AWS secrets manager, 'A previous rotation isn’t complete' when rotating secrets

有刺的猬 2021-02-05 19:01

I've created a secret and updated it to have a lambda rotation function

My secret looks like

aws secretsmanager list-secret-version-ids --secret-id envi

5 answers
  •  时光说笑
    2021-02-05 19:59

    Just a note for people in future who might get the same error...

    If you are using the AWS Secrets Manager to rotate an Amazon RDS password, the Secrets Manager will automatically create a Lambda function. This function requires:

    • Access to the Internet (to call the Secrets Manager) OR a VPC endpoint for the Secrets Manager service in the subnet/subnets associated with the lambda function
    • Access to the RDS instance (to log in and change the password)

    As such, the following combinations work:

    • Publicly accessible database (bad for security) with a Lambda function that is not attached to a VPC, OR
    • The Lambda function in a private subnet with a NAT Gateway in the public subnet (so the Lambda function can access the Internet) OR an Elastic IP Address attached to the Lambda function's ENI

    Also, the Security Group attached to the database needs to permit inbound access from the Lambda function. By default, the Lambda function is assigned the same security group as used by the database, so either:

    • Edit the database security group to permit inbound connections from itself (that is, from Lambda to the database via the same security group), OR
    • Change the security group that is used by the Lambda function to one that is currently permitted to access the database security group

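A check for the two requirements listed in the answer above, written as an added example (not code from the original post or from AWS): it reads dicts shaped like the boto3 responses for the Lambda's VpcConfig, the route tables, the VPC endpoints and the database security group, all constructed inline here, and reports which requirement fails.

```python
# Added example (not from the original post). Inputs are dicts shaped like the boto3
# responses of lambda.get_function_configuration, ec2.describe_route_tables,
# ec2.describe_vpc_endpoints and ec2.describe_security_groups; sample values are constructed.

def check_rotation_network(lambda_cfg, route_tables, endpoints, db_sg, db_port=3306):
    """Return a list of 'code: detail' findings; an empty list means both requirements hold."""
    findings = []
    vpc = lambda_cfg.get("VpcConfig") or {}
    subnets = set(vpc.get("SubnetIds", []))
    lambda_sgs = set(vpc.get("SecurityGroupIds", []))
    if not subnets:  # not attached to a VPC: Secrets Manager reachable, only a public DB is
        return ["lambda-not-in-vpc: only a publicly accessible database is reachable"]

    # Requirement 1: every Lambda subnet needs a 0.0.0.0/0 route via a NAT gateway
    # or an interface endpoint for Secrets Manager placed in that subnet.
    nat_subnets, endpoint_subnets = set(), set()
    for rt in route_tables:
        if any(r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("NatGatewayId")
               for r in rt.get("Routes", [])):
            nat_subnets |= {a["SubnetId"] for a in rt.get("Associations", []) if "SubnetId" in a}
    for ep in endpoints:
        if ep.get("ServiceName", "").endswith(".secretsmanager"):
            endpoint_subnets |= set(ep.get("SubnetIds", []))
    unreachable = subnets - nat_subnets - endpoint_subnets
    if unreachable:
        findings.append(f"no-secretsmanager-path: {sorted(unreachable)} have neither a NAT route nor a Secrets Manager endpoint")

    # Requirement 2: the DB security group must allow inbound on db_port from one of the
    # Lambda's security groups (a self-referencing rule when both share the same SG).
    allowed = set()
    for perm in db_sg.get("IpPermissions", []):
        covers_port = perm.get("IpProtocol") == "-1" or (
            perm.get("FromPort", 0) <= db_port <= perm.get("ToPort", 65535))
        if covers_port:
            allowed |= {p["GroupId"] for p in perm.get("UserIdGroupPairs", [])}
    if not lambda_sgs & allowed:
        findings.append(f"db-sg-blocks-lambda: {db_sg['GroupId']} has no inbound rule on port {db_port} from {sorted(lambda_sgs)}")
    return findings


# Constructed sample: the Lambda shares sg-db with the database (the default the answer
# describes), sits in two private subnets, and only subnet-a routes through a NAT gateway.
LAMBDA_CFG = {"VpcConfig": {"SubnetIds": ["subnet-a", "subnet-b"], "SecurityGroupIds": ["sg-db"]}}
ROUTE_TABLES = [{"Associations": [{"SubnetId": "subnet-a"}],
                 "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1"}]}]
SM_ENDPOINT = {"ServiceName": "com.amazonaws.us-east-1.secretsmanager", "SubnetIds": ["subnet-b"]}
DB_SG_BROKEN = {"GroupId": "sg-db", "IpPermissions": []}
DB_SG_FIXED = {"GroupId": "sg-db", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "UserIdGroupPairs": [{"GroupId": "sg-db"}]}]}
```

Calling check_rotation_network(LAMBDA_CFG, ROUTE_TABLES, [], DB_SG_BROKEN) reports both failures; adding SM_ENDPOINT and using DB_SG_FIXED returns an empty list.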