AWS Lambda function for rotating passwords in PostgreSQL databases with credentials in Secrets Manager

gordsplus-rotatepasswordlambda


A Golang AWS Lambda function for rotating passwords in PostgreSQL databases with credentials in Secrets Manager.

Introduction

This Lambda function essentially wraps the Rotate function of github.com/cariad/gordsplus.

Environment variables

The following environment variables must be set when the function is deployed:

  • KMS_KEY is the KMS Key to use to encrypt the randomly-generated credentials.

Payload

  • clientRequestToken is a string between 32 and 64 runes containing only mixed-case alphanumerics and hyphens.
    • Make up your own random token, or import github.com/cariad/gordsplus and call gordsplus.MakeClientRequestToken() to have a token generated for you.
  • secretArn is a string describing the desired name of the Secret which will hold the credentials.

For example:

{
  "clientRequestToken": "9fKqI2ysQxz8FCFg5NNJmbByWqvpX_YF",
  "secretArn":         "arn:aws:secretsmanager:us-east-1:555000000000:secret:mycredentials-RkY225"
}
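A caller can enforce the payload rules above before invoking the function. The following is an added example, not code from this project: `Payload`, `Validate` and `BuildPayload` are hypothetical names, the ARN shape check is an assumption beyond what the README states, and the token is 128 bits from `crypto/rand` rendered as 32 hex characters (a subset of the allowed characters).

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
	"unicode/utf8"
)

// Payload mirrors the two fields the README documents.
type Payload struct {
	ClientRequestToken string `json:"clientRequestToken"`
	SecretArn          string `json:"secretArn"`
}

// Validate enforces the README's token rule; the ARN shape check is an added assumption.
func (p Payload) Validate() error {
	const allowed = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-"
	if n := utf8.RuneCountInString(p.ClientRequestToken); n < 32 || n > 64 {
		return fmt.Errorf("clientRequestToken has %d runes, want 32 to 64", n)
	}
	if i := strings.IndexFunc(p.ClientRequestToken, func(r rune) bool { return !strings.ContainsRune(allowed, r) }); i >= 0 {
		return fmt.Errorf("clientRequestToken has a disallowed character at byte %d", i)
	}
	f := strings.Split(p.SecretArn, ":")
	if len(f) != 7 || f[0] != "arn" || f[2] != "secretsmanager" || f[5] != "secret" || f[6] == "" {
		return fmt.Errorf("secretArn %q is not a Secrets Manager secret ARN", p.SecretArn)
	}
	return nil
}

// BuildPayload makes a 32-character hex token (128 bits from crypto/rand) and returns validated JSON.
func BuildPayload(secretArn string) ([]byte, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	p := Payload{ClientRequestToken: hex.EncodeToString(raw), SecretArn: secretArn}
	if err := p.Validate(); err != nil {
		return nil, err
	}
	return json.Marshal(p)
}

func main() {
	b, err := BuildPayload("arn:aws:secretsmanager:us-east-1:555000000000:secret:mycredentials-RkY225")
	fmt.Println(string(b), err)
}
```

Applied to the sample payload above, `Validate` rejects the token because of its underscore, which the stated character set does not include.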

Response

This function does not return any response content, other than an error.

Permissions

The role which this Lambda function assumes will require:

  • rds:DescribeDBInstances
  • secretsmanager:GetSecretValue
  • secretsmanager:UpdateSecret

The KMS key will need to grant the following to the role:

  • kms:Decrypt
  • kms:Encrypt
  • kms:GenerateDataKey
  • kms:ReEncrypt*

Acknowledgements

This project uses the following packages:

Licence, credit & sponsorship

This project is published under the MIT Licence.

You don't owe me anything in return, but as an indie freelance coder there are two things I'd appreciate:

  • Credit. If your app or documentation has a credits page, please consider mentioning the projects you use.
  • Cash. If you want and are able to support future development, please consider becoming a patron or buying me a coffee. Thank you!