
(RDS): Rotation applications are very old and insecure


What is the problem?

I deployed a MySQL RDS instance in isolated subnets and added a Lambda to rotate the database credentials using the addRotationMultiUser method. The Lambda function is provisioned correctly, but fails when it calls the set_secret method. Connecting to the database fails with the following error:

[ERROR] ModuleNotFoundError: No module named 'asn1crypto' Traceback (most recent call last): File "/var/task/lambda_function.py", line 78, in lambda_handler

The dependency could be missing or the issue could be caused by a version update. Lock the version using a requirements.txt file when installing the dependencies: pip install -r requirements.txt

Reproduction Steps

rds-stack.txt

What did you expect to happen?

Create the “Secrets Manager RDS MySQL Handler” Lambda and rotate the database credentials successfully without throwing errors.

What actually happened?

[ERROR] ModuleNotFoundError: No module named 'asn1crypto' Traceback (most recent call last): File "/var/task/lambda_function.py", line 78, in lambda_handler

CDK CLI Version

1.137.0

Framework Version

No response

Node.js Version

14.15.5

OS

macOS Big Sur Version 11.6.2

Language

TypeScript

Language Version

3.9.7

Other information

No response

Issue Analytics

  • State: open
  • Created 2 years ago
  • Reactions: 3
  • Comments: 17 (10 by maintainers)

Top GitHub Comments

1 reaction
sukrithanda commented, Mar 8, 2022

Any updates on CDK using the most recent rotation Lambda? Would be great if it could use the Lambda that supports SSL: https://aws.amazon.com/about-aws/whats-new/2021/12/aws-secrets-manager-enables-ssl-connections-rotating-database/

1 reaction
iurquiza commented, Jan 10, 2022

I believe updating the sarMapping addressed the original issue, but the function is still failing to connect to the database. I need more time to test and verify that the issue has been resolved. This change packages the Lambda handler and its dependencies differently, making it difficult to trace the error; the source code for the rotation function is not hosted locally. I will post an update as soon as I have more information.
