
Comments (6)

markussiebert avatar markussiebert commented on August 18, 2024 1

Need this too! Would implement this, but need to know where the template resides

from aws-secrets-manager-rotation-lambdas.

joebaro avatar joebaro commented on August 18, 2024

Thank you for your feedback. We have noted this as a feature request.

from aws-secrets-manager-rotation-lambdas.

ArielPrevu3D avatar ArielPrevu3D commented on August 18, 2024

Any plans on making this happen? Currently, the rotation applications are only useful if you want to give developers all access to the AWS account, which is often not possible.

from aws-secrets-manager-rotation-lambdas.

Saberos avatar Saberos commented on August 18, 2024

Are the SAM templates available anywhere to provide PRs on?

from aws-secrets-manager-rotation-lambdas.

asifma avatar asifma commented on August 18, 2024

Can you please apply Globals.Function.PermissionsBoundary to the SAM Template that gets created. This is supported by SAM. You can use this template as reference: https://github.com/aws-samples/cloudfront-authorization-at-edge/blob/master/template.yaml

I would have created a PR, but can't find the YAML template available anywhere in this repo


from aws-secrets-manager-rotation-lambdas.

asifma avatar asifma commented on August 18, 2024

Below is a proposed template for: SecretsManagerRDSPostgreSQLRotationSingleUser — version 1.1.384

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Parameters:
  endpoint:
    Type: String
    Description: The Secrets Manager endpoint to use.
  functionName:
    Type: String
    Description: The name of the Lambda function.
  invokingServicePrincipal:
    Type: String
    Description: The service principal for the invoking service.
    Default: secretsmanager.amazonaws.com
  vpcSubnetIds:
    Type: CommaDelimitedList
    Description: A comma-separated list of VPC subnet IDs applied to the database
      network.
    Default: ''
  vpcSecurityGroupIds:
    Type: CommaDelimitedList
    Description: A comma-separated list of security group IDs applied to the database.
    Default: ''
  kmsKeyArn:
    Type: String
    Description: The ARN of the KMS key that Secrets Manager uses to encrypt the secret.
    Default: ''
  excludeCharacters:
    Type: String
    Description: A string of the characters that you don't want in the password.
    Default: :/@"'\
  runtime:
    Type: String
    Description: The python runtime associated with the Lambda function
    Default: python3.9
  PermissionsBoundaryPolicyArn:
    Description: ARN of a boundary policy if your organisation uses some for roles, optional.
    Type: String
    Default: ""
Conditions:
  AddVpcConfig:
    Fn::And:
    - Fn::Not:
      - Fn::Equals:
        - ''
        - Fn::Join:
          - ''
          - Ref: vpcSubnetIds
    - Fn::Not:
      - Fn::Equals:
        - ''
        - Fn::Join:
          - ''
          - Ref: vpcSecurityGroupIds
  KmsKeyArnExists:
    Fn::Not:
    - Fn::Equals:
      - ''
      - Ref: kmsKeyArn
  ApplyPermissionsBoundary:
    !Not [!Equals [!Ref PermissionsBoundaryPolicyArn, ""]]

Resources:
  SecretsManagerRDSPostgreSQLRotationSingleUser:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName:
        Ref: functionName
      Description: Rotates a Secrets Manager secret for Amazon RDS PostgreSQL credentials
        using the single user rotation strategy.
      Handler: lambda_function.lambda_handler
      Runtime:
        Ref: runtime
      CodeUri:
        Bucket: <%REPO_BUCKET%>
        Key: 8494558e-a7c7-479b-b855-6a42fa99ba3f
      AutoPublishCodeSha256: b6db215a045dfe41d9838f1236af55b0de0d491d7d03b67d78ebde754eeadaae
      Timeout: 30
      PermissionsBoundary: !If
        - ApplyPermissionsBoundary
        - !Ref PermissionsBoundaryPolicyArn
        - !Ref AWS::NoValue
      Policies:
      - VPCAccessPolicy: {}
      - AWSSecretsManagerRotationPolicy:
          FunctionName:
            Ref: functionName
      - Fn::If:
        - KmsKeyArnExists
        - Version: '2012-10-17'
          Statement:
          - Effect: Allow
            Action:
            - kms:Decrypt
            - kms:DescribeKey
            - kms:GenerateDataKey
            Resource:
              Ref: kmsKeyArn
        - Ref: AWS::NoValue
      Environment:
        Variables:
          SECRETS_MANAGER_ENDPOINT:
            Ref: endpoint
          EXCLUDE_CHARACTERS:
            Ref: excludeCharacters
      VpcConfig:
        Fn::If:
        - AddVpcConfig
        - SubnetIds:
            Ref: vpcSubnetIds
          SecurityGroupIds:
            Ref: vpcSecurityGroupIds
        - Ref: AWS::NoValue
      Tags:
        SecretsManagerLambda: Rotation
  LambdaPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName:
        Fn::GetAtt:
        - SecretsManagerRDSPostgreSQLRotationSingleUser
        - Arn
      Principal:
        Ref: invokingServicePrincipal
      SourceAccount:
        Ref: AWS::AccountId
Outputs:
  RotationLambdaARN:
    Description: The ARN of the rotation lambda
    Value:
      Fn::GetAtt:
      - SecretsManagerRDSPostgreSQLRotationSingleUser
      - Arn

from aws-secrets-manager-rotation-lambdas.
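The template above only attaches the boundary when PermissionsBoundaryPolicyArn is non-empty, so a deployment that keeps the default of "" still creates an unbounded role. As an added example (not code from this repo or from the commenter), a small audit that evaluates the Conditions of a SAM template given as a dict (the JSON form of the YAML above, trimmed and constructed here) and lists every AWS::Serverless::Function that would be deployed without a permissions boundary, honouring both the per-function property and Globals.Function.PermissionsBoundary:

```python
from typing import Any

NO_VALUE = {"Ref": "AWS::NoValue"}

def _val(node: Any, params: dict) -> Any:
    """Evaluate the intrinsic functions used by the template's Conditions
    (Ref, Fn::Join, Fn::Equals, Fn::Not, Fn::And) against parameter values."""
    if not isinstance(node, dict) or len(node) != 1:
        return node
    (fn, arg), = node.items()
    if fn == "Ref":
        return params.get(arg, node)  # pseudo parameters such as AWS::NoValue pass through
    if fn == "Fn::Join":
        return arg[0].join(_val(arg[1], params))
    if fn == "Fn::Equals":
        return _val(arg[0], params) == _val(arg[1], params)
    if fn == "Fn::Not":
        return not _val(arg[0], params)
    if fn == "Fn::And":
        return all(_val(a, params) for a in arg)
    return node

def unbounded_functions(template: dict, params: dict) -> list[str]:
    """Logical IDs of AWS::Serverless::Function resources that would be deployed
    without a PermissionsBoundary for the given parameter values. A boundary set
    under Globals.Function applies to every function that does not override it."""
    conds = {n: _val(c, params) for n, c in template.get("Conditions", {}).items()}
    default = template.get("Globals", {}).get("Function", {}).get("PermissionsBoundary")
    missing = []
    for logical_id, res in template["Resources"].items():
        if res.get("Type") != "AWS::Serverless::Function":
            continue
        pb = res.get("Properties", {}).get("PermissionsBoundary", default)
        if isinstance(pb, dict) and "Fn::If" in pb:  # the optional pattern from the post
            cond, if_true, if_false = pb["Fn::If"]
            pb = if_true if conds[cond] else if_false
        if _val(pb, params) in (None, "", NO_VALUE):
            missing.append(logical_id)
    return missing

# Constructed, trimmed copy of the posted template (short-form tags written long-form).
BOUNDARY_CONDITION = {"Fn::Not": [{"Fn::Equals": [{"Ref": "PermissionsBoundaryPolicyArn"}, ""]}]}
ROTATION_FUNCTION = {
    "Type": "AWS::Serverless::Function",
    "Properties": {"Handler": "lambda_function.lambda_handler",
                   "PermissionsBoundary": {"Fn::If": ["ApplyPermissionsBoundary",
                                                       {"Ref": "PermissionsBoundaryPolicyArn"}, NO_VALUE]}},
}
TEMPLATE = {"Conditions": {"ApplyPermissionsBoundary": BOUNDARY_CONDITION},
            "Resources": {"SecretsManagerRDSPostgreSQLRotationSingleUser": ROTATION_FUNCTION,
                          "LambdaPermission": {"Type": "AWS::Lambda::Permission"}}}
```

Running unbounded_functions(TEMPLATE, {"PermissionsBoundaryPolicyArn": ""}) names the rotation function, while passing a real policy ARN, or setting the boundary once under Globals.Function, returns an empty list.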
