Resource permissions needed for automatic password rotation with RDS and secrets-manager

0

I'm using the new auto-rotation for RDS that doesn't require a Lambda function: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_turn-on-for-db.html

The problem I'm facing is that whenever I add a resource permission policy to my secret, the rotation stops working. I've tried giving the cluster complete access in the resource policy. I've also tried giving everyone rotate access, but neither works. I can only get it to work if the resource permission policy is blank, but obviously that's not acceptable.

JeffH72
asked 9 months ago, 307 views
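The first thing to rule out when a resource-based policy on a secret breaks rotation is an explicit Deny that reaches the identity performing the rotation, because in IAM evaluation an explicit Deny overrides every Allow, whatever the identity's own permissions say. The following is an added example, not code from the original thread or from AWS: an offline checker that parses a secret resource policy and reports the Deny statements covering the Secrets Manager calls a rotation typically makes (DescribeSecret, GetSecretValue, PutSecretValue, UpdateSecretVersionStage, RotateSecret). The two sample policies, the account ID and the role ARN are constructed for illustration.

```python
import fnmatch
import json

# Secrets Manager API calls a rotation needs to make against the secret.
# An explicit Deny that reaches the rotating identity on any of them stops
# rotation, because an explicit Deny always overrides an Allow.
ROTATION_ACTIONS = (
    "secretsmanager:DescribeSecret",
    "secretsmanager:GetSecretValue",
    "secretsmanager:PutSecretValue",
    "secretsmanager:UpdateSecretVersionStage",
    "secretsmanager:RotateSecret",
)


def _as_list(value):
    """IAM policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _denied_rotation_actions(statement):
    """Return the rotation actions an explicit Deny statement covers."""
    if statement.get("Effect") != "Deny":
        return set()
    actions = _as_list(statement.get("Action"))
    not_actions = _as_list(statement.get("NotAction"))
    denied = set()
    for needed in ROTATION_ACTIONS:
        if actions and any(_action_matches(p, needed) for p in actions):
            denied.add(needed)
        # NotAction on a Deny denies everything *except* the listed actions
        if not_actions and not any(_action_matches(p, needed) for p in not_actions):
            denied.add(needed)
    return denied


def find_rotation_denies(policy_document):
    """Parse a secret resource policy (JSON string or dict) and list the Deny
    statements that would block rotation, with the principals they hit."""
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        denied = _denied_rotation_actions(stmt)
        if not denied:
            continue
        if "NotPrincipal" in stmt:
            who = "everyone except " + json.dumps(stmt["NotPrincipal"], sort_keys=True)
        else:
            who = json.dumps(stmt.get("Principal"), sort_keys=True)
        findings.append({
            "Sid": stmt.get("Sid", "<no Sid>"),
            "denies_to": who,
            "actions": sorted(denied),
        })
    return findings


# Constructed sample 1: the common "only my app role may touch this secret"
# pattern. The Deny with NotPrincipal hits every identity except the app role,
# including whatever identity performs the rotation (hypothetical ARN).
LOCKDOWN_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowAppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
     "Action": "secretsmanager:GetSecretValue", "Resource": "*"},
    {"Sid": "DenyEveryoneElse", "Effect": "Deny",
     "NotPrincipal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
     "Action": "secretsmanager:*", "Resource": "*"}
  ]
}"""

# Constructed sample 2: the same grant written with an Allow only. Nothing here
# explicitly denies the rotation calls, so this checker reports nothing.
ALLOW_ONLY_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowAppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
     "Action": "secretsmanager:GetSecretValue", "Resource": "*"}
  ]
}"""

if __name__ == "__main__":
    for name, doc in (("lockdown", LOCKDOWN_POLICY), ("allow-only", ALLOW_ONLY_POLICY)):
        print(name, json.dumps(find_rotation_denies(doc), indent=2))
```

The checker only finds explicit Deny statements; a policy with no Deny, such as the second sample, passes it, and a rotation failure under such a policy has to be diagnosed from the rotation identity's own permissions and from the CloudTrail record of the failed call rather than from the resource policy alone.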
1 Answer
0

Can you clarify this please, as the link says:

Secrets Manager uses Lambda functions to rotate secrets.

To rotate a secret, Secrets Manager calls a Lambda function according to the schedule you set up. You can set a schedule to rotate after a period of time, for example every 30 days, or you can create a cron expression. See Schedule expressions. If you also manually update your secret value while automatic rotation is set up, then Secrets Manager considers that a valid rotation when it calculates the next rotation date.

For security, Secrets Manager only permits a Lambda rotation function to rotate the secret directly. The rotation function can't call a second Lambda function to rotate the secret.

EXPERT
answered 9 months ago
