My AWS Lambda rotation function failed for AWS Secrets Manager with a “Database engine must be set to 'postgres'/'mysql'” error.
Short description
You might receive this error if you are using a multiuser AWS Lambda rotation function for user credentials.
Note: This error applies only to two database types for Amazon Relational Database Service (Amazon RDS) which are Amazon Aurora PostgreSQL-Compatible Edition and Amazon Aurora MySQL-Compatible Edition.
The error occurs in the setSecret step of the Lambda rotation function for the Amazon RDS database credentials.
Resolution
Edit the Lambda rotation function if you made changes to the function code, or create a new rotation if you didn't make changes.
Option 1: Edit the rotation function code
-
Open the Lambda console.
-
In the navigation pane, choose Functions, and then choose the Lambda function name.
-
Choose the Actions dropdown list, choose Export function, and then choose Download deployment package.
-
Extract the files from the downloaded .zip file.
-
In your Visual Studio Code IDE, open the lambda_function.py file.
-
In the get_secret_dict() helper function, replace if secret_dict['engine'] != 'mysql': with the following code:
supported_engines = ["mysql", "aurora-mysql"]
if secret_dict['engine'] not in supported_engines:
-
Zip the contents of the .zip folder with the updated lambda_function.py file.
-
In the Lambda console, on the Code tab, choose the Upload from dropdown list, choose .zip file, and then choose the new .zip folder from step 7.
Option 2: Create a new rotation function
- Open the Secrets Manager console.
- On the Secrets page, choose your secret name.
- On the Secret details page, in the Rotation configuration section, choose Edit rotation.
- In the Edit rotation configuration dialog box, follow the instructions in step 3e. to configure the secret for rotation.
- For Use separate credentials to rotate this secret, choose Yes.
- In Secrets, choose the secret for the Amazon RDS or Amazon Aurora primary database credentials.
- Choose Save.
- (Optional) If the previous Lambda rotation function is attached to multiple secrets, you can use the new function for those secrets.
For each secret, open the Secret details page, and then in the Rotation configuration section, choose Edit rotation. In the Edit rotation configuration dialog box, for Lambda rotation function, choose the new rotation function, and then choose Save.
- After you switch all secrets to the new Lambda rotation function, in the Lambda console, delete the previous rotation Lambda function.
Related information
How do I create a rotation function with an AWS Secrets Manager secret for an unsupported database?
Improve security of Amazon RDS primary database credentials using AWS Secrets Manager