AWS managed RDS password rotation


Background: I have an "Aurora MySQL" cluster with "Credentials management" set to "Managed in AWS Secrets Manager".

My service is a Spring Boot service that takes the DB password via ENV vars on loading. When a rotation happens I need to restart my service to get the new password. I have seen solutions for this via "aws-secretsmanager-jdbc". We will be developing this soon.

In the meantime I want to disable/change the rotation schedule. I have looked in all the AWS docs, for example: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/rds-secrets-manager.html. I can't find the exact thing I am looking for.

The question: From my understanding I should just change the rotation schedule in Secrets Manager, under "Rotation configuration". I have not found an answer to the question: can I modify this here, or is it managed by RDS and I will break some behavior? The main reason I am concerned is that when I come to edit the rotation I see "Amazon RDS (rds) manages rotation for this secret, so you don't need to choose a Lambda rotation function."

TL;DR: How do I stop RDS password rotation for a prod "Aurora MySQL" cluster set to have the password "Managed in AWS Secrets Manager"? Can I change the setting in Secrets Manager itself, or will that break something?

1 Answer
Accepted Answer

To stop RDS password rotation for an Aurora MySQL cluster managed in AWS Secrets Manager, you need to adjust the rotation settings in Secrets Manager. Here's what you can do:

1. Navigate to AWS Secrets Manager in the AWS Management Console.

2. Find the secret corresponding to your Aurora MySQL cluster's credentials.

3. Select the secret and click on "Rotation configuration".

4. Disable rotation by selecting "Disable automatic rotation".

Save your changes. This should stop the automatic password rotation for your RDS instance. Disabling rotation won't break anything, but it's essential to ensure that your application's connection settings are updated accordingly. Since you're managing the password in your Spring Boot service via environment variables, you'll need to manually update the password there if it changes in the future.

Once you've implemented the manual rotation solution with "aws-secretsmanager-jdbc", you can revisit Secrets Manager to enable rotation again if needed.

https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Tagging.html
https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html

answered a month ago
reviewed a month ago
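As an added illustration (not code from the question or the answer), here is the application-side pattern the asker is planning to adopt via aws-secretsmanager-jdbc: cache the credentials read from the secret, and when the database rejects them, re-read the secret once and retry, so a rotation no longer forces a restart. The secret fetcher is injected and backed by an in-memory fake so the example runs offline; in production it would be a boto3 `get_secret_value` call against the cluster's managed secret. Assumptions: the secret string is JSON with `username` and `password` keys (the shape RDS writes for a managed master-user secret), and all class and function names here are hypothetical. To exercise the real path once wired up, `aws rds modify-db-cluster --db-cluster-identifier <id> --rotate-master-user-password` forces an immediate rotation.

```python
"""Refresh-on-auth-failure handling for a Secrets Manager managed DB password.

Added example, not code from the page. Hypothetical names throughout.
"""
import json
from dataclasses import dataclass
from typing import Callable, Optional


class AuthError(Exception):
    """Raised by the (hypothetical) driver when the DB rejects the credentials."""


@dataclass(frozen=True)
class Credentials:
    username: str
    password: str


class RotatingCredentialSource:
    """Caches credentials parsed from a secret and re-reads them on demand.

    fetch_secret_string stands in for boto3's
    client.get_secret_value(SecretId=...)["SecretString"] (assumption).
    """

    def __init__(self, fetch_secret_string: Callable[[], str]):
        self._fetch = fetch_secret_string
        self._cached: Optional[Credentials] = None
        self.refreshes = 0  # how many times a rotation forced a re-read

    def current(self) -> Credentials:
        if self._cached is None:
            self._cached = self._load()
        return self._cached

    def refresh(self) -> Credentials:
        self._cached = self._load()
        self.refreshes += 1
        return self._cached

    def _load(self) -> Credentials:
        # Assumed secret shape: {"username": "...", "password": "..."}
        data = json.loads(self._fetch())
        return Credentials(data["username"], data["password"])


def connect_with_refresh(source: RotatingCredentialSource,
                         open_connection: Callable[[str, str], object],
                         max_attempts: int = 2):
    """Try the cached password; on AuthError re-read the secret and retry.

    Only AuthError triggers a refresh: network or other errors must not
    hammer Secrets Manager, and after max_attempts the error is surfaced.
    """
    creds = source.current()
    for attempt in range(max_attempts):
        try:
            return open_connection(creds.username, creds.password)
        except AuthError:
            if attempt == max_attempts - 1:
                raise
            creds = source.refresh()


# --- constructed fakes so the flow runs offline -----------------------------

class FakeSecretStore:
    """Stands in for the RDS-managed secret; rotate() mimics an RDS rotation."""

    def __init__(self, username: str, password: str):
        self.username, self.password = username, password
        self.get_calls = 0

    def rotate(self, new_password: str) -> None:
        self.password = new_password

    def get_secret_value(self) -> str:
        self.get_calls += 1
        return json.dumps({"username": self.username, "password": self.password})


class FakeDatabase:
    """Accepts only the password currently held in the secret store."""

    def __init__(self, store: FakeSecretStore):
        self.store = store

    def connect(self, username: str, password: str) -> str:
        if username != self.store.username or password != self.store.password:
            raise AuthError("Access denied")
        return f"connection as {username}"


def demo():
    store = FakeSecretStore("admin", "initial-secret")
    db = FakeDatabase(store)
    source = RotatingCredentialSource(store.get_secret_value)
    first = connect_with_refresh(source, db.connect)
    store.rotate("rotated-secret")  # an RDS-managed rotation happens
    second = connect_with_refresh(source, db.connect)  # rejected, refreshed, retried
    return first, second, source.refreshes, store.get_calls


if __name__ == "__main__":
    print(demo())
```

The point is that the password is never baked into an environment variable: it is read from the secret at first use and re-read only when the database says it is stale, which is exactly the event a rotation produces.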
