Resource permissions needed for automatic password rotation with RDS and secrets-manager

0

I'm using the new auto-rotation for RDS that doesn't require a lambda - https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_turn-on-for-db.html

The problem I'm facing is whenever I add a resource permission policy to my secret, the rotation stops working. I've tried giving the cluster complete access in the resource policy. I've also tried giving everyone rotate access but neither works. I can only get it to work if the resource permission policy is blank but obviously that's not acceptable.

1 answer
0

Can you clarify this please, as the link says:

Secrets Manager uses Lambda functions to rotate secrets.

To rotate a secret, Secrets Manager calls a Lambda function according to the schedule you set up. You can set a schedule to rotate after a period of time, for example every 30 days, or you can create a cron expression. See Schedule expressions. If you also manually update your secret value while automatic rotation is set up, then Secrets Manager considers that a valid rotation when it calculates the next rotation date.

For security, Secrets Manager only permits a Lambda rotation function to rotate the secret directly. The rotation function can't call a second Lambda function to rotate the secret.

Expert
answered 9 months ago
