 

AWS secrets manager, 'A previous rotation isn’t complete' when rotating secrets

I've created a secret and updated it to have a lambda rotation function

My secret looks like

aws secretsmanager list-secret-version-ids --secret-id envir/username
{
    "Versions": [
        {
            "VersionId": "90179cd3-daa1-48e4-9fe5-dde0a4cf22e4",
            "VersionStages": [
                "AWSPREVIOUS"
            ],
            "LastAccessedDate": 1524528000.0,
            "CreatedDate": 1524568488.358
        },
        {
            "VersionId": "60576823-5d98-4360-af53-7e1f909b88d0",
            "VersionStages": [
                "AWSCURRENT"
            ],
            "LastAccessedDate": 1524528000.0,
            "CreatedDate": 1524568827.466
        }
    ],
    "ARN": "arn:aws:secretsmanager:eu-west-1:8282828282828:secret:username-YdgbPA",
    "Name": "envir/username"
}

and when I try to rotate it, I get this error

An error occurred (InvalidRequestException) when calling the RotateSecret operation: A previous rotation isn’t complete. That rotation will be reattempted.

I can rotate the secret without issues if I trigger the Lambda function.

Does anyone have any ideas?


related links:

  • https://forums.aws.amazon.com/thread.jspa?threadID=280093&tstart=0 which does not apply to me as I don't have the secret in the AWSPENDING state.
user2599522 asked Apr 24 '18 11:04


People also ask

How does Secrets Manager rotation work?

When you rotate a secret, you update the credentials in both the secret and the database or service. In Secrets Manager, you can set up automatic rotation for your secrets. Applications that retrieve the secret from Secrets Manager automatically get the new secret value after rotation.

How do I rotate a secret in AWS Secrets Manager?

Open the Secrets Manager console at https://console.aws.amazon.com/secretsmanager/ . Choose your secret. On the secret details page, under Rotation configuration, choose Rotate secret immediately. In the Rotate secret dialog box, choose Rotate.

How often should secrets be rotated?

Ensure that you are rotating your secrets every 90 days. Secrets should be treated just like passwords and should have a defined rotation cycle similar to your service account password policy.

What is the difference between KMS and Secrets Manager?

KMS manages encryption keys; Secrets Manager stores secret values and uses KMS for envelope encryption. AWS KMS returns a plaintext data key and a copy of that data key encrypted under the KMS key. Secrets Manager uses the plaintext data key and the Advanced Encryption Standard (AES) algorithm to encrypt the secret value outside of AWS KMS. It removes the plaintext key from memory as soon as possible after using it.


1 Answer

Just a note for people in future who might get the same error...

If you are using the AWS Secrets Manager to rotate an Amazon RDS password, the Secrets Manager will automatically create a Lambda function. This function requires:

  • Access to the Internet (to call Secrets Manager), OR a VPC endpoint for the Secrets Manager service in the subnet(s) associated with the Lambda function
  • Access to the RDS instance (to login and change the password)

As such, the following combinations work:

  • Publicly accessible database (bad for security) with a Lambda function that is not attached to a VPC, OR
  • The Lambda function in a private subnet with a NAT Gateway in the public subnet (so the Lambda function can access the Internet) OR an Elastic IP Address attached to the Lambda function's ENI

Also, the Security Group attached to the database needs to permit inbound access from the Lambda function. By default, the Lambda function is assigned the same security group as used by the database, so either:

  • Edit the database security group to permit inbound connections from itself (that is, from Lambda to the database via the same security group), OR
  • Change the security group that is used by the Lambda function to one that is currently permitted to access the database security group
John Rotenstein answered Sep 20 '22 22:09
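The conditions in the answer above (a Secrets Manager VPC endpoint in the Lambda function's subnets, and a database security group that admits the Lambda function's security group) and the AWSPENDING check from the forum thread linked in the question can be turned into an offline diagnostic. The following is an added example, not code from the question, the answer, or AWS: pure functions over the JSON shapes returned by `aws lambda get-function-configuration`, `aws ec2 describe-vpc-endpoints`, `aws ec2 describe-security-groups` and `aws secretsmanager list-secret-version-ids`, run against constructed sample data (all subnet, security-group and endpoint IDs are made up; the version IDs are copied from the question). NAT Gateway egress is not checked because proving it needs the route tables, so a missing endpoint is reported as "endpoint or NAT route".

```python
"""Offline diagnosis of a Secrets Manager rotation Lambda that never finishes.

Added example, not code from the question or the answer. Checks encode the
answer's networking conditions plus the AWSPENDING check from the linked
thread, over AWS CLI / boto3 JSON shapes. All sample data is constructed."""


def pending_version(versions):
    """VersionId labelled AWSPENDING, or None. A version stuck in AWSPENDING is
    what makes RotateSecret report 'A previous rotation isn't complete'."""
    for v in versions:
        if "AWSPENDING" in v.get("VersionStages", []):
            return v["VersionId"]
    return None


def has_secretsmanager_endpoint(endpoints, region, subnet_ids):
    """True if an available Interface endpoint for Secrets Manager sits in at
    least one subnet the Lambda function is attached to."""
    service = f"com.amazonaws.{region}.secretsmanager"
    return any(ep.get("ServiceName") == service
               and ep.get("VpcEndpointType") == "Interface"
               and ep.get("State") == "available"
               and set(ep.get("SubnetIds", [])) & set(subnet_ids)
               for ep in endpoints)


def db_sg_admits_lambda(db_sg, lambda_sg_ids, port):
    """True if the database security group has an inbound TCP rule covering
    `port` whose source is one of the Lambda's security groups. A
    self-referencing rule satisfies this when both share one group."""
    for rule in db_sg.get("IpPermissions", []):
        proto = rule.get("IpProtocol")
        if proto == "tcp":
            if not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
                continue
        elif proto != "-1":          # "-1" means every protocol and port
            continue
        if any(p.get("GroupId") in lambda_sg_ids for p in rule.get("UserIdGroupPairs", [])):
            return True
    return False


def diagnose(lambda_cfg, endpoints, security_groups, versions, region, db_sg_id, db_port):
    """List of findings; empty means none of the known causes apply."""
    findings = []
    pending = pending_version(versions)
    if pending:
        findings.append(f"version {pending} is stuck in AWSPENDING")
    vpc = lambda_cfg.get("VpcConfig") or {}
    subnets, lambda_sgs = vpc.get("SubnetIds", []), vpc.get("SecurityGroupIds", [])
    if not subnets:   # not VPC-attached: Internet path, so the DB must be publicly reachable
        return findings
    if not has_secretsmanager_endpoint(endpoints, region, subnets):
        findings.append("no Secrets Manager Interface endpoint in the Lambda subnets "
                        "(add one, or route the subnets through a NAT Gateway)")
    db_sg = next((sg for sg in security_groups if sg.get("GroupId") == db_sg_id), None)
    if db_sg is None or not db_sg_admits_lambda(db_sg, lambda_sgs, db_port):
        findings.append(f"{db_sg_id} has no inbound rule on port {db_port} from {lambda_sgs}")
    return findings


# Constructed sample data (IDs are made up; version IDs copied from the question).
REGION, DB_PORT, DB_SG = "eu-west-1", 3306, "sg-0d0d0d0d0d0d0d0d0"
LAMBDA_CFG = {"VpcConfig": {"SubnetIds": ["subnet-0a0a0a0a", "subnet-0b0b0b0b"],
                            "SecurityGroupIds": [DB_SG]}}   # default: same SG as the DB
VERSIONS = [{"VersionId": "90179cd3-daa1-48e4-9fe5-dde0a4cf22e4", "VersionStages": ["AWSPREVIOUS"]},
            {"VersionId": "60576823-5d98-4360-af53-7e1f909b88d0", "VersionStages": ["AWSCURRENT"]}]
BROKEN_ENDPOINTS = []                                       # no endpoint at all
BROKEN_SGS = [{"GroupId": DB_SG, "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "UserIdGroupPairs": [{"GroupId": "sg-0bastion000000000"}]}]}]   # only a bastion host
FIXED_ENDPOINTS = [{"ServiceName": "com.amazonaws.eu-west-1.secretsmanager",
                    "VpcEndpointType": "Interface", "State": "available",
                    "SubnetIds": ["subnet-0b0b0b0b"]}]
FIXED_SGS = [{"GroupId": DB_SG, "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "UserIdGroupPairs": [{"GroupId": DB_SG}]}]}]                   # self-referencing rule


def broken_findings():
    return diagnose(LAMBDA_CFG, BROKEN_ENDPOINTS, BROKEN_SGS, VERSIONS, REGION, DB_SG, DB_PORT)


def fixed_findings():
    return diagnose(LAMBDA_CFG, FIXED_ENDPOINTS, FIXED_SGS, VERSIONS, REGION, DB_SG, DB_PORT)


if __name__ == "__main__":
    for label, found in (("broken", broken_findings()), ("fixed", fixed_findings())):
        print(label + ":", "; ".join(found) or "no known cause found")
```

To run it against a real account, replace the constants with the output of the four CLI calls named in the docstring (`--output json`); the Lambda function name and the database's security group ID are the only inputs you need to look up by hand.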