AWS Secrets Manager rotation function templates
For Rotation by Lambda function, Secrets Manager provides a number of rotation function templates. To use the templates, see:
The templates support Python 3.9.
To write your own rotation function, see Write a rotation function.
Templates
- Amazon RDS and Amazon Aurora
  - Amazon RDS Db2 single user
  - Amazon RDS Db2 alternating users
  - Amazon RDS MariaDB single user
  - Amazon RDS MariaDB alternating users
  - Amazon RDS and Amazon Aurora MySQL single user
  - Amazon RDS and Amazon Aurora MySQL alternating users
  - Amazon RDS Oracle single user
  - Amazon RDS Oracle alternating users
  - Amazon RDS and Amazon Aurora PostgreSQL single user
  - Amazon RDS and Amazon Aurora PostgreSQL alternating users
  - Amazon RDS Microsoft SQLServer single user
  - Amazon RDS Microsoft SQLServer alternating users
- Amazon DocumentDB (with MongoDB compatibility)
- Amazon Redshift
- Amazon Timestream for InfluxDB
- Amazon ElastiCache
- Active Directory
- Other types of secrets
Amazon RDS and Amazon Aurora
Amazon RDS Db2 single user
- Template name: SecretsManagerRDSDb2RotationSingleUser
- Rotation strategy: single user.
- SecretString structure: Amazon RDS and Aurora credentials.
- Dependency: python-ibmdb
Amazon RDS Db2 alternating users
- Template name: SecretsManagerRDSDb2RotationMultiUser
- Rotation strategy: alternating users.
- SecretString structure: Amazon RDS and Aurora credentials.
- Dependency: python-ibmdb
Amazon RDS MariaDB single user
- Template name: SecretsManagerRDSMariaDBRotationSingleUser
- Rotation strategy: single user.
- SecretString structure: Amazon RDS and Aurora credentials.
- Dependency: PyMySQL 1.0.2. If you use sha256 password for authentication, PyMySQL[rsa]. For information about using packages with compiled code in a Lambda runtime, see How do I add Python packages with compiled binaries to my deployment package and make the package compatible with Lambda? in AWS Knowledge Center.
Amazon RDS MariaDB alternating users
- Template name: SecretsManagerRDSMariaDBRotationMultiUser
- Rotation strategy: alternating users.
- SecretString structure: Amazon RDS and Aurora credentials.
- Dependency: PyMySQL 1.0.2. If you use sha256 password for authentication, PyMySQL[rsa]. For information about using packages with compiled code in a Lambda runtime, see How do I add Python packages with compiled binaries to my deployment package and make the package compatible with Lambda? in AWS Knowledge Center.
Amazon RDS and Amazon Aurora MySQL single user
- Template name: SecretsManagerRDSMySQLRotationSingleUser
- Rotation strategy: single user.
- Expected SecretString structure: Amazon RDS and Aurora credentials.
- Dependency: PyMySQL 1.0.2. If you use sha256 password for authentication, PyMySQL[rsa]. For information about using packages with compiled code in a Lambda runtime, see How do I add Python packages with compiled binaries to my deployment package and make the package compatible with Lambda? in AWS Knowledge Center.
Amazon RDS and Amazon Aurora MySQL alternating users
- Template name: SecretsManagerRDSMySQLRotationMultiUser
- Rotation strategy: alternating users.
- Expected SecretString structure: Amazon RDS and Aurora credentials.
- Dependency: PyMySQL 1.0.2. If you use sha256 password for authentication, PyMySQL[rsa]. For information about using packages with compiled code in a Lambda runtime, see How do I add Python packages with compiled binaries to my deployment package and make the package compatible with Lambda? in AWS Knowledge Center.
Amazon RDS Oracle single user
- Template name: SecretsManagerRDSOracleRotationSingleUser
- Rotation strategy: single user.
- Expected SecretString structure: Amazon RDS and Aurora credentials.
- Dependency: python-oracledb 2.0.1
Amazon RDS Oracle alternating users
- Template name: SecretsManagerRDSOracleRotationMultiUser
- Rotation strategy: alternating users.
- Expected SecretString structure: Amazon RDS and Aurora credentials.
- Dependency: python-oracledb 2.0.1
Amazon RDS and Amazon Aurora PostgreSQL single user
- Template name: SecretsManagerRDSPostgreSQLRotationSingleUser
- Rotation strategy: single user.
- Expected SecretString structure: Amazon RDS and Aurora credentials.
- Dependency: PyGreSQL 5.0.7
Amazon RDS and Amazon Aurora PostgreSQL alternating users
- Template name: SecretsManagerRDSPostgreSQLRotationMultiUser
- Rotation strategy: alternating users.
- Expected SecretString structure: Amazon RDS and Aurora credentials.
- Dependency: PyGreSQL 5.0.7
Amazon RDS Microsoft SQLServer single user
- Template name: SecretsManagerRDSSQLServerRotationSingleUser
- Rotation strategy: single user.
- Expected SecretString structure: Amazon RDS and Aurora credentials.
- Dependency: Pymssql 2.2.2
Amazon RDS Microsoft SQLServer alternating users
- Template name: SecretsManagerRDSSQLServerRotationMultiUser
- Rotation strategy: alternating users.
- Expected SecretString structure: Amazon RDS and Aurora credentials.
- Dependency: Pymssql 2.2.2
Amazon DocumentDB (with MongoDB compatibility)
Amazon DocumentDB single user
- Template name: SecretsManagerMongoDBRotationSingleUser
- Rotation strategy: single user.
- Expected SecretString structure: Amazon DocumentDB credentials.
- Dependency: Pymongo 3.2
Amazon DocumentDB alternating users
- Template name: SecretsManagerMongoDBRotationMultiUser
- Rotation strategy: alternating users.
- Expected SecretString structure: Amazon DocumentDB credentials.
- Dependency: Pymongo 3.2
Amazon Redshift
Amazon Redshift single user
- Template name: SecretsManagerRedshiftRotationSingleUser
- Rotation strategy: single user.
- Expected SecretString structure: Amazon Redshift credentials.
- Dependency: PyGreSQL 5.0.7
Amazon Redshift alternating users
- Template name: SecretsManagerRedshiftRotationMultiUser
- Rotation strategy: alternating users.
- Expected SecretString structure: Amazon Redshift credentials.
- Dependency: PyGreSQL 5.0.7
Amazon Timestream for InfluxDB
To use these templates, see How Amazon Timestream for InfluxDB uses secrets in the Amazon Timestream Developer Guide.
Amazon Timestream for InfluxDB single user
- Template name: SecretsManagerInfluxDBRotationSingleUser
- Expected SecretString structure: Amazon Timestream for InfluxDB secret structure.
- Dependency: InfluxDB 2.0 python client
Amazon Timestream for InfluxDB alternating users
- Template name: SecretsManagerInfluxDBRotationMultiUser
- Expected SecretString structure: Amazon Timestream for InfluxDB secret structure.
- Dependency: InfluxDB 2.0 python client
Amazon ElastiCache
To use this template, see Automatically rotating passwords for users in the Amazon ElastiCache User Guide.
- Template name: SecretsManagerElasticacheUserRotation
- Expected SecretString structure: Amazon ElastiCache credentials.
Active Directory
Active Directory credentials
- Template name: SecretsManagerActiveDirectoryRotationSingleUser
- Expected SecretString structure: Active Directory credentials.
Active Directory keytab
- Template name: SecretsManagerActiveDirectoryAndKeytabRotationSingleUser
- Expected SecretString structure: Active Directory credentials.
- Dependencies: msktutil
Other types of secrets
Secrets Manager provides this template as a starting point for you to create a rotation function for any type of secret.
- Template name: SecretsManagerRotationTemplate