Secrets Manager rotation function templates

To create a Lambda rotation function with any of the following templates, we recommend you use the procedures in Automatically rotate an Amazon RDS, Amazon DocumentDB, or Amazon Redshift secret or Automatically rotate another type of secret. Secrets Manager includes the required dependencies when you turn on rotation, unless you create your Lambda rotation function by hand. The templates support Python 3.7.

Secrets Manager provides the following rotation function templates:

Contents

• Amazon RDS databases
  • Amazon RDS MariaDB single user
  • Amazon RDS MariaDB alternating users
  • Amazon RDS MySQL single user
  • Amazon RDS MySQL alternating users
  • Amazon RDS Oracle single user
  • Amazon RDS Oracle alternating users
  • Amazon RDS PostgreSQL single user
  • Amazon RDS PostgreSQL alternating users
  • Amazon RDS Microsoft SQLServer single user
  • Amazon RDS Microsoft SQLServer alternating users
• Amazon DocumentDB databases
  • Amazon DocumentDB MongoDB single user
  • Amazon DocumentDB MongoDB alternating users
• Amazon Redshift
  • Amazon Redshift single user
  • Amazon Redshift primary user
• Other types of secrets
  • Generic rotation function template

Amazon RDS databases

Amazon RDS MariaDB single user

• Name: SecretsManagerRDSMariaDBRotationSingleUser

• Supported database/service: MariaDB database hosted on an Amazon Relational Database Service (Amazon RDS) database instance.

• Rotation strategy: Single user rotation strategy.

• Expected SecretString structure:

  {
    "engine": "mariadb",
    "host": "<required: instance host name/resolvable DNS name>",
    "username": "<required: username>",
    "password": "<required: password>",
    "dbname": "<optional: database name. If not specified, defaults to None>",
    "port": "<optional: TCP port number. If not specified, defaults to 3306>"
  }

• Source code

Amazon RDS MariaDB alternating users

• Name: SecretsManagerRDSMariaDBRotationMultiUser

• Supported database/service: MariaDB database hosted on an Amazon RDS database instance.

• Rotation strategy: Alternating users rotation strategy.

• Expected SecretString structure:

  {
    "engine": "mariadb",
    "host": "<required: instance host name/resolvable DNS name>",
    "username": "<required: username>",
    "password": "<required: password>",
    "dbname": "<optional: database name. If not specified, defaults to None>",
    "port": "<optional: TCP port number. If not specified, defaults to 3306>",
    "masterarn": "<required: the ARN of the elevated secret used to create 2nd user and change passwords>"
  }

• Source code

Amazon RDS MySQL single user

• Name: SecretsManagerRDSMySQLRotationSingleUser

• Supported database/service: MySQL database hosted on an Amazon Relational Database Service (Amazon RDS) database instance.

• Rotation strategy: Single user rotation strategy.

• Expected SecretString structure:

  {
    "engine": "mysql",
    "host": "<required: instance host name/resolvable DNS name>",
    "username": "<required: username>",
    "password": "<required: password>",
    "dbname": "<optional: database name. If not specified, defaults to None>",
    "port": "<optional: TCP port number. If not specified, defaults to 3306>"
  }

• Source code

Amazon RDS MySQL alternating users

• Name: SecretsManagerRDSMySQLRotationMultiUser

• Supported database/service: MySQL database hosted on an Amazon RDS database instance.

• Rotation strategy: Alternating users rotation strategy.

• Expected SecretString structure:

  {
    "engine": "mysql",
    "host": "<required: instance host name/resolvable DNS name>",
    "username": "<required: username>",
    "password": "<required: password>",
    "dbname": "<optional: database name. If not specified, defaults to None>",
    "port": "<optional: TCP port number. If not specified, defaults to 3306>",
    "masterarn": "<required: the ARN of the elevated secret used to create 2nd user and change passwords>"
  }

• Source code

Amazon RDS Oracle single user

• Name: SecretsManagerRDSOracleRotationSingleUser

• Supported database/service: Oracle database hosted on an Amazon Relational Database Service (Amazon RDS) database instance.

• Rotation strategy: Single user rotation strategy.

• Expected SecretString structure:

  {
    "engine": "oracle",
    "host": "<required: instance host name/resolvable DNS name>",
    "username": "<required: username>",
    "password": "<required: password>",
    "dbname": "<required: database name>",
    "port": "<optional: TCP port number. If not specified, defaults to 1521>"
  }

• Source code

Amazon RDS Oracle alternating users

• Name: SecretsManagerRDSOracleRotationMultiUser

• Supported database/service: Oracle database hosted on an Amazon RDS database instance.

• Rotation strategy: Alternating users rotation strategy.

• Expected SecretString structure:

  {
    "engine": "oracle",
    "host": "<required: instance host name/resolvable DNS name>",
    "username": "<required: username>",
    "password": "<required: password>",
    "dbname": "<required: database name>",
    "port": "<optional: TCP port number. If not specified, defaults to 1521>",
    "masterarn": "<required: the ARN of the elevated secret used to create 2nd user and change passwords>"
  }

• Source code

Amazon RDS PostgreSQL single user

• Name: SecretsManagerRDSPostgreSQLRotationSingleUser

• Supported database/service: PostgreSQL database hosted on an Amazon RDS database instance.

• Rotation strategy: Single user rotation strategy.

• Expected SecretString structure:

  {
    "engine": "postgres",
    "host": "<required: instance host name/resolvable DNS name>",
    "username": "<required: username>",
    "password": "<required: password>",
    "dbname": "<optional: database name. If not specified, defaults to 'postgres'>",
    "port": "<optional: TCP port number. If not specified, defaults to 5432>"
  }

• Source code

Amazon RDS PostgreSQL alternating users

• Name: SecretsManagerRDSPostgreSQLRotationMultiUser

• Supported database/service: PostgreSQL database hosted on an Amazon RDS database instance.

• Rotation strategy: Alternating users rotation strategy.

• Expected SecretString structure:

  {
    "engine": "postgres",
    "host": "<required: instance host name/resolvable DNS name>",
    "username": "<required: username>",
    "password": "<required: password>",
    "dbname": "<optional: database name. If not specified, defaults to 'postgres'>",
    "port": "<optional: TCP port number. If not specified, defaults to 5432>",
    "masterarn": "<required: the ARN of the elevated secret used to create 2nd user and change passwords>"
  }

• Source code

Amazon RDS Microsoft SQLServer single user

• Name: SecretsManagerRDSSQLServerRotationSingleUser

• Supported database/service: Microsoft SQLServer database hosted on an Amazon RDS database instance.

• Rotation strategy: Single user rotation strategy.

• Expected SecretString structure:

  {
    "engine": "sqlserver",
    "host": "<required: instance host name/resolvable DNS name>",
    "username": "<required: username>",
    "password": "<required: password>",
    "dbname": "<optional: database name. If not specified, defaults to 'master'>",
    "port": "<optional: TCP port number. If not specified, defaults to 1433>"
  }

• Source code

Amazon RDS Microsoft SQLServer alternating users

• Name: SecretsManagerRDSSQLServerRotationMultiUser

• Supported database/service: Microsoft SQLServer database hosted on an Amazon RDS database instance.

• Rotation strategy: Alternating users rotation strategy.

• Expected SecretString structure:

  {
    "engine": "sqlserver",
    "host": "<required: instance host name/resolvable DNS name>",
    "username": "<required: username>",
    "password": "<required: password>",
    "dbname": "<optional: database name. If not specified, defaults to 'master'>",
    "port": "<optional: TCP port number. If not specified, defaults to 1433>",
    "masterarn": "<required: the ARN of the elevated secret used to create 2nd user and change passwords>"
  }

• Source code

Amazon DocumentDB databases

Amazon DocumentDB MongoDB single user

• Name: SecretsManagerMongoDBRotationSingleUser

• Supported database/service: MongoDB database version 3.2 or 3.4.

• Rotation strategy: Single user rotation strategy.

• Expected SecretString structure:

  {
    "engine": "mongo",
    "host": "<required: instance host name/resolvable DNS name>",
    "username": "<required: username>",
    "password": "<required: password>",
    "dbname": "<optional: database name. If not specified, defaults to None>",
    "port": "<optional: TCP port number. If not specified, defaults to 27017>"
  }

• Source code: Source code

Amazon DocumentDB MongoDB alternating users

• Name: SecretsManagerMongoDBRotationMultiUser

• Supported database or service: MongoDB database version 3.2 or 3.4.

• Rotation strategy: Alternating users rotation strategy.

• Expected SecretString structure:

  {
    "engine": "mongo",
    "host": "<required: instance host name/resolvable DNS name>",
    "username": "<required: username>",
    "password": "<required: password>",
    "dbname": "<optional: database name. If not specified, defaults to None>",
    "port": "<optional: TCP port number. If not specified, defaults to 27017>",
    "masterarn": "<required: the ARN of the elevated secret used to create 2nd user and change passwords>"
  }

• Source code

Amazon Redshift

Amazon Redshift single user

arn:aws:serverlessrepo:us-east-1:123456789012:applications/SecretsManagerRDSMySQLRotationSingleUser

• Name: SecretsManagerRedshiftRotationSingleUser

• Supported database/service: Amazon Redshift

• Rotation strategy: Single user rotation strategy.

• Expected SecretString structure:

  {
    "engine": "redshift",
    "host": "<required: instance host name/resolvable DNS name>",
    "username": "<required: username>",
    "password": "<required: password>",
    "dbname": "<optional: database name. If not specified, defaults to None>",
    "port": "<optional: TCP port number. If not specified, defaults to 5439>"
  }

• Source code

Amazon Redshift primary user

• Name: SecretsManagerRedshiftRotationMultiUser

• Supported database/service: Amazon Redshift

• Rotation strategy: Alternating users rotation strategy.

• Expected SecretString structure:

  {
    "engine": "redshift",
    "host": "<required: instance host name/resolvable DNS name",
    "username": "<required: username>",
    "password": "<required: password>",
    "dbname": "<optional: database name. If not specified, defaults to None",
    "port": "<optional: TCP port number. If not specified, defaults to 5439",
    "masterarn": "<required: the elevated secret ARN used to create 2nd user and change passwords"
  }

• Source code

Other types of secrets

Generic rotation function template

• Name: SecretsManagerRotationTemplate

• Supported database/service: None. You supply the code to interact with whatever service you want.

• Rotation strategy: You can use this template to implement your own strategy. See Automatically rotate another type of secret.

• Expected SecretString structure: You define this.

• Source code: Source code