Secrets Manager

Secrets Manager uses a Lambda function to rotate the secret for a secured service or database. Event-driven and synchronous invocation

Request

Request structure

{
  "Step" : "request.type",
  "SecretId" : "string",
  "ClientRequestToken" : "string"
}

Request fields

Step (String)

One of createSecret, setSecret, testSecret or finishSecret

• createSecret - The first step of rotation is to create a new version of the secret. Depending on your rotation strategy, the new version can contain a new password, a new username and password, or more secret information. Secrets Manager labels the new version with the staging label AWSPENDING.
• setSecret - Second step, rotation changes the credentials in the database or service to match the new credentials in the AWSPENDING version of the secret.
• testSecret - Third step, rotation tests the AWSPENDING version of the secret by using it to access the database or service.
• finishSecret - Final step, rotation moves the label AWSCURRENT from the previous secret version to this version. Secrets Manager adds the AWSPREVIOUS staging label to the previous version, so that you retain the last known good version of the secret.

SecretId (String)

The secret ARN or other identifier

ClientRequestToken (String)

The ClientRequestToken of the secret version

Example createSecret event

{
  "ClientRequestToken": "51f72378-6a5d-5dc7-8fd8-29e4319f482a",
  "SecretId": "arn:aws:secretsmanager:us-east-2:111122223333:secret:DatabaseSecret",
  "Step": "createSecret"
}

Response

N/A

Resources

• Typescript - SecretsManagerRotationEvent - NPM @types/aws-lambda
• Java - SecretsManagerRotationEvent
• Python - Secrets Manager rotation function templates

Documentation

• Using AWS Lambda with Secrets Manager
• How log rotation works
• Customize a Lambda rotation function for Secrets Manager