6

I found this rotation function template. I'm going to modify this template to create my own rotation function and tell Secrets Manager to use it to perform the rotation.

My question is which part of the template I should change; it's not very clear in the template. For example, on lines 47-49, should I replace SecretId with my Secret ARN?

arn = event['SecretId']
token = event['ClientRequestToken']
step = event['Step']

Another example: line 57

endpoint_url=os.environ['SECRETS_MANAGER_ENDPOINT']

What value should I use for 'SECRETS_MANAGER_ENDPOINT', maybe 'https://secretsmanager.region.amazonaws.com'??

In addition, line 205-206

# This is where the lambda will validate the user's permissions. Uncomment/modify the below lines to
# tailor these validations to your needs

What exactly do I need to add in this part to grant Secrets Manager permission to call this function?

A bit confused, I've been messing around with the whole credential rotation for almost a whole day; any suggestions will be appreciated.

wawawa

2 Answers

8

You don't need to make any changes to the logic of loading the event or the environmental variables.

Think of it this way. When rotation occurs, Secrets Manager will invoke your lambda. That invocation has an event associated with it, which contains the rotation step, the SecretId of the secret to be rotated, the ClientRequestToken, etc.

You don't need to modify that logic.

With regards to the lambda you need to set an environment variable for the secrets manager endpoint - https://docs.aws.amazon.com/lambda/latest/dg//go-programming-model-env-variables.html

committedandroider
    Hey thank you for the answer, the 'environment variable' you mentioned, where can I set it in Secret Manager console? I couldn't find it... – wawawa Jan 30 '20 at 09:18
    Oh I just realized, do you mean in line 52, change it to ```endpoint_url=os.environ['https://secretsmanager.us-east-1.amazonaws.com']``` ? (I found the region in part of the ARN) – wawawa Jan 30 '20 at 09:31
  • @Cecilia set it an environment variable to use for the lambda – committedandroider Jan 30 '20 at 22:38
    @Cecilia To set environment variables in the lambda console - https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html – committedandroider Jan 30 '20 at 22:39
  • Thanks, I've sorted the env variable, now it gave me new error about my Lambda execution role, but this question is done, thank you. – wawawa Jan 31 '20 at 10:46
  • I found error in cloudwatch logs and I created a new question for that, it took me a whole morning but still no clue what's going on, would be great if you can have a look, this is the link: https://stackoverflow.com/questions/60002949/question-about-lambda-execution-role-when-configuring-credential-rotation-for-se – wawawa Jan 31 '20 at 13:12
3

As @committedandroider said, you do not need to modify lines 47-49 because that is passed to the Lambda call by the Secrets Manager rotation engine, and line 57 is set as an environment variable on the Lambda function when you create the function (and yes, you should set it to https://secretsmanager.REGION.amazonaws.com).

The Secrets Manager rotation engine will call the lambda four times with a different step value (createSecret, setSecret, testSecret, and finishSecret) each time. The lines 205-206 are part of the testSecret step and are meant to test the new database credentials by establishing a connection to the DB (using the new creds) and running a simple query. The comment is telling you that you can add more checks in there if you like (e.g. doing a select from a table you really care about).

To give Secrets Manager permissions to run the Lambda you must add permissions to the Lambda function granting the service principal secretsmanager.amazonaws.com lambda:InvokeFunction permissions. For example:

aws --region REGION lambda add-permission --function-name LAMBDANAME --statement-id "Rotation" --action "lambda:InvokeFunction" --principal secretsmanager.amazonaws.com

Where REGION is the AWS region you are using and LAMBDANAME is the name you gave the lambda.

JoeB
  • Thanks for the answer, the command you mentioned before is for granting the permission, but you didn't mention how to use it, I'm very new to AWS, should I add it in the template or something else? – wawawa Jan 30 '20 at 09:21
  • Sorry for multiple comments, I noticed in AWS documents, for unsupported databases, we use this command to add permission (ref: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-create-generic-template.html) I'm just wondering if I still need to use this for mySQL database since I'm using the template for MySQL instead of the generic template for unsupported databases. – wawawa Jan 30 '20 at 11:03
  • I've created the function and executed the command, everything seems fine now, just wondering if there a way to test it? I tried to enable the rotation by using existing function in Secrets Manager but I couldn't find this function, am I missing something? – wawawa Jan 30 '20 at 13:40
  • If you are new to AWS, I suggest you set up rotation through the Secrets Manager console. This will create the lambda, env variable, policies, and set all the permissions you need. The only thing you will have to watch out for is to make sure your lambda can connect to your DB. If you have problems, you can go to the Lambda console, click on the rotation function, and then view the logs for the lambda. They should show you what is failing. – JoeB Jan 30 '20 at 22:45