(RDS): Rotation applications are very old and insecure
What is the problem?
I deployed a MySQL RDS instance in isolated subnets and added a Lambda to rotate the database credentials using the addRotationMultiUser method. The Lambda function is provisioned correctly, but fails when it calls the set_secret method. Connecting to the database fails with the following error:
[ERROR] ModuleNotFoundError: No module named 'asn1crypto'
Traceback (most recent call last):
  File "/var/task/lambda_function.py", line 78, in lambda_handler
The dependency could be missing or the issue could be caused by a version update. Lock the version using a requirements.txt file when installing the dependencies.
pip install -r requirements.txt
Reproduction Steps
What did you expect to happen?
Create the “Secrets Manager RDS MySQL Handler” Lambda and rotate the database credentials successfully without throwing errors.
What actually happened?
[ERROR] ModuleNotFoundError: No module named 'asn1crypto'
Traceback (most recent call last):
  File "/var/task/lambda_function.py", line 78, in lambda_handler
CDK CLI Version
1.137.0
Framework Version
No response
Node.js Version
14.15.5
OS
macOS Big Sur Version 11.6.2
Language
TypeScript
Language Version
3.9.7
Other information
No response
Issue Analytics
- State:
- Created 2 years ago
- Reactions: 3
- Comments: 17 (10 by maintainers)
Top GitHub Comments
Any updates on cdk using the most recent rotation lambda? Would be great if it could use the lambda that supports SSL https://aws.amazon.com/about-aws/whats-new/2021/12/aws-secrets-manager-enables-ssl-connections-rotating-database/
I believe updating the sarMapping addressed the original issue, but the function is still failing to connect to the database. I need more time to test and verify that the issue has been resolved. This change packages the Lambda handler and its dependencies differently, making it difficult to trace the error; the source code for the rotation function is not hosted locally. I will post an update as soon as I have more information.