
If secrets are rotated while a connection to RDS is currently open, will that connection still be able to query the database, or will it become inactive?

foobarbaz

3 Answers


Most databases, including all the DBs in RDS, will not close out sessions/connections when you change a password (e.g. see this answer for Oracle). Terminating sessions requires explicit terminate commands.

If you are using Java and a connection pool manager you can use the AWS provided JDBC wrapper to automatically pick up the latest password when your connections need to be re-established.

I can test this by:

  • Spinning up a MySQL RDS instance
  • Storing the master password in Secrets Manager
  • Setting up single user rotation via the console
  • Connect to the DB with the MySQL CLI
  • Verify the connection with a query
  • Keep the connection open by starting a subshell from the CLI
  • Dump the current password
  • Kick off an async rotation and wait a bit
  • Verify rotation by dumping the new password
  • Go back to the existing MySQL connection in the CLI by exiting the subshell
  • Run another query

    $ mysql -h testdb -Dmysql -u root -p$(aws --region us-east-2 secretsmanager get-secret-value --secret-id testdb-root --query SecretString --output text | jq -r '.password')
       ...
    mysql> select user from user;
    +-----------+
    | user      |
    +-----------+
    | root      |
    | mysql.sys |
    | rdsadmin  |
    +-----------+
    3 rows in set (0.05 sec)

    mysql> \! bash
    $ # Show current password
    $ aws --region us-east-2 secretsmanager get-secret-value --secret-id testdb-root --query SecretString --output text | jq -r '.password'
    3%c70'-e9s<Dy5ecX-(0mV%&E6Y[<jnJ
    $ aws --region us-east-2 secretsmanager rotate-secret --secret-id testdb-root
       ...
    $ sleep 60 # Give rotation time to complete
    $ aws --region us-east-2 secretsmanager get-secret-value --secret-id testdb-root --query SecretString --output text | jq -r '.password'
    .z,B{,P]jE~pr3?0mZ5H,6rJi;aXrQVO
    $ exit
    mysql> select user from user;
    +-----------+
    | user      |
    +-----------+
    | root      |
    | mysql.sys |
    | rdsadmin  |
    +-----------+
    3 rows in set (0.05 sec)

JoeB
  • After running a test, @myron-semack's answer was correct, the connection was cut off when the password was rotated. – foobarbaz Jan 09 '19 at 15:17
  • Which RDS database type did you use for this? Also were you using the standard rotation Lambdas setup by the Secrets Manager console? – JoeB Jan 10 '19 at 00:18
  • I edited my answer. I do not get the same results when I test this with a MySQL RDS instance. – JoeB Jan 10 '19 at 02:31
  • We used a postgres RDS instance with the standard rotation, however, we were not using the JDBC wrapper. This is most likely the direction we will go with this now though, thanks for the info! – foobarbaz Jan 10 '19 at 16:04
  • I re-ran the above test with an RDS postgres 10.4 instance substituting `psql -h testdb... -U root -d postgres` for the CLI and `SELECT datname FROM pg_database;` for the query. Again I do not see the connection getting reset/closed. Is it possible you have [idle_in_transaction_session_timeout](https://stackoverflow.com/questions/13236160/is-there-a-timeout-for-idle-postgresql-connections) set or your code is somehow closing connections between commits? – JoeB Jan 10 '19 at 19:22

If you rotate the password for a user account, users will be unable to initiate new connections to the database until they fetch the new password. Existing connections will continue to work.

A common strategy is to have two user accounts (user1 and user2) and rotate their passwords on a staggered schedule. The credentials for user1 will still work while the clients detect user2 and start using it. Note for this to be effective the clients will have to check for updated credentials periodically.

https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-two-users.html

sdgfsdh
myron-semack
  • I believe this answer is mis-phrased. It is true that after rotation any subsequent connection requests will need to pick up the new password. However, existing connections will not be automatically closed by the DB (see below). – JoeB Jan 14 '19 at 18:11
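Added example (not code from any of the answers above): a small Python model of the behaviour JoeB's test shows and of the client-side refresh the two-user answer relies on. `RdsServer`, `SecretsStore` and `Client` are constructed stand-ins for RDS, Secrets Manager and an application holding a cached secret; a single-user rotation leaves an already-open session untouched, refuses the old password for new logins, and the client recovers by refetching the secret when a login is denied.

```python
import json

class RdsServer:
    """Stand-in for RDS (constructed): the password is checked only at login."""
    def __init__(self, users):
        self.users = dict(users)
    def set_password(self, user, password):
        self.users[user] = password  # sessions already open are not terminated
    def connect(self, user, password):
        if self.users.get(user) != password:
            raise PermissionError("access denied for user %r" % user)
        return {"user": user, "rows": ["root", "mysql.sys", "rdsadmin"]}  # session

class SecretsStore:
    """Stand-in for Secrets Manager (constructed): single-user rotation."""
    def __init__(self, user, password):
        self.value = json.dumps({"username": user, "password": password})
    def get_secret_value(self):
        return self.value
    def rotate(self, server, new_password):
        user = json.loads(self.value)["username"]
        server.set_password(user, new_password)  # change the DB first, then store
        self.value = json.dumps({"username": user, "password": new_password})

class Client:
    """Caches the secret and refetches it once when a login is refused."""
    def __init__(self, store, server):
        self.store, self.server, self.creds = store, server, None
    def connect(self):
        self.creds = self.creds or json.loads(self.store.get_secret_value())
        try:
            return self.server.connect(self.creds["username"], self.creds["password"])
        except PermissionError:  # stale cache after a rotation: refresh, retry once
            self.creds = json.loads(self.store.get_secret_value())
            return self.server.connect(self.creds["username"], self.creds["password"])

def run_scenario():
    """(old session still usable, old password still logs in, cached client recovers)"""
    server, store = RdsServer({"root": "old-pw"}), SecretsStore("root", "old-pw")
    client = Client(store, server)
    session = client.connect()  # opened, and creds cached, before the rotation
    store.rotate(server, "new-pw")
    old_session_ok = session["rows"] == ["root", "mysql.sys", "rdsadmin"]
    try:
        server.connect("root", "old-pw")
        stale_login_ok = True
    except PermissionError:
        stale_login_ok = False
    return old_session_ok, stale_login_ok, client.connect()["user"] == "root"
```

With two alternating users, the refresh in `Client.connect` would simply switch to the other user's credentials instead of retrying the same one.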

From the Secrets Manager documentation:

Secrets Manager can automatically rotate your secret for you on a specified schedule. You can rotate credentials without interrupting the service if you choose to store a complete set of credentials for a user or account, instead of only the password. If you change or rotate only the password, then the old password immediately becomes obsolete, and clients must immediately start using the new password or fail. If you can instead create a new user with a new password, or at least alternate between two users, then the old user and password can continue to operate side by side with the new one, until you choose to deprecate the old one. This gives you a window of time when all of your clients can continue to work while you test and validate the new credentials. After your new credentials pass testing, you commit all of your clients to using the new credentials and remove the old credentials.

Dherik
  • That is about establishing new connections. The OP asked about the existing connection, and the existing connection is not dropped by the DB. – JoeB Apr 17 '20 at 19:56