AWS Secrets Manager
User Guide

AWS Templates You Can Use to Create Lambda Rotation Functions

This section identifies the AWS managed templates that you can use to create a Lambda rotation function for your AWS Secrets Manager secret. These templates are associated with the AWS Serverless Application Repository, which uses AWS CloudFormation to create 'stacks' of preconfigured resources. In this case, they create a stack that consists of the Lambda function and an IAM role that Secrets Manager can assume to invoke the function when rotation occurs.

To create a Lambda rotation function with any of the following templates, you can copy and paste the ARN of the specified template into the CLI commands described in the topic Rotating AWS Secrets Manager Secrets for Other Databases or Services.

Each of the following templates creates a Lambda rotation function for a different combination of database engine and rotation strategy. The bullets under each template give the function's name, the database or service it supports, the rotation strategy it implements, the JSON structure it expects to find in the SecretString value of the secret being rotated, and a link to its source code.

RDS databases

Other databases and services

Templates for Databases Running on Amazon RDS

RDS MariaDB Single User

arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSMariaDBRotationSingleUser
  • Name: SecretsManagerRDSMariaDBRotationSingleUser

  • Supported database/service: MariaDB database that's hosted on an Amazon Relational Database Service (Amazon RDS) database instance.

  • Rotation strategy: This changes the password for a user whose credentials are stored in the secret that's rotated. For more information about this strategy, see Rotating AWS Secrets Manager Secrets for One User with a Single Password.

  • Expected SecretString structure:

    {
      "engine": "mariadb",
      "host": "<required: instance host name/resolvable DNS name>",
      "username": "<required: username>",
      "password": "<required: password>",
      "dbname": "<optional: database name. If not specified, defaults to None>",
      "port": "<optional: TCP port number. If not specified, defaults to 3306>"
    }

  • Source code: Secrets Manager Lambda Rotation Template: RDS MariaDB Single User

RDS MariaDB Master User

arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSMariaDBRotationMultiUser
  • Name: SecretsManagerRDSMariaDBRotationMultiUser

  • Supported database/service: MariaDB database that's hosted on an Amazon RDS database instance.

  • Rotation strategy: Two users are alternated during rotation by using the credentials of a separate master user, which is stored in a separate secret. The user that's not currently active has its password changed before it's made the active user. For more information about this strategy, see Rotating AWS Secrets Manager Secrets by Alternating Between Two Existing Users.

  • Expected SecretString structure:

    {
      "engine": "mariadb",
      "host": "<required: instance host name/resolvable DNS name>",
      "username": "<required: username>",
      "password": "<required: password>",
      "dbname": "<optional: database name. If not specified, defaults to None>",
      "port": "<optional: TCP port number. If not specified, defaults to 3306>",
      "masterarn": "<required: the ARN of the master secret used to create 2nd user and change passwords>"
    }

  • Source code: Secrets Manager Lambda Rotation Template: RDS MariaDB Multiple User

RDS MySQL Single User

arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSMySQLRotationSingleUser
  • Name: SecretsManagerRDSMySQLRotationSingleUser

  • Supported database/service: MySQL database that's hosted on an Amazon Relational Database Service (Amazon RDS) database instance.

  • Rotation strategy: This changes the password for a user whose credentials are stored in the secret that's rotated. For more information about this strategy, see Rotating AWS Secrets Manager Secrets for One User with a Single Password.

  • Expected SecretString structure:

    {
      "engine": "mysql",
      "host": "<required: instance host name/resolvable DNS name>",
      "username": "<required: username>",
      "password": "<required: password>",
      "dbname": "<optional: database name. If not specified, defaults to None>",
      "port": "<optional: TCP port number. If not specified, defaults to 3306>"
    }

  • Source code: Secrets Manager Lambda Rotation Template: RDS MySQL Single User

RDS MySQL Master User

arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSMySQLRotationMultiUser
  • Name: SecretsManagerRDSMySQLRotationMultiUser

  • Supported database/service: MySQL database that's hosted on an Amazon RDS database instance.

  • Rotation strategy: Two users are alternated during rotation by using the credentials of a separate master user, which is stored in a separate secret. The user that's not currently active has its password changed before it's made the active user. For more information about this strategy, see Rotating AWS Secrets Manager Secrets by Alternating Between Two Existing Users.

  • Expected SecretString structure:

    {
      "engine": "mysql",
      "host": "<required: instance host name/resolvable DNS name>",
      "username": "<required: username>",
      "password": "<required: password>",
      "dbname": "<optional: database name. If not specified, defaults to None>",
      "port": "<optional: TCP port number. If not specified, defaults to 3306>",
      "masterarn": "<required: the ARN of the master secret used to create 2nd user and change passwords>"
    }

  • Source code: Secrets Manager Lambda Rotation Template: RDS MySQL Multiple User

RDS Oracle Single User

arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSOracleRotationSingleUser
  • Name: SecretsManagerRDSOracleRotationSingleUser

  • Supported database/service: Oracle database that's hosted on an Amazon Relational Database Service (Amazon RDS) database instance.

  • Rotation strategy: This changes the password for a user whose credentials are stored in the secret that's rotated. For more information about this strategy, see Rotating AWS Secrets Manager Secrets for One User with a Single Password.

  • Expected SecretString structure:

    {
      "engine": "oracle",
      "host": "<required: instance host name/resolvable DNS name>",
      "username": "<required: username>",
      "password": "<required: password>",
      "dbname": "<required: database name>",
      "port": "<optional: TCP port number. If not specified, defaults to 1521>"
    }

  • Source code: Secrets Manager Lambda Rotation Template: RDS Oracle Single User

RDS Oracle Master User

arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSOracleRotationMultiUser
  • Name: SecretsManagerRDSOracleRotationMultiUser

  • Supported database/service: Oracle database that's hosted on an Amazon RDS database instance.

  • Rotation strategy: Two users are alternated during rotation by using the credentials of a separate master user, which is stored in a separate secret. The user that's not currently active has its password changed before it's made the active user. For more information about this strategy, see Rotating AWS Secrets Manager Secrets by Alternating Between Two Existing Users.

  • Expected SecretString structure:

    {
      "engine": "oracle",
      "host": "<required: instance host name/resolvable DNS name>",
      "username": "<required: username>",
      "password": "<required: password>",
      "dbname": "<required: database name>",
      "port": "<optional: TCP port number. If not specified, defaults to 1521>",
      "masterarn": "<required: the ARN of the master secret used to create 2nd user and change passwords>"
    }

  • Source code: Secrets Manager Lambda Rotation Template: RDS Oracle Multiple User

RDS PostgreSQL Single User

arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSPostgreSQLRotationSingleUser
  • Name: SecretsManagerRDSPostgreSQLRotationSingleUser

  • Supported database/service: PostgreSQL database that's hosted on an Amazon RDS database instance.

  • Rotation strategy: This changes the password for a user whose credentials are stored in the secret that's rotated. For more information about this strategy, see Rotating AWS Secrets Manager Secrets for One User with a Single Password.

  • Expected SecretString structure:

    {
      "engine": "postgres",
      "host": "<required: instance host name/resolvable DNS name>",
      "username": "<required: username>",
      "password": "<required: password>",
      "dbname": "<optional: database name. If not specified, defaults to 'postgres'>",
      "port": "<optional: TCP port number. If not specified, defaults to 5432>"
    }

  • Source code: Secrets Manager Lambda Rotation Template: RDS PostgreSQL Single User

RDS PostgreSQL Master User

arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSPostgreSQLRotationMultiUser
  • Name: SecretsManagerRDSPostgreSQLRotationMultiUser

  • Supported database/service: PostgreSQL database that's hosted on an Amazon RDS database instance.

  • Rotation strategy: Two users are alternated during rotation by using the credentials of a separate master user, which is stored in a separate secret. The user that's not currently active has its password changed before it's made the active user. For more information about this strategy, see Rotating AWS Secrets Manager Secrets by Alternating Between Two Existing Users.

  • Expected SecretString structure:

    {
      "engine": "postgres",
      "host": "<required: instance host name/resolvable DNS name>",
      "username": "<required: username>",
      "password": "<required: password>",
      "dbname": "<optional: database name. If not specified, defaults to 'postgres'>",
      "port": "<optional: TCP port number. If not specified, defaults to 5432>",
      "masterarn": "<required: the ARN of the master secret used to create 2nd user and change passwords>"
    }

  • Source code: Secrets Manager Lambda Rotation Template: RDS PostgreSQL Multiple User

RDS Microsoft SQLServer Single User

arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSSQLServerRotationSingleUser
  • Name: SecretsManagerRDSSQLServerRotationSingleUser

  • Supported database/service: Microsoft SQLServer database that's hosted on an Amazon Relational Database Service (Amazon RDS) database instance.

  • Rotation strategy: This changes the password for a user whose credentials are stored in the secret that's rotated. For more information about this strategy, see Rotating AWS Secrets Manager Secrets for One User with a Single Password.

  • Expected SecretString structure:

    {
      "engine": "sqlserver",
      "host": "<required: instance host name/resolvable DNS name>",
      "username": "<required: username>",
      "password": "<required: password>",
      "dbname": "<optional: database name. If not specified, defaults to 'master'>",
      "port": "<optional: TCP port number. If not specified, defaults to 1433>"
    }

  • Source code: Secrets Manager Lambda Rotation Template: RDS SQLServer Single User

RDS Microsoft SQLServer Master User

arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSSQLServerRotationMultiUser
  • Name: SecretsManagerRDSSQLServerRotationMultiUser

  • Supported database/service: Microsoft SQLServer database that's hosted on an Amazon RDS database instance.

  • Rotation strategy: Two users are alternated during rotation by using the credentials of a separate master user, which is stored in a separate secret. The user that's not currently active has its password changed before it's made the active user. For more information about this strategy, see Rotating AWS Secrets Manager Secrets by Alternating Between Two Existing Users.

  • Expected SecretString structure:

    {
      "engine": "sqlserver",
      "host": "<required: instance host name/resolvable DNS name>",
      "username": "<required: username>",
      "password": "<required: password>",
      "dbname": "<optional: database name. If not specified, defaults to 'master'>",
      "port": "<optional: TCP port number. If not specified, defaults to 1433>",
      "masterarn": "<required: the ARN of the master secret used to create 2nd user and change passwords>"
    }

  • Source code: Secrets Manager Lambda Rotation Template: RDS SQLServer Multiple User
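
The following is an added example, not code from this guide or from the AWS rotation templates: a Python check that validates a secret value against the SecretString structures the RDS templates above expect, covering all five engines at once, applying each engine's documented port and dbname defaults, and requiring masterarn for the Master User templates. The `validate_secret_string` function, the sample secret strings and the check that masterarn contains ":secretsmanager:" are assumptions made here for illustration.

```python
import json

# Per-engine defaults as given by the templates on this page: default TCP
# port and default dbname (None means the template leaves dbname unset).
ENGINE_DEFAULTS = {
    "mariadb":   {"port": 3306, "dbname": None},
    "mysql":     {"port": 3306, "dbname": None},
    "oracle":    {"port": 1521, "dbname": None},   # dbname is required here
    "postgres":  {"port": 5432, "dbname": "postgres"},
    "sqlserver": {"port": 1433, "dbname": "master"},
}
REQUIRED_KEYS = ("engine", "host", "username", "password")


def validate_secret_string(secret_string, multi_user=False):
    """Check a SecretString against the matching template's structure; return
    a copy with defaults applied or raise ValueError naming the first problem."""
    try:
        secret = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        raise ValueError(f"SecretString is not valid JSON: {exc}") from exc
    if not isinstance(secret, dict):
        raise ValueError("SecretString must be a JSON object")
    missing = [k for k in REQUIRED_KEYS if not secret.get(k)]
    if missing:
        raise ValueError("missing required key(s): " + ", ".join(missing))
    engine = secret["engine"]
    if engine not in ENGINE_DEFAULTS:
        raise ValueError(f"engine {engine!r} has no RDS template on this page")
    if engine == "oracle" and not secret.get("dbname"):
        raise ValueError("oracle template requires dbname")
    if multi_user:
        # Master User templates read the master credentials from a second
        # secret, so the rotated secret must carry that secret's ARN (assumed check).
        masterarn = secret.get("masterarn", "")
        if not masterarn or ":secretsmanager:" not in masterarn:
            raise ValueError("multi-user template requires a Secrets Manager masterarn")
    defaults = ENGINE_DEFAULTS[engine]
    result = dict(secret)
    result["port"] = int(secret.get("port", defaults["port"]))
    result["dbname"] = secret.get("dbname", defaults["dbname"])
    return result


# Constructed sample secrets (placeholder values, not real credentials).
SAMPLE_SINGLE = ('{"engine": "mysql", "host": "db.example.internal", '
                 '"username": "app", "password": "placeholder"}')
SAMPLE_PG = ('{"engine": "postgres", "host": "db.example.internal", '
             '"username": "app", "password": "placeholder", "port": "6432"}')
```

Running this against a secret before enabling rotation catches a missing masterarn or dbname up front, rather than as a failed rotation attempt in the Lambda's CloudWatch logs.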

Templates for Other Services

Generic Rotation Function Template

arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRotationTemplate