credentials are stored in the secret that's rotated. For more information about this strategy, see Rotating AWS Secrets Manager Secrets for One User with a Single Password.
-
Expected
SecretStringstructure:{ "engine": "mysql", "host": "<required: instance host name/resolvable DNS name>", "username": "<required: username>", "password": "<required: password>", "dbname": "<optional: database name. If not specified, defaults to None>", "port": "<optional: TCP port number. If not specified, defaults to 3306>" }
RDS MySQL Master User
arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSMySQLRotationMultiUser
-
Name: SecretsManagerRDSMySQLRotationMultiUser
-
Supported database/service: MySQL database that's hosted on an Amazon RDS database instance.
-
Rotation strategy: Two users are alternated during rotation by using the credentials of a separate master user, which is stored in a separate secret. The user that's not currently active has its password changed before it's made the active user. For more information about this strategy, see Rotating AWS Secrets Manager Secrets by Alternating Between Two Existing Users.
-
Expected
SecretStringstructure:{ "engine": "mysql", "host": "<required: instance host name/resolvable DNS name>", "username": "<required: username>", "password": "<required: password>", "dbname": "<optional: database name. If not specified, defaults to None>", "port": "<optional: TCP port number. If not specified, defaults to 3306>", "masterarn": "<required: the ARN of the master secret used to create 2nd user and change passwords>" }
RDS Oracle Single User
arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSOracleRotationSingleUser
-
Name: SecretsManagerRDSOracleRotationSingleUser
-
Supported database/service: Oracle database that's hosted on an Amazon Relational Database Service (Amazon RDS) database instance.
-
Rotation strategy: This changes the password for a user whose credentials are stored in the secret that's rotated. For more information about this strategy, see Rotating AWS Secrets Manager Secrets for One User with a Single Password.
-
Expected
SecretStringstructure:{ "engine": "oracle", "host": "<required: instance host name/resolvable DNS name>", "username": "<required: username>", "password": "<required: password>", "dbname": "<required: database name>", "port": "<optional: TCP port number. If not specified, defaults to 1521>" }
RDS Oracle Master User
arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSOracleRotationMultiUser
-
Name: SecretsManagerRDSOracleRotationMultiUser
-
Supported database/service: Oracle database that's hosted on an Amazon RDS database instance.
-
Rotation strategy: Two users are alternated during rotation by using the credentials of a separate master user, which is stored in a separate secret. The user that's not currently active has its password changed before it's made the active user. For more information about this strategy, see Rotating AWS Secrets Manager Secrets by Alternating Between Two Existing Users.
-
Expected
SecretStringstructure:{ "engine": "oracle", "host": "<required: instance host name/resolvable DNS name>", "username": "<required: username>", "password": "<required: password>", "dbname": "<required: database name>", "port": "<optional: TCP port number. If not specified, defaults to 1521>", "masterarn": "<required: the ARN of the master secret used to create 2nd user and change passwords>" }
RDS PostgreSQL Single User
arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSPostgreSQLRotationSingleUser
-
Name: SecretsManagerRDSPostgreSQLRotationSingleUser
-
Supported database/service: PostgreSQL database that's hosted on an Amazon RDS database instance.
-
Rotation strategy: This changes the password for a user whose credentials are stored in the secret that's rotated. For more information about this strategy, see Rotating AWS Secrets Manager Secrets for One User with a Single Password.
-
Expected
SecretStringstructure:{ "engine": "postgres", "host": "<required: instance host name/resolvable DNS name>", "username": "<required: username>", "password": "<required: password>", "dbname": "<optional: database name. If not specified, defaults to 'postgres'>", "port": "<optional: TCP port number. If not specified, defaults to 5432>" }
RDS PostgreSQL Master User
arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSPostgreSQLRotationMultiUser
-
Name: SecretsManagerRDSPostgreSQLRotationMultiUser
-
Supported database/service: PostgreSQL database that's hosted on an Amazon RDS database instance.
-
Rotation strategy: Two users are alternated during rotation by using the credentials of a separate master user, which is stored in a separate secret. The user that's not currently active has its password changed before it's made the active user. For more information about this strategy, see Rotating AWS Secrets Manager Secrets by Alternating Between Two Existing Users.
-
Expected
SecretStringstructure:{ "engine": "postgres", "host": "<required: instance host name/resolvable DNS name>", "username": "<required: username>", "password": "<required: password>", "dbname": "<optional: database name. If not specified, defaults to 'postgres'>", "port": "<optional: TCP port number. If not specified, defaults to 5432>", "masterarn": "<required: the ARN of the master secret used to create 2nd user and change passwords>" }
RDS Microsoft SQLServer Single User
arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSSQLServerRotationSingleUser
-
Name: SecretsManagerRDSSQLServerRotationSingleUser
-
Supported database/service: Microsoft SQLServer database that's hosted on an Amazon Relational Database Service (Amazon RDS) database instance.
-
Rotation strategy: This changes the password for a user whose credentials are stored in the secret that's rotated. For more information about this strategy, see Rotating AWS Secrets Manager Secrets for One User with a Single Password.
-
Expected
SecretStringstructure:{ "engine": "sqlserver", "host": "<required: instance host name/resolvable DNS name>", "username": "<required: username>", "password": "<required: password>", "dbname": "<optional: database name. If not specified, defaults to 'master'>", "port": "<optional: TCP port number. If not specified, defaults to 1433>" }
RDS Microsoft SQLServer Master User
arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSSQLServerRotationMultiUser
-
Name: SecretsManagerRDSSQLServerRotationMultiUser
-
Supported database/service: Microsoft SQLServer database that's hosted on an Amazon RDS database instance.
-
Rotation strategy: Two users are alternated during rotation by using the credentials of a separate master user, which is stored in a separate secret. The user that's not currently active has its password changed before it's made the active user. For more information about this strategy, see Rotating AWS Secrets Manager Secrets by Alternating Between Two Existing Users.
-
Expected
SecretStringstructure:{ "engine": "sqlserver", "host": "<required: instance host name/resolvable DNS name>", "username": "<required: username>", "password": "<required: password>", "dbname": "<optional: database name. If not specified, defaults to 'master'>", "port": "<optional: TCP port number. If not specified, defaults to 1433>", "masterarn": "<required: the ARN of the master secret used to create 2nd user and change passwords>" }
Templates for Other Services
Generic Rotation Function Template
arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRotationTemplate
-
Name: SecretsManagerRotationTemplate
-
Supported database/service: None. You supply the code to interact with whatever service you want.
-
Rotation strategy: None. You supply the code to implement whatever rotation strategy you want. For more information about customizing your own function, see Understanding and Customizing Your Lambda Rotation Function.
-
Expected
SecretStringstructure: You define this as part of the code that you write. -
Source code: Source code
