First of all, I have followed many Medium articles and AWS documentation before coming here to Stack Overflow and could not clear up my doubt. I have been trying to understand the key rotation of Secrets Manager, and I have an understanding of how it would work with an AWS-supported service such as an RDS database. My caveat is understanding when it comes to storing another secret. Let's say that I am trying to store the MongoDB password in Secrets Manager; would it be possible for me to rotate the key in this scenario? According to my understanding, I won't, since whenever you change the secret, you won't be able to log in to MongoDB through your application even if you use a custom Lambda function to rotate them. The only workaround is that you need to manually go to MongoDB and change the password to the new rotated password. Maybe I am not getting it correctly; could somebody please help me to get rid of this confusion? Thank you in advance.
- If your question is about automation/rotation of password replication from Secrets Manager to AWS RDS, then please refer to [this](https://stackoverflow.com/a/54882294/14843902). To change the password also on the application side that connects to the same AWS RDS DB instance, that needs to be handled by some automation that changes the application configuration file with the DB password, or by logic in the application code using the AWS SDK to read the latest value from AWS Secrets Manager. – amitd Jan 20 '21 at 19:16
- @amitd let's take the hypothetical example of MongoDB hosted on a local machine. In that case you could never rotate the keys unless you have some automatic way to handle the password update that could be triggered, for example, from a Lambda. Right? – hEShaN Jan 20 '21 at 19:22
- Correct. Automated key rotation involves triggering an AWS Lambda function. That Lambda function would be responsible for connecting to the existing system (using the existing password) and also for changing the password to the new secret. In your example of a local machine with no accessible API, the Lambda function would be unable to change the password. It would need to be done manually. – John Rotenstein Jan 20 '21 at 22:32
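The flow described in the last comment, as an added example that is not part of the question or the comments: a minimal Python rotation handler following the four-step Secrets Manager rotation protocol (`createSecret`, `setSecret`, `testSecret`, `finishSecret`), applied to a self-hosted MongoDB. The boto3 Secrets Manager client and the MongoDB admin session are replaced by constructed in-memory stand-ins (`FakeSecretsManager`, `FakeMongo`) that keep the real call shapes so the example runs offline; `rotate` is the handler body, and `run_rotation` drives the four steps in the order Secrets Manager would invoke them.

```python
import json, secrets, string

class FakeSecretsManager:
    """Constructed in-memory stand-in for the boto3 secretsmanager client (same call shapes)."""
    def __init__(self, current):
        self.v = {"v0": [json.dumps(current), {"AWSCURRENT"}]}  # version id -> [SecretString, stages]
    def get_secret_value(self, SecretId, VersionStage, VersionId=None):
        vid = VersionId or next(k for k, (_, st) in self.v.items() if VersionStage in st)
        return {"SecretString": self.v[vid][0]}
    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.v[ClientRequestToken] = [SecretString, set(VersionStages)]
    def describe_secret(self, SecretId):
        return {"VersionIdsToStages": {k: list(st) for k, (_, st) in self.v.items()}}
    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId):
        self.v[RemoveFromVersionId][1].discard(VersionStage)
        self.v[MoveToVersionId][1].add(VersionStage)

class FakeMongo:
    """Constructed stand-in for a MongoDB admin session; a real handler would use pymongo here."""
    def __init__(self, users): self.users = dict(users)  # username -> password
    def connect(self, username, password):  # fails the same way a real authentication failure would
        if self.users.get(username) != password: raise PermissionError("auth failed")
        return self
    def update_user(self, username, password): self.users[username] = password

def rotate(event, sm, mongo):
    """One invocation of the rotation Lambda; Secrets Manager calls it once per Step."""
    arn, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    current = json.loads(sm.get_secret_value(SecretId=arn, VersionStage="AWSCURRENT")["SecretString"])
    if step == "createSecret":   # stage a new password as AWSPENDING; the old one stays AWSCURRENT
        new = dict(current, password="".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(32)))
        sm.put_secret_value(SecretId=arn, ClientRequestToken=token, SecretString=json.dumps(new), VersionStages=["AWSPENDING"])
        return
    pending = json.loads(sm.get_secret_value(SecretId=arn, VersionId=token, VersionStage="AWSPENDING")["SecretString"])
    if step == "setSecret":      # log in with the still-valid password, then change it in MongoDB
        mongo.connect(current["username"], current["password"]).update_user(pending["username"], pending["password"])
    elif step == "testSecret":   # prove the new credential works before promoting it
        mongo.connect(pending["username"], pending["password"])
    elif step == "finishSecret": # move AWSCURRENT to the new version; the old password is now stale
        old = next(v for v, st in sm.describe_secret(SecretId=arn)["VersionIdsToStages"].items() if "AWSCURRENT" in st)
        sm.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT", MoveToVersionId=token, RemoveFromVersionId=old)
    else:
        raise ValueError("unknown step " + step)

def run_rotation(sm, mongo, token="v1"):
    """Drive all four steps as Secrets Manager would; returns the new AWSCURRENT secret."""
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        rotate({"SecretId": "arn:example", "ClientRequestToken": token, "Step": step}, sm, mongo)
    return json.loads(sm.get_secret_value(SecretId="arn:example", VersionStage="AWSCURRENT")["SecretString"])
```

The setSecret step is the one that needs network reachability from the Lambda to the database; if the database has no reachable admin API, that step cannot run and the password must be changed by hand, which is the situation the last comment describes.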