How to write a lambda for a rotating secret (CDK in TypeScript) where the password changes every hour.

import * as secretsmanager from '@aws-cdk/aws-secretsmanager';
import * as iam from '@aws-cdk/aws-iam';

// Secret with a fixed username and a generated password
const templatedSecret = new secretsmanager.Secret(this, 'TemplatedSecret', {
  generateSecretString: {
    secretStringTemplate: JSON.stringify({ username: 'user' }),
    generateStringKey: 'password',
  },
});

new iam.User(this, 'OtherUser', {
  userName: templatedSecret.secretValueFromJson('username').toString(),
  password: templatedSecret.secretValueFromJson('password'),
});

Till now I only have this code, and for reference I have https://docs.aws.amazon.com/cdk/api/latest/docs/aws-secretsmanager-readme.html#rotating-a-secret. But I am confused about how to proceed and complete my desired task.

Gulshan

1 Answer

As your link states, you need to add a schedule to your secret:

const fn = new lambda.Function(...);
const secret = new secretsmanager.Secret(this, 'Secret');

secret.addRotationSchedule('RotationSchedule', {
  rotationLambda: fn,
  automaticallyAfter: Duration.days(15)
});

Modify duration as needed. You also need to create a lambda function (fn) that will handle rotation. It is probably a generic secret that you need, so you should base your sample on this template.

You need to fill in the set_secret and test_secret methods. The set_secret sets the secret in your service. If it is a DB, it calls an API that updates the password of the user. If you don't need it, leave an empty implementation. The test_secret tests that the new secret is operational. An empty implementation will also work.

You also need to add lambda invoke permission for secrets manager. Something like this:

fn.addPermission('allowInvocation', {
  principal: new ServicePrincipal('secretsmanager.amazonaws.com'),
});

In AWS Console, go to Lambda Configuration, scroll down to Resource-based policy and add the following Permission:

(screenshot of the resource-based policy statement, not preserved)

kgiannakakis
  • Your secret was created but configuring rotation has failed. Secrets Manager cannot invoke the specified Lambda function. Ensure that the function policy grants access to the principal secretsmanager.amazonaws.com. (This is the error I am getting.) – Gulshan Nov 11 '21 at 15:05
  • You need to allow invocation from secretsmanager – kgiannakakis Nov 11 '21 at 15:12
  • And Sir, I am trying it on the console now, not on CDK, so while creating the Lambda function I am copying all the code given in SecretsManagerRotationTemplate/lambda_function.py, but it is giving the above error. So please guide me on what changes I need to make to complete this task. – Gulshan Nov 11 '21 at 15:12
  • Grant the permissions with CDK as stated in the answer. – gshpychka Nov 11 '21 at 16:07
  • arn = event['SecretId'], token = event['ClientRequestToken'] (the ClientRequestToken of the secret version), step = event['Step'] (one of createSecret, setSecret, testSecret, or finishSecret). It is asking for these parameters to test the Lambda function. The ARN can be seen in the secret details only; where do I find the other parameters to test the Lambda? – Gulshan Nov 12 '21 at 04:42
  • The event is sent by Secrets Manager when invoking the function. You can try manually rotating the secret from the AWS console. This will trigger the function and you can test it. – kgiannakakis Nov 12 '21 at 06:42
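The four-step protocol behind the answer's set_secret/test_secret paragraph and the event fields (SecretId, ClientRequestToken, Step) asked about in the comments, as an added example that is not the SecretsManagerRotationTemplate itself nor code from the answerer. FakeSecretsManager and the injectable `client` parameter on `handler` are constructed so the flow runs offline; the password comes from Python's `secrets` module rather than the template's get_random_password call, and the Secrets Manager API names used are the real ones (get_secret_value, put_secret_value, update_secret_version_stage).

```python
import json, secrets, string

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()_+-="

def create_secret(client, arn, token):
    """createSecret: stage a new password for this token under AWSPENDING."""
    current = json.loads(client.get_secret_value(SecretId=arn, VersionStage="AWSCURRENT")["SecretString"])
    try:  # idempotency: a retried invocation must not overwrite an already-staged version
        client.get_secret_value(SecretId=arn, VersionId=token, VersionStage="AWSPENDING")
        return
    except client.exceptions.ResourceNotFoundException:
        pass
    current["password"] = "".join(secrets.choice(ALPHABET) for _ in range(32))
    client.put_secret_value(SecretId=arn, ClientRequestToken=token,
                            SecretString=json.dumps(current), VersionStages=["AWSPENDING"])

def finish_secret(client, arn, token):
    """finishSecret: move the AWSCURRENT label onto the pending version."""
    current_id = client.get_secret_value(SecretId=arn, VersionStage="AWSCURRENT")["VersionId"]
    if current_id != token:  # otherwise an earlier invocation already finished
        client.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT",
                                           MoveToVersionId=token, RemoveFromVersionId=current_id)

# setSecret/testSecret are no-ops for a generic secret; a DB-backed one would push/verify the password here
STEPS = {"createSecret": create_secret, "setSecret": lambda c, a, t: None,
         "testSecret": lambda c, a, t: None, "finishSecret": finish_secret}

def handler(event, context, client=None):
    """Lambda entry point; `client` is injectable so the flow can be exercised offline."""
    if client is None:
        import boto3  # only needed inside Lambda
        client = boto3.client("secretsmanager")
    STEPS[event["Step"]](client, event["SecretId"], event["ClientRequestToken"])

class FakeSecretsManager:
    """Constructed in-memory stand-in for the boto3 client (not a real AWS API)."""
    class exceptions:
        class ResourceNotFoundException(Exception): pass
    def __init__(self, secret_string):
        self.versions, self.stages = {"v0": secret_string}, {"AWSCURRENT": "v0"}
    def get_secret_value(self, SecretId, VersionId=None, VersionStage=None):
        vid = VersionId or self.stages.get(VersionStage)
        if vid not in self.versions or (VersionStage and self.stages.get(VersionStage) != vid):
            raise self.exceptions.ResourceNotFoundException(SecretId)
        return {"VersionId": vid, "SecretString": self.versions[vid]}
    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.versions[ClientRequestToken] = SecretString
        self.stages.update({s: ClientRequestToken for s in VersionStages})
    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId=None):
        self.stages[VersionStage] = MoveToVersionId
```

Driving `handler` through the four steps against the fake shows the AWSCURRENT label landing on the new version while the old version stays intact; a manual rotation from the console sends the same four events to the real function.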