Aurora Serverless password rotation setup using CloudFormation (and Lambda rotation templates)

AWS has Fully Configured and Ready-to-Use Rotation Support for some supported RDS engines, including Amazon Aurora (Serverless also?)

I'm trying to set up the password rotation in my CloudFormation template using AWS::SecretsManager::RotationSchedule (note that this is not a fully functional template, only an illustration):

  DBCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      Engine        : aurora
      EngineMode    : serverless
      EngineVersion : 5.6.10a

  # Master credentials: GenerateSecretString only produces the keys in the
  # template (username) plus the generated password.
  Secret:
    Type: AWS::SecretsManager::Secret
    Properties:
      GenerateSecretString:
        SecretStringTemplate: '{"username": "admin"}'
        GenerateStringKey: password
        PasswordLength: 20
        ExcludeCharacters: '"@/\'

  # Links the secret to the cluster; this is what adds engine/host/port to the secret value.
  SecretTargetAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref Secret
      TargetId: !Ref DBCluster
      TargetType: AWS::RDS::DBCluster

  SecretRotation:
    Type: AWS::SecretsManager::RotationSchedule
    Properties:
      SecretId: !Ref Secret   # logical ID of the secret defined above
      RotationLambdaARN: <ARN_GET_FROM_SERVERLESS_APPLICATION_REPOSITORY>
      RotationRules:
        AutomaticallyAfterDays: 1

But the AWS Lambda rotation function fails with the following message:

"Database engine must be set to 'mysql' in order to use this rotation lambda": KeyError

Looks like Aurora Serverless is not supported by the AWS Lambda rotation function provided by AWS.

Is there an easy way to set up Aurora Serverless secret rotation using existing Lambda rotation templates?

Any example available to write my own rotation function for Aurora Serverless?

PS: This question is kind of related to Creating an Aurora Serverless Cluster from cloudformation?

The RotationSchedule resource has a dependency on the SecretTargetAttachment resource. The attachment resource updates your secret-string value to contain connection information such as DB engine, port and endpoint.

Unfortunately, there is no way for CloudFormation to know about this implicit dependency between the two resources. You need to put a DependsOn on the RotationSchedule resource with the attachment resource's logical id.

See the RotationSchedule resource in this example - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html#aws-resource-secretsmanager-rotationschedule--examples


I was able to setup secrets rotation for Aurora Serverless using AWS Fully Configured and Ready-to-Use Rotation Support: aws-secrets-manager-rotation-lambdas/SecretsManagerRDSPostgreSQLRotationSingleUser/

I was getting the same error mentioned in the Q above. I found out that in my secret the "engine": "postgres" setting was missing. After adding the setting as below, it started working:

{
  "username": "XXXX",
  "password": "XXXXXXXXXX",
  "engine": "postgres",
  "host": "db.cluster-XXXX.us-XXXX-X.rds.amazonaws.com",
  "port": 5432,
  "dbClusterIdentifier": "XXXXX"
}
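As an added illustration (not code from the question, the answers or AWS), the following Python mirrors the precondition checks that the AWS single-user RDS rotation templates apply to the secret value before connecting, which is where the KeyError quoted in the question comes from: a secret holding only the GenerateSecretString keys fails, while one populated by SecretTargetAttachment (as in the answer above) passes. The sample secret values are constructed, and the exact wording and port defaults are assumptions modelled on the published templates.

```python
import json

# Assumption: modelled on the validation in the AWS SecretsManagerRDSMySQL/
# PostgreSQL RotationSingleUser templates; details may differ by version.
REQUIRED_FIELDS = ("host", "username", "password")
DEFAULT_PORTS = {"mysql": 3306, "postgres": 5432}


def validate_rotation_secret(secret_string, expected_engine):
    """Parse a SecretString and apply the rotation function's preconditions.
    Raises KeyError (as the templates do) or returns the parsed dict."""
    secret = json.loads(secret_string)
    if secret.get("engine") != expected_engine:
        raise KeyError("Database engine must be set to '%s' in order to use "
                       "this rotation lambda" % expected_engine)
    for field in REQUIRED_FIELDS:
        if field not in secret:
            raise KeyError("%s key is missing from secret JSON" % field)
    # The templates fall back to the engine's default port when none is stored.
    secret.setdefault("port", DEFAULT_PORTS[expected_engine])
    return secret


def preflight(secret_string, expected_engine):
    """Return (ok, message) so the check can run before a RotationSchedule
    is enabled, e.g. from a deploy step that reads the stored secret value."""
    try:
        validate_rotation_secret(secret_string, expected_engine)
        return True, "secret is rotation-ready"
    except KeyError as exc:
        return False, exc.args[0]  # plain message, without KeyError's quoting


# Constructed sample values, not real credentials or endpoints.
# Before attachment: only the keys GenerateSecretString produces.
UNATTACHED = json.dumps({"username": "admin", "password": "constructed-pw"})
# Engine present but connection details still missing.
ENGINE_ONLY = json.dumps({"username": "admin", "password": "constructed-pw",
                          "engine": "mysql"})
# After SecretTargetAttachment has added the cluster connection details.
ATTACHED = json.dumps({"username": "admin", "password": "constructed-pw",
                       "engine": "mysql", "port": 3306,
                       "host": "db.cluster-example.us-east-1.rds.amazonaws.com",
                       "dbClusterIdentifier": "example-cluster"})

if __name__ == "__main__":
    for label, value in (("unattached", UNATTACHED), ("engine only", ENGINE_ONLY),
                         ("attached", ATTACHED)):
        ok, msg = preflight(value, "mysql")
        print("%s: %s (%s)" % (label, "OK" if ok else "FAIL", msg))
```

Running the rotation schedule before the attachment has written these fields is exactly the ordering problem a DependsOn on the attachment resource prevents.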


I faced a similar error when setting the PostgreSQL parameters "password_encryption: 'scram-sha-256'"

The solution was to drop the entire CloudFormation stack and recreate it with MD5. (Updating the value did not resolve the error.)

Also, if the Lambda log shows a timeout with no other errors, increasing the Lambda function timeout from the default 30 seconds to 60 seconds should resolve the issue.






Comments
  • I don't know why you get a +1; this is not answering the question about Aurora Serverless
  • What you have is correct. Add this line to your RotationSchedule resource - "DependsOn: SecretTargetAttachment"
  • @YvesM. Hi, I'm having a similar issue now; my DB engine is also Aurora MySQL. Just wondering if you have solved this issue; can you share the function template? Thanks in advance.
  • @Cecilia I haven't solved the problem yet; my password rotation is disabled. But I will investigate to craft a solution one day. Let me know if you find a ready-to-use solution.
  • @YvesM. I actually found a potential solution, cracking on it at the moment. It should work if you are also using the Aurora MySQL engine: we can just use the rotation function template for the MySQL DB, so instead of using CloudFormation, we can create a function manually (check this template github.com/aws-samples/aws-secrets-manager-rotation-lambdas/…), then tell Secrets Manager to call this function to perform rotation. Let me do some experiments first.
  • It looks more like a comment than an answer. Once you have sufficient reputation you will be able to comment on any post