I want to create an AWS Lambda rotation function for an AWS Secrets Manager secret. My database or service doesn't have a prebuilt Secrets Manager rotation function.
Resolution
Prerequisite: Install and configure the AWS Command Line Interface (AWS CLI).
Note: If you receive errors when you run AWS CLI commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Create the code for the Lambda rotation function
For instructions, see Set up automatic rotation for non-database AWS Secrets Manager secrets.
Create an AWS CloudFormation change set based on the generic rotation function template
- Run the create-cloud-formation-change-set AWS CLI command.
- Replace the --stack-name value with the name that you want for the CloudFormation stack.
- In --parameter-overrides, set endpoint to the Secrets Manager Regional endpoint for your AWS Region (for example, https://secretsmanager.us-east-1.amazonaws.com) and set functionName to the name that you want for the Lambda rotation function that the template creates.
- Keep both --capabilities values: CAPABILITY_IAM because the template creates an IAM role for the function, and CAPABILITY_RESOURCE_POLICY because the template adds a resource policy that allows Secrets Manager to invoke the function.
Example of the create-cloud-formation-change-set AWS CLI command:
aws serverlessrepo create-cloud-formation-change-set \
  --application-id arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRotationTemplate \
  --stack-name MyLambdaCreationStack \
  --parameter-overrides Name=endpoint,Value=https://secretsmanager.REGION.amazonaws.com Name=functionName,Value=MySecretsManagerRotationFunction \
  --capabilities CAPABILITY_IAM CAPABILITY_RESOURCE_POLICY
Note: Make sure to use the ARN of arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRotationTemplate exactly as shown.
Use the CloudFormation change set to update a stack
The create-cloud-formation-change-set command returns the ApplicationId, ChangeSetId, SemanticVersion, and StackId values.
Complete the following steps:
- Replace the --change-set-name value with the ChangeSetId value that the previous command returned.
- Wait until the change set is created (for example, with the cloudformation wait change-set-create-complete command), and then run the execute-change-set AWS CLI command:
aws cloudformation execute-change-set --change-set-name arn:aws:cloudformation:region:123456789012:changeSet/EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE/EXAMPLE2-90ab-cdef-fedc-ba987EXAMPLE
The CloudFormation stack creates the Lambda function and an AWS Identity and Access Management (IAM) role. The IAM role has the required permissions for the Lambda function.
Verify the Lambda function creation
Run the list-functions AWS CLI command:
aws lambda list-functions
Output
{
...
"FunctionName": "MySecretsManagerRotationFunction",
...
"FunctionArn": "arn:aws:lambda:region:123456789012:function:MySecretsManagerRotationFunction",
...
}
Note: The FunctionName value matches the function name that you specified in the --parameter-overrides option.
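The three steps above (create the change set, execute it, verify the function) as one script. This is an added example, not code from the AWS article or from the rotation template: the region, stack name and function name are placeholders passed on the command line, and the script keeps the StackId that the change-set call returns so that it never has to guess the stack name.

```shell
#!/bin/sh
# Added example, not from the AWS article: deploy the Serverless Application
# Repository (SAR) rotation template with the AWS CLI, wait for the change set
# and the stack, then verify the function. Region, stack name and function
# name are placeholders supplied on the command line.
set -eu

# ARN of the AWS-published generic rotation template (use it exactly as shown).
SAR_APP_ID="arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRotationTemplate"

# Regional Secrets Manager endpoint for the template's "endpoint" parameter.
# China Regions use the amazonaws.com.cn domain; all others use amazonaws.com.
secretsmanager_endpoint() {
    case "$1" in
        cn-*) printf 'https://secretsmanager.%s.amazonaws.com.cn\n' "$1" ;;
        *)    printf 'https://secretsmanager.%s.amazonaws.com\n' "$1" ;;
    esac
}

deploy_rotation_function() {
    region="$1"; stack_name="$2"; function_name="$3"
    endpoint="$(secretsmanager_endpoint "$region")"

    # Create the change set and keep the identifiers it returns. The stack
    # that SAR creates may not be named exactly --stack-name, so use StackId.
    ids="$(aws serverlessrepo create-cloud-formation-change-set \
        --region "$region" \
        --application-id "$SAR_APP_ID" \
        --stack-name "$stack_name" \
        --parameter-overrides "Name=endpoint,Value=$endpoint" \
                              "Name=functionName,Value=$function_name" \
        --capabilities CAPABILITY_IAM CAPABILITY_RESOURCE_POLICY \
        --query '[ChangeSetId,StackId]' --output text)"
    set -- $ids
    change_set_id="$1"; stack_id="$2"

    # The change set is created asynchronously; wait before executing it.
    aws cloudformation wait change-set-create-complete --region "$region" \
        --change-set-name "$change_set_id"
    aws cloudformation execute-change-set --region "$region" \
        --change-set-name "$change_set_id"
    # The function and its IAM role exist only after the stack completes.
    aws cloudformation wait stack-create-complete --region "$region" \
        --stack-name "$stack_id"

    # Verify by name instead of scanning list-functions output.
    aws lambda get-function --region "$region" --function-name "$function_name" \
        --query 'Configuration.[FunctionName,FunctionArn,Role]' --output text
}

# Usage: sh deploy-rotation-function.sh deploy <region> <stack-name> <function-name>
if [ "${1:-}" = "deploy" ]; then
    deploy_rotation_function "$2" "$3" "$4"
fi
```

The script needs the same IAM permissions as the manual steps (serverlessrepo, cloudformation, iam and lambda) and the AWS CLI configured for the target Region.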
Configure Lambda function access to an Amazon Virtual Private Cloud
If your database or service is in an Amazon Virtual Private Cloud (Amazon VPC), then run the update-function-configuration command to configure the Lambda rotation function to run in the Amazon VPC. Be sure to provide the VPC subnet IDs and security group IDs. For more information, see Giving Lambda functions access to resources in an Amazon VPC.
Note: If your database or service isn't in an Amazon VPC, then skip this step.
Example of the update-function-configuration AWS CLI command:
$ aws lambda update-function-configuration --function-name your-lambda-function \
--vpc-config SubnetIds=subnet-076c28105d486f3bd,subnet-0af00c796ccdc725f,SecurityGroupIds=sg-0aed64f81acc4c037
Create an Amazon VPC endpoint for Secrets Manager
If the Amazon VPC that contains your database or service and the Lambda rotation function doesn't have internet access, then create an interface VPC endpoint for Secrets Manager. The endpoint gives the rotation function a private path to the Secrets Manager API from inside the VPC. Leave private DNS turned on (the default for interface endpoints) so that the Regional hostname that you passed in the endpoint parameter resolves to the VPC endpoint, and make sure that the endpoint's security group allows inbound TCP port 443 from the rotation function's security group. Run the create-vpc-endpoint AWS CLI command.
Note: If your database or service isn't in an Amazon VPC, then skip this step.
$ aws ec2 create-vpc-endpoint --vpc-id vpc-0abb11f5a28a8abe7 --vpc-endpoint-type Interface \
--service-name com.amazonaws.your-region.secretsmanager --subnet-ids subnet-076c28105d486f3bd subnet-0af00c796ccdc725f \
--security-group-ids sg-0bacf4bbed67e4df5
Set up network connectivity between the Lambda function and database or service
Confirm that the Lambda function can route to your database or service over the required network ports. The ports and routing requirements vary based on the database or service and its VPC configuration. Typically, the database's or service's security group must allow inbound traffic on its listening port from the rotation function's security group, and the function's subnets must have a route to the database or service.
Note: If your database or service isn't in an Amazon VPC, then skip this step.
Customize the rotation function for your use case
The rotation template implements the createSecret and finishSecret steps for you. You must modify the Lambda function to implement the setSecret and testSecret steps for your use case and database: setSecret applies the AWSPENDING credentials to the database or service, and testSecret confirms that they work before finishSecret promotes them to AWSCURRENT. Write setSecret so that it is safe to rerun with the same AWSPENDING value, because Secrets Manager can retry a rotation step. For more information, see Four steps in a rotation function.
Turn on rotation for your secret
Run the rotate-secret AWS CLI command. Use --rotation-lambda-arn to specify the rotation function and --rotation-rules with AutomaticallyAfterDays to specify the number of days between rotations. The command also starts a rotation immediately; add --no-rotate-immediately if you want to configure the schedule only.
aws secretsmanager rotate-secret --secret-id production/MyAwesomeAppSecret --rotation-lambda-arn arn:aws:lambda:region:123456789012:function:MySecretsManagerRotationFunction --rotation-rules AutomaticallyAfterDays=7
For more information, see Rotate AWS Secrets Manager secrets.
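The VPC configuration step and the rotation step above, combined into one script. This is an added example, not code from the AWS article: the region, secret ID, function name, rotation interval, subnet IDs and security group IDs are placeholders supplied on the command line or through environment variables. Before calling rotate-secret it checks that the function's resource policy allows the secretsmanager.amazonaws.com service principal to invoke it, because rotate-secret fails when Secrets Manager cannot invoke the function, and afterwards it reads the rotation settings back with describe-secret.

```shell
#!/bin/sh
# Added example, not from the AWS article: optionally attach the rotation
# function to the VPC that holds the target database or service, confirm that
# Secrets Manager is allowed to invoke the function, turn on scheduled rotation
# and read the schedule back. All names and IDs are placeholders.
set -eu

# AutomaticallyAfterDays must be an integer from 1 through 1000.
check_rotation_days() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 1000 ]
}

# Put the function in the VPC and wait until the configuration update is
# finished; an update in progress cannot be invoked reliably.
attach_to_vpc() {
    region="$1"; function_name="$2"; subnet_ids="$3"; sg_ids="$4"
    aws lambda update-function-configuration --region "$region" \
        --function-name "$function_name" \
        --vpc-config "SubnetIds=$subnet_ids,SecurityGroupIds=$sg_ids"
    aws lambda wait function-updated --region "$region" --function-name "$function_name"
}

# Fail early if the function's resource policy does not let the Secrets
# Manager service principal invoke it (get-policy errors when no policy exists).
assert_secretsmanager_can_invoke() {
    region="$1"; function_name="$2"
    aws lambda get-policy --region "$region" --function-name "$function_name" \
        --query Policy --output text \
        | grep -q 'secretsmanager.amazonaws.com' \
        || { echo "No Lambda permission for secretsmanager.amazonaws.com on $function_name" >&2; return 1; }
}

enable_rotation() {
    region="$1"; secret_id="$2"; function_name="$3"; days="$4"
    check_rotation_days "$days" || { echo "days must be an integer from 1 through 1000" >&2; return 1; }

    function_arn="$(aws lambda get-function --region "$region" \
        --function-name "$function_name" \
        --query Configuration.FunctionArn --output text)"
    assert_secretsmanager_can_invoke "$region" "$function_name"

    # rotate-secret also starts a rotation right away; add
    # --no-rotate-immediately to configure the schedule only.
    aws secretsmanager rotate-secret --region "$region" --secret-id "$secret_id" \
        --rotation-lambda-arn "$function_arn" \
        --rotation-rules "AutomaticallyAfterDays=$days"

    # Read the rotation settings back to confirm the schedule took effect.
    aws secretsmanager describe-secret --region "$region" --secret-id "$secret_id" \
        --query '{RotationEnabled:RotationEnabled,RotationLambdaARN:RotationLambdaARN,RotationRules:RotationRules,NextRotationDate:NextRotationDate}' \
        --output json
}

# Usage: sh enable-rotation.sh run <region> <secret-id> <function-name> <days>
# Set SUBNET_IDS and SECURITY_GROUP_IDS (comma-separated) to attach to a VPC first.
if [ "${1:-}" = "run" ]; then
    if [ -n "${SUBNET_IDS:-}" ] && [ -n "${SECURITY_GROUP_IDS:-}" ]; then
        attach_to_vpc "$2" "$4" "$SUBNET_IDS" "$SECURITY_GROUP_IDS"
    fi
    enable_rotation "$2" "$3" "$4" "$5"
fi
```

If the function runs in a VPC without internet access, run this only after the Secrets Manager VPC endpoint exists; otherwise the immediate rotation that rotate-secret triggers fails when the function cannot reach the Secrets Manager API.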
Related information
AWS Secrets Manager rotation function templates
How to connect to AWS Secrets Manager service within a Virtual Private Cloud
AWS services that use AWS Secrets Manager secrets