
I have created an "other type of secret". I have also added a Lambda function as given in this template. Now when I try to rotate immediately it's saying "Fail to rotate the secret "TEST_SECRET_ROTATING" A previous rotation isn't complete. That rotation will be reattempted." The rotation time is one day; even the next day I see the secret is not updated. I simply added that Lambda function. Do I need to define any parameter or any other Lambda settings? I also see in the documentation that if you enable automatic rotation, the first rotation will happen immediately when you store this secret. But I don't see this rotation even the first time. I also followed this question here. I was able to find the version ID of the AWSPENDING stage; I delete this version ID > click on rotate secret immediately > I see "Secret successfully scheduled for rotation" > but the secret is not changed yet. Is there any issue with the Lambda code now?

Jaishree Mishra
  • Does this answer your question? [AWS secrets manager, 'A previous rotation isn’t complete' when rotating secrets](https://stackoverflow.com/questions/50000797/aws-secrets-manager-a-previous-rotation-isn-t-complete-when-rotating-secrets) – JD D Sep 29 '20 at 04:01
  • Is the function attached to a VPC? – John Rotenstein Sep 29 '20 at 04:34
  • @JohnRotenstein The Lambda function was not in a VPC, so as per your answer I added it to a private subnet which has a NAT gateway, and also added a security group. As this is not an RDS secret, I'm not sure any security group settings need to be updated. Still facing the same issue. – Jaishree Mishra Sep 29 '20 at 08:45
  • @JDD that article looks fine, but I tried all the answers. The good news is that I am able to get the "rotation successfully scheduled" message after deleting the AWSPENDING version ID. But I don't see the secret changed in the UI. – Jaishree Mishra Sep 29 '20 at 09:01
  • @JohnRotenstein The good news is I am able to find the version ID of the AWSPENDING stage from the command aws secretsmanager list-secrets. I delete this version ID > click on rotate secret immediately > I see "rotation successful" > but the secret is not changed yet. Is there any issue with the Lambda code now? – Jaishree Mishra Sep 29 '20 at 09:03

1 Answer

The answer given in the other question is good, but there were a couple of changes I had to make. The code template didn't say that we need to create a VPC endpoint for Secrets Manager ("SECRETS_MANAGER_ENDPOINT"); we need to give the Lambda role permission on the KMS key; we need to put the Lambda function in a VPC as told by John; and I also had to comment out "raise NotImplementedError" in both set_secret and test_secret and give pass.

Jaishree Mishra
  • It only needs to be added to a VPC if it needs to access resources in the VPC (eg when rotating a secret with RDS, it needs to be in the same VPC as RDS). But, if you're just rotating a secret without updating something in a VPC, then it should _not_ be connected to a VPC. – John Rotenstein Sep 29 '20 at 12:09