Tags: python, aws-lambda, aws-secrets-manager

How to automate secret generation/rotation in aws?


I am creating a Secrets Manager resource via Terraform (sample code below). I looked up a few examples and understand that I can hook this resource up with a Lambda for key rotation, which will generate a random secret and store it. Is there already an inbuilt Lambda/code to do this in AWS? Also, when the Lambda does the rotation, does it immediately expire the old key, or can we set the time such that it only expires after a certain number of days? I assume the timeline can be set via the Lambda or Terraform. Some examples would be helpful.

resource "aws_secretsmanager_secret" "example" {
  name = "example"
}

Solution

  • Use another resource, AWS::SecretsManager::RotationSchedule, to set the rotation schedule settings.

    MySecretRotationSchedule:
      Type: AWS::SecretsManager::RotationSchedule
      DependsOn: MyRotationLambda
      Properties:
        SecretId: !Ref MySecret
        RotationLambdaARN: !GetAtt MyRotationLambda.Arn
        RotationRules:
          Duration: 2h
          ScheduleExpression: 'cron(0 1 * * ? *)'
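The rotation Lambda the question asks about, as an added example that is not from the question or the answer and goes beyond the answer's schedule configuration: it implements the four steps Secrets Manager invokes (createSecret, setSecret, testSecret, finishSecret) for a self-generated random secret and shows that finishing a rotation does not expire the old value, which stays readable under the AWSPREVIOUS staging label until the next rotation replaces it. The `FakeSecretsManager` class is a constructed in-memory stand-in that mirrors the boto3 `secretsmanager` method names and keyword arguments used here; a deployed handler would receive `boto3.client("secretsmanager")` as `client` instead, and the `rotate` driver only imitates the service calling each step in turn.

```python
import secrets

class FakeSecretsManager:
    """In-memory stand-in for boto3.client("secretsmanager"), constructed for this example."""
    def __init__(self, current_value):
        self.versions = {"v0": current_value}   # version id -> secret string
        self.stages = {"AWSCURRENT": "v0"}      # staging label -> version id

    def describe_secret(self, SecretId):
        return {"VersionIdsToStages": {vid: [s for s, v in self.stages.items() if v == vid]
                                       for vid in self.versions}}

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        vid = self.stages[VersionStage]
        return {"VersionId": vid, "SecretString": self.versions[vid]}

    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.versions[ClientRequestToken] = SecretString
        for label in VersionStages:
            self.stages[label] = ClientRequestToken

    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId):
        if VersionStage == "AWSCURRENT":                     # as the real service does: the version
            self.stages["AWSPREVIOUS"] = RemoveFromVersionId  # losing AWSCURRENT becomes AWSPREVIOUS
        self.stages[VersionStage] = MoveToVersionId

def lambda_handler(event, context, client):
    """Rotation entry point; Secrets Manager calls it once per step with the same token."""
    arn, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    if step == "createSecret":
        # Idempotent: on a retried step the AWSPENDING version for this token already exists.
        if token not in client.describe_secret(SecretId=arn)["VersionIdsToStages"]:
            client.put_secret_value(SecretId=arn, ClientRequestToken=token,
                                    SecretString=secrets.token_urlsafe(32),
                                    VersionStages=["AWSPENDING"])
    elif step in ("setSecret", "testSecret"):
        pass  # a standalone random secret has no downstream system to update or verify
    elif step == "finishSecret":
        current = client.get_secret_value(SecretId=arn, VersionStage="AWSCURRENT")["VersionId"]
        if current != token:                               # promote AWSPENDING -> AWSCURRENT
            client.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT",
                                               MoveToVersionId=token, RemoveFromVersionId=current)

def rotate(client, secret_id, token):
    """Drive the four steps in order, as the service would; return (current, previous) values."""
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        lambda_handler({"SecretId": secret_id, "ClientRequestToken": token, "Step": step}, None, client)
    return (client.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")["SecretString"],
            client.get_secret_value(SecretId=secret_id, VersionStage="AWSPREVIOUS")["SecretString"])
```

Secrets Manager itself only relabels versions at finishSecret; whether the old credential still works in a downstream system (a database user, for instance) depends on what setSecret does there.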