Lambda rotation functions
In Rotation by Lambda function, a Lambda function does the work of rotating the secret. Secrets Manager uses staging labels to label secret versions during rotation.
If Secrets Manager doesn't provide a rotation function template for your type of secret, you can create a rotation function. When writing a rotation function, follow the guidance for each step.
Tips for writing your own rotation function
-
Use the generic rotation template as a starting point to write your own rotation function.
-
As you write your function, be cautious about including debugging or logging statements. These statements can cause information in your function to be written to Amazon CloudWatch, so you need to make sure the log doesn't include any sensitive information collected during development.
For examples of log statements, see the AWS Secrets Manager rotation function templates source code.
-
For security, Secrets Manager only permits a Lambda rotation function to rotate the secret directly. The rotation function can't call a second Lambda function to rotate the secret.
-
For debugging suggestions, see Testing and debugging serverless applications.
-
If you use external binaries and libraries, for example to connect to a resource, you must manage patching them and keeping them up-to-date.
-
Save your rotation function in a ZIP file
my-function.zip
along with any required dependencies.
Four steps in a rotation function
Topics
create_secret
: Create a new version of the secret
The method create_secret
first checks if a secret exists by calling get_secret_value
ClientRequestToken
. If there's no secret, it creates a new secret with create_secret
VersionId
. Then it generates a new secret value with get_random_password
put_secret_value
. Storing the new secret value in AWSPENDING
helps ensure idempotency. If rotation fails for any reason, you can refer to that secret value in subsequent calls. See How do I make my Lambda function idempotentAWSPENDING
Tips for writing your own rotation function
Ensure the new secret value only includes characters that are valid for the database or service. Exclude characters by using the
ExcludeCharacters
parameter.As you test your function, use the AWS CLI to see version stages: call
describe-secret
and look atVersionIdsToStages
.-
For Amazon RDS MySQL, in alternating users rotation, Secrets Manager creates a cloned user with a name no longer than 16 characters. You can modify the rotation function to allow longer usernames. MySQL version 5.7 and higher supports usernames up to 32 characters, however Secrets Manager appends "_clone" (six characters) to the end of the username, so you must keep the username to a maximum of 26 characters.
set_secret
: Change the credentials in the database or service
The method set_secret
changes the credential in the database or service to match the new secret value in the AWSPENDING
version of the secret.
Tips for writing your own rotation function
-
If you pass statements to a service that interprets statements, like a database, use query parameterization. For more information, see Query Parameterization Cheat Sheet
on the OWASP web site. -
The rotation function is a privileged deputy that has the authorization to access and modify customer credentials in both the Secrets Manager secret and the target resource. To prevent a potential confused deputy attack, you need to make sure that an attacker cannot use the function to access other resources. Before you update the credential:
Check that the credential in the
AWSCURRENT
version of the secret is valid. If theAWSCURRENT
credential isn't valid, abandon the rotation attempt.Check that the
AWSCURRENT
andAWSPENDING
secret values are for the same resource. For a username and password, check that theAWSCURRENT
andAWSPENDING
usernames are the same.Check that the destination service resource is the same. For a database, check that the
AWSCURRENT
andAWSPENDING
host names are the same.
-
In rare cases, you might want to customize an existing rotation function for a database. For example, with alternating users rotation, Secrets Manager creates the cloned user by copying the runtime configuration parameters
of the first user. If you want to include more attributes, or change which ones are granted to the cloned user, you need to update the code in the set_secret
function.
test_secret
: Test the new secret version
Next, the Lambda rotation function tests the AWSPENDING
version of the secret by using it to access the database or service. Rotation functions based on Rotation function
templates test the new secret by using read access.
finish_secret
: Finish the rotation
Finally, the Lambda rotation function moves the label AWSCURRENT
from the previous secret version to this version, which also removes the AWSPENDING
label in the same API call. Secrets Manager adds the AWSPREVIOUS
staging label to the previous version, so that you retain the last known good version of the secret.
The method finish_secret
uses update_secret_version_stage
AWSCURRENT
from the previous secret version to the new secret version. Secrets Manager automatically adds the AWSPREVIOUS
staging label to the previous version, so that you retain the last known good version of the secret.
Tips for writing your own rotation function
Don't remove
AWSPENDING
before this point, and don't remove it by using a a separate API call, because that can indicate to Secrets Manager that the rotation did not complete successfully. Secrets Manager adds theAWSPREVIOUS
staging label to the previous version, so that you retain the last known good version of the secret.
When rotation is successful, the AWSPENDING
staging label might be attached to the same version as the AWSCURRENT
version, or it might not be attached to any version. If the AWSPENDING
staging label is present but not attached to the same version as AWSCURRENT
, then any later invocation of rotation assumes that a previous rotation request is still in progress and returns an error. When rotation is unsuccessful, the AWSPENDING
staging label might be attached to an empty secret version. For more information, see Troubleshoot rotation.