AWS Lambda function for rotating passwords in PostgreSQL databases with credentials in Secrets Manager

A Golang AWS Lambda function for rotating passwords in PostgreSQL databases with credentials in Secrets Manager.


This Lambda function essentially wraps the Rotate function of

Environment variables

The following environment variables must be set when the function is deployed:

  • KMS_KEY is the KMS Key to use to encrypt the randomly-generated credentials.


  • clientRequestToken is a string between 32 and 64 runes containing only mixed-case alphanumerics and hyphens.
    • Make up your own random token, or import and call gordsplus.MakeClientRequestToken() to have a token generated for you.
  • secretArn is a string describing the desired name of the Secret which will hold the credentials.

For example:

  {
    "clientRequestToken": "9fKqI2ysQxz8FCFg5NNJmbByWqvpX_YF",
    "secretArn": "arn:aws:secretsmanager:us-east-1:555000000000:secret:mycredentials-RkY225"
  }
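
The sketch below is an added example, not code from this project: it checks an incoming event against the two field rules described above before any AWS call is made. The names Request and ParseRequest are hypothetical, the 32 to 64 bound is assumed to be inclusive, and the ARN shape check is an assumption about what a caller would want to reject early.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"unicode/utf8"
)

// Characters the README allows in clientRequestToken.
const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-"

// Request mirrors the two documented event fields (hypothetical type name).
type Request struct {
	ClientRequestToken string `json:"clientRequestToken"`
	SecretArn          string `json:"secretArn"`
}

// ParseRequest decodes an event and rejects it unless both fields are well formed.
// Assumption: the 32 to 64 rune bound is inclusive.
func ParseRequest(event []byte) (Request, error) {
	var r Request
	if err := json.Unmarshal(event, &r); err != nil {
		return r, fmt.Errorf("decode event: %w", err)
	}
	if n := utf8.RuneCountInString(r.ClientRequestToken); n < 32 || n > 64 {
		return r, fmt.Errorf("clientRequestToken: %d runes, want 32 to 64", n)
	}
	bad := func(c rune) bool { return !strings.ContainsRune(alphabet, c) }
	if strings.IndexFunc(r.ClientRequestToken, bad) >= 0 {
		return r, fmt.Errorf("clientRequestToken: character outside A-Z a-z 0-9 and hyphen")
	}
	// arn:<partition>:secretsmanager:<region>:<account>:secret:<name>
	p := strings.SplitN(r.SecretArn, ":", 7)
	if len(p) != 7 || p[0] != "arn" || !strings.HasPrefix(p[1], "aws") ||
		p[2] != "secretsmanager" || p[5] != "secret" || p[6] == "" {
		return r, fmt.Errorf("secretArn: not a Secrets Manager secret ARN")
	}
	return r, nil
}

func main() {
	// Constructed sample event: a 32-character token and the README's example ARN.
	ev := `{"clientRequestToken":"` + strings.Repeat("aB3-", 8) + `","secretArn":"arn:aws:secretsmanager:us-east-1:555000000000:secret:mycredentials-RkY225"}`
	_, err := ParseRequest([]byte(ev))
	fmt.Println("accepted:", err == nil)
}
```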


This function does not return any response content, other than an error.


The role which this Lambda function assumes will require:

  • rds:DescribeDBInstances
  • secretsmanager:GetSecretValue
  • secretsmanager:UpdateSecret

The KMS key will need to grant the following to the role:

  • kms:Decrypt
  • kms:Encrypt
  • kms:GenerateDataKey
  • kms:ReEncrypt*


This project uses the following packages:

Licence, credit & sponsorship

This project is published under the MIT Licence.

You don't owe me anything in return, but as an indie freelance coder there are two things I'd appreciate:

  • Credit. If your app or documentation has a credits page, please consider mentioning the projects you use.
  • Cash. If you want and are able to support future development, please consider becoming a patron or buying me a coffee. Thank you!
