Set up alternating users rotation for AWS Secrets Manager

In this tutorial, you learn how to set up alternating users rotation for a secret that contains database credentials. Alternating users rotation is a rotation strategy where Secrets Manager clones the user and then alternates which user's credentials are updated. This strategy is a good choice if you need high availability for your secret, because one of the alternating users has current credentials to RDS while the other one is being updated. For more information, see Rotation strategies.

To set up alternating users rotation, you need two secrets:

  • One secret with the credentials that you want to rotate.

  • A second secret that has credentials for an administrator or superuser who has permissions to both change the first user's password and clone the first user.
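To make the strategy concrete, the following is an added model of one alternating users rotation step (it is not the AWS-provided rotation Lambda, and the `_clone` suffix, the sample secret and the SHOW GRANTS rows are constructed assumptions). It shows how the rotation function picks the alternate user, builds the AWSPENDING secret version, and produces the parameterized statements the superuser credentials would run so that the new password is bound rather than interpolated into SQL.

```python
import re
import secrets
import string

CLONE_SUFFIX = "_clone"  # assumed naming convention for the cloned user


def alternate_username(username: str) -> str:
    """The user whose password is set in this rotation: appuser <-> appuser_clone."""
    if username.endswith(CLONE_SUFFIX):
        return username[: -len(CLONE_SUFFIX)]
    return username + CLONE_SUFFIX


def generate_password(length: int = 32) -> str:
    """CSPRNG password for the pending version; alphabet avoids quote/backslash chars."""
    alphabet = string.ascii_letters + string.digits + "!#$%^&*()-_=+"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def clone_grants(show_grants_rows, source_user: str, clone_user: str):
    """Rewrite SHOW GRANTS output for source_user into GRANT statements for clone_user."""
    pattern = re.compile(r"`%s`@" % re.escape(source_user))
    return [pattern.sub("`%s`@" % clone_user, row) for row in show_grants_rows]


def create_pending_secret(current: dict) -> dict:
    """AWSPENDING version: same host/db/port, alternate username, fresh password."""
    pending = dict(current)  # never mutate the AWSCURRENT version in place
    pending["username"] = alternate_username(current["username"])
    pending["password"] = generate_password()
    return pending


def set_secret_statements(pending: dict, show_grants_rows, clone_exists: bool):
    """(sql, params) pairs executed with the superuser secret; password is a bound parameter."""
    user, host = pending["username"], "%"
    stmts = []
    if not clone_exists:
        # First rotation: create the clone and copy the original user's grants to it.
        stmts.append(("CREATE USER %s@%s IDENTIFIED BY %s", (user, host, pending["password"])))
        stmts += [(g, ()) for g in clone_grants(show_grants_rows, alternate_username(user), user)]
    else:
        # Later rotations: only the alternate user's password changes.
        stmts.append(("ALTER USER %s@%s IDENTIFIED BY %s", (user, host, pending["password"])))
    return stmts


# Constructed sample input: the AWSCURRENT secret and SHOW GRANTS rows for appuser.
SAMPLE_CURRENT = {"engine": "mysql", "host": "db.example.internal", "port": 3306,
                  "dbname": "myDB", "username": "appuser", "password": "EXAMPLE-PASSWORD"}
SAMPLE_GRANTS = ["GRANT USAGE ON *.* TO `appuser`@`%`",
                 "GRANT ALL PRIVILEGES ON `myDB`.* TO `appuser`@`%`"]
```

Because the active user (appuser) is never touched while its clone is being created or updated, clients holding the AWSCURRENT credentials keep working throughout the rotation.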

Permissions

For the tutorial prerequisites, you need administrative permissions to your AWS account. In a production setting, it is a best practice to use different roles for each of the steps. For example, a role with database admin permissions would create the Amazon RDS database, and a role with network admin permissions would set up the VPC and security groups. For the tutorial steps, we recommend you continue using the same identity.

For information about how to set up permissions in a production environment, see Authentication and access control for AWS Secrets Manager.

Prerequisites

The prerequisite for this tutorial is Set up single user rotation for AWS Secrets Manager. Don't clean up the resources at the end of the first tutorial. After that tutorial, you have a realistic environment with an Amazon RDS database and a Secrets Manager secret. The secret contains admin credentials for the database, and it is set up to rotate every 10 days.

You also have a connection configured in MySQL Workbench to connect to the database with the admin credentials.

Step 1: Create an Amazon RDS database user

First, you need a user whose credentials will be stored in the secret.

To create a database user

  1. In MySQL Workbench, choose the connection SecretsManagerTutorial.

  2. In the Query window, enter the following commands (including a strong password) and then choose Execute.

    CREATE DATABASE myDB;
    CREATE USER 'appuser'@'%' IDENTIFIED BY 'EXAMPLE-PASSWORD';
    GRANT ALL PRIVILEGES ON myDB.* TO 'appuser'@'%';

    In the Output window, you see the commands are successful.

Step 2: Create a secret for the user credentials

Next, you create a secret to store the credentials of the user you just created. This is the secret you'll be rotating. You turn on automatic rotation, and to indicate the alternating users strategy, you choose a separate superuser secret that has permission to change the first user's password.

  1. Open the Secrets Manager console at https://console.aws.amazon.com/secretsmanager/.

  2. Choose Store a new secret.

  3. On the Choose secret type page, do the following:

    1. For Secret type, choose Credentials for Amazon RDS database.

    2. For Credentials, enter the username appuser and the password you entered for the database user you created using MySQL Workbench.

    3. For Database, choose secretsmanagertutorialdb.

  4. On the Configure secret page, for Secret name, enter SecretsManagerTutorialAppuser and then choose Next.

  5. On the Configure rotation page, do the following:

    1. Turn on Automatic rotation.

    2. For Rotation schedule, set a schedule of Days: 2 Days with Duration: 2h. Keep Rotate immediately selected.

    3. For Rotation function, choose Create a rotation function, and then for the function name, enter tutorial-alternating-users-rotation.

    4. For Use separate credentials, choose Yes, and then under Secrets, choose SecretsManagerTutorialAdmin-a1b2c3d4e5f6.

    5. Choose Next.

  6. On the Review page, choose Store.

    Secrets Manager returns to the secret details page. At the top of the page, you can see the rotation configuration status.

    Secrets Manager uses CloudFormation to create resources such as the Lambda rotation function and an execution role that runs the Lambda function. When CloudFormation finishes, the banner changes to Secret scheduled for rotation. The first rotation is complete.

Step 3: Test the rotated secret

Now that the secret is rotated, you can check that the secret still contains valid credentials. The password in the secret has changed from the original credentials.

To retrieve the new password from the secret

  1. Open the Secrets Manager console at https://console.aws.amazon.com/secretsmanager/.

  2. Choose Secrets, and then choose the secret SecretsManagerTutorialAppuser.

  3. On the Secret details page, scroll down and choose Retrieve secret value.

  4. In the Key/value table, copy the Secret value for password.

To test the credentials

  1. In MySQL Workbench, right-click the connection SecretsManagerTutorial and then choose Edit Connection.

  2. In the Manage Server Connections dialog box, for Username, enter appuser, and then choose Close.

  3. Back in MySQL Workbench, choose the connection SecretsManagerTutorial.

  4. In the Open SSH Connection dialog box, for Password, paste the password you retrieved from the secret, and then choose OK.

    If the credentials are valid, then MySQL Workbench opens to the design page for the database.

This shows that the secret rotation is successful. The credentials in the secret have been updated, and the new password is valid for connecting to the database.

Step 4: Clean up resources

To avoid potential charges, and to remove the EC2 instance that has access to the internet, delete the following resources you created in this tutorial and its prerequisites:

Next steps