New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Updates to DB password via SecretManager does not work #7518
Comments
Thanks for filing this issue. I was able to reproduce this. This is a weird one - I can confirm that the only thing that changes in the CloudFormation template between the two changes is the value of However before that, the dbname, host and dbengine should not even be present in the secret generated in the first place. The
@jogold / @skinny85 - anything either of you know of that I missed? |
The dbname, host and dbengine come from the
Conceptually a aws-cdk/packages/@aws-cdk/aws-secretsmanager/lib/secret.ts Lines 388 to 391 in 9f35104
This allows to I think the following happens here: when you udpate the I haven't tried to reproduce it yet but does the |
Thanks for the explanation @jogold. @mjslane - can you add the following piece of code to the code snippet in your reproduction steps. This should replace the const secretAttachment = dbSecret.node.tryFindChild('Attachment') as SecretTargetAttachment;
const cfnAttachment = secretAttachment.node.defaultChild as CfnSecretTargetAttachment;
cfnAttachment.overrideLogicalId('AttachmentLogicalId'); However, I suspect @jogold is right and this may not actually change the Database password. Could you try this out and confirm if it works, and actually changes the Database password as you would expect? |
We tried this, but in our stack the the secret ref is exported so other stacks can use it so we're getting an error on deleting the export.
We also managed to trigger a similar change when adding a new security group to connect to the RDS instance using the instance.connections.allowFrom(securityGroup, port) method. It didn't change the password but did delete everything other than the password and username. |
As an update, when we added the security group rule the password for the database wasn't changed but the password value in the secret was changed. This meant that new instances of our services couldn't connect to the database as the credentials in secret manager were wrong. |
@skinny85 and I had a discussion around this yesterday. I believe the correct solution here is that whenever a change occurs to the Mutating the Mutating the All of this still is likely to work but still needs verification. |
@nija-at @skinny85 how about overriding the logical id of the const resource = new secretsmanager.CfnSecret(this, 'Resource', {
description: props.description,
kmsKeyId: props.encryptionKey && props.encryptionKey.keyArn,
generateSecretString: props.generateSecretString || {},
name: this.physicalName,
});
const logicalId = crypto.createHash('sha256')
.update(JSON.stringify(props.generateSecretString))
.digest('hex');
resource.overrideLogicalId(logicalId); |
Also if you're using secret rotation (the one from the CDK) it doesn't make sense to override excluded characters because the secret rotation application has its own hard coded set of excluded characters: |
Yes, this is exactly how we thought to approach it :) |
Hmmm... in that case, I wonder whether we should have some validation for that case? Because the fact that this property will be ignored might catch people off guard... |
It's currently not possible from the code to use the "managed" rotation if the secret was not created inside the L2 and in this case it's a
Since secret rotation is optional, I was suggesting to mutate the secret itself. This will for sure update the password in the DB (via CF). But with the fact that the secret is created inside the L2, I'm actually not sure anymore: either the user chooses for a "managed" experience (secret and secret rotation) or he must pass a |
This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled. |
When RDS is first set up using secret manager a secret is created with the following format
If a change is made to the CDK that causes the password to be regenerated the password is updated but dbname, host, port and engine is removed from the secret. If services rely on this information being there it breaks the service.
Reproduction Steps
Check the secret generated.
Update the excluded characters by adding or removing some.
Redeploy
Check the secret again.
Environment
This is 🐛 Bug Report
The text was updated successfully, but these errors were encountered: