Every solution comes from a challenge or a problem. Engineers love to solve problems, and problem-solving requires creativity and knowledge of the tools available to you, much like an artist who wants to express their art through the different materials and tools they have. So, here is the challenge and the requirement it solved:
Database secret rotation can be a compliance requirement, or simply a way to strengthen the security of your environments. Rotating RDS passwords in AWS is made easy by the Secrets Manager service. However, you may have a fully automated deployment pipeline in your infrastructure, such as ECS blue/green deployments, and want your application to refresh its secrets as well whenever a new secret is created.
This is a challenge that can be tackled with AWS Lambda functions, and here is how you can do it in an efficient and secure way on AWS.
Every solution starts with an efficient and solid architecture. The language chosen was Python, because its synchronous execution model suits a process that must run strictly step by step, and because of its vast set of libraries, for example boto3, a popular and well-maintained SDK for interacting with AWS services. Below you can check a high-level diagram of the solution with its sequential steps.
Then comes our Lambda function handler; here you can associate the steps 1 to 6 described above. Because the process has to run synchronously, we can clearly see, step by step, how the Python script executes the secret rotation safely.
The generate_secret function has some particulars: the RDS master password cannot contain certain punctuation characters (AWS rejects '/', '"' and '@', and PostgreSQL connection strings are sensitive to a few more), so be aware of this when generating a new secret. Here is how the current function works:
Since in this scenario the ECS service reads the secret from SSM Parameter Store when it builds its tasks, the parameter must be updated and the application containers restarted so that the new value is picked up.
Don't forget to create a CloudWatch Events (EventBridge) scheduled trigger for your Lambda function, and keep in mind that this is not a zero-downtime approach: between the password change on RDS and the replacement of the running tasks, any new database connection opened with the old credentials will fail, so choose the cron expression wisely.
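As an added example, and not the handler from the original post or its repository, here is one way to write the whole sequence in Python with boto3: generate a password that RDS accepts, apply it to the instance, store it in Secrets Manager and SSM Parameter Store, and force a new ECS deployment. The environment variable names, the `rotate`/`generate_secret` helpers, the use of the AWSPENDING/AWSCURRENT staging labels and the exact excluded-character set are my assumptions about how such a handler can be wired, not details taken from the post. The AWS clients are passed in as parameters so the logic can be exercised offline with fakes.

```python
import json
import os
import secrets
import string
import uuid

# Characters the new password must not contain. RDS rejects '/', '@' and '"'
# in the master password; excluding ':', '\'', '\\' and space as well is an
# assumption (a conservative superset that also keeps the value safe inside a
# PostgreSQL connection URI).
EXCLUDED_CHARS = frozenset('/@"\':\\ ')
ALPHABET = [c for c in string.ascii_letters + string.digits + string.punctuation
            if c not in EXCLUDED_CHARS]


def generate_secret(length=32):
    """Random password drawn only from ALPHABET, with at least one lowercase,
    uppercase and digit character so a degenerate draw is never returned."""
    if length < 8:
        raise ValueError("RDS master passwords need at least 8 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)):
            return candidate


def rotate(rds, sm, ssm, ecs, cfg):
    """Rotate the password end to end and return the new secret payload.

    Order matters: the new password is written to Secrets Manager as a
    pending version *before* it is applied to RDS, so a Lambda crash half-way
    never leaves a password that exists nowhere but inside the database.
    """
    current = sm.get_secret_value(SecretId=cfg["secret_id"])
    payload = dict(json.loads(current["SecretString"]), password=generate_secret())
    pending_id = str(uuid.uuid4())  # idempotency token that also becomes the version id
    sm.put_secret_value(SecretId=cfg["secret_id"], ClientRequestToken=pending_id,
                        SecretString=json.dumps(payload), VersionStages=["AWSPENDING"])
    rds.modify_db_instance(DBInstanceIdentifier=cfg["db_instance_id"],
                           MasterUserPassword=payload["password"], ApplyImmediately=True)
    # modify_db_instance returns before the change is applied; block until it is.
    rds.get_waiter("db_instance_available").wait(DBInstanceIdentifier=cfg["db_instance_id"])
    # Promote the pending version to AWSCURRENT (the old one becomes AWSPREVIOUS).
    sm.update_secret_version_stage(SecretId=cfg["secret_id"], VersionStage="AWSCURRENT",
                                   MoveToVersionId=pending_id,
                                   RemoveFromVersionId=current["VersionId"])
    # ECS tasks read the parameter at start-up, so update it and force a redeploy.
    ssm.put_parameter(Name=cfg["ssm_parameter"], Value=payload["password"],
                      Type="SecureString", Overwrite=True)
    ecs.update_service(cluster=cfg["ecs_cluster"], service=cfg["ecs_service"],
                       forceNewDeployment=True)
    return payload


def handler(event, context):
    """Lambda entry point: build the real boto3 clients and run the rotation."""
    import boto3  # local import keeps the module importable without boto3 for tests
    cfg = {key.lower(): os.environ[key] for key in
           ("DB_INSTANCE_ID", "SECRET_ID", "SSM_PARAMETER", "ECS_CLUSTER", "ECS_SERVICE")}
    rotate(boto3.client("rds"), boto3.client("secretsmanager"),
           boto3.client("ssm"), boto3.client("ecs"), cfg)
    # Never return or log the password itself; report only what was rotated.
    return {"rotated": cfg["secret_id"], "redeployed": cfg["ecs_service"]}
```

The Lambda role needs `rds:ModifyDBInstance` and `rds:DescribeDBInstances` (for the waiter), `secretsmanager:GetSecretValue`, `secretsmanager:PutSecretValue` and `secretsmanager:UpdateSecretVersionStage`, `ssm:PutParameter` plus `kms:Encrypt` on the parameter's key, and `ecs:UpdateService`, each scoped to the single resource it touches. Set the function timeout generously, because the waiter can take a few minutes while RDS applies the change.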
If you have read this far and want to implement this solution in your AWS environment, I won't take any more of your time: you can refer to the GitHub repository below, and feel free to contribute or fork it at any time!
At DNX Solutions, we work to bring a better cloud and application experience for digital-native companies in Australia.
We are always hiring cloud engineers for our Sydney office, focusing on cloud-native concepts.
Check our open-source projects at https://github.com/DNXLabs and follow us on LinkedIn or Facebook.