AWS secrets manager, 'A previous rotation isn’t complete' when rotating secrets


Question

I've created a secret and updated it to have a lambda rotation function

My secret looks like

aws secretsmanager list-secret-version-ids --secret-id envir/username
{
    "Versions": [
        {
            "VersionId": "90179cd3-daa1-48e4-9fe5-dde0a4cf22e4",
            "VersionStages": [
                "AWSPREVIOUS"
            ],
            "LastAccessedDate": 1524528000.0,
            "CreatedDate": 1524568488.358
        },
        {
            "VersionId": "60576823-5d98-4360-af53-7e1f909b88d0",
            "VersionStages": [
                "AWSCURRENT"
            ],
            "LastAccessedDate": 1524528000.0,
            "CreatedDate": 1524568827.466
        }
    ],
    "ARN": "arn:aws:secretsmanager:eu-west-1:8282828282828:secret:username-YdgbPA",
    "Name": "envir/username"
}

And when I try to rotate it, I get this error

An error occurred (InvalidRequestException) when calling the RotateSecret operation: A previous rotation isn’t complete. That rotation will be reattempted.

I can rotate the secret without issues if I trigger the lambda function without issues.

Anyone have any ideas?

Related links:

  • https://forums.aws.amazon.com/thread.jspa?threadID=280093&tstart=0 which does not apply to me as I don't have the secret in AWSPENDING state.

Recommended answer

Just a note for people in future who might get the same error...

If you are using the AWS Secrets Manager to rotate an Amazon RDS password, the Secrets Manager will automatically create a Lambda function. This function requires:

  • Access to the Internet (to call the Secrets Manager) OR VPC endpoint for Secrets Manager service in subnet/subnets associated with the lambda function
  • Access to the RDS instance (to login and change the password)

Therefore, the following combinations are valid:

  • Publicly accessible database (bad for security) with a Lambda function that is not attached to a VPC, OR
  • The Lambda function in a private subnet with a NAT Gateway in the public subnet (so the Lambda function can access the Internet) OR an Elastic IP Address attached to the Lambda function's ENI

Also, the Security Group attached to the database needs to permit inbound access from the Lambda function. By default, the Lambda function is assigned the same security group as used by the database, so either:

  • Edit the database security group to permit inbound connections from itself (that is, from Lambda to the database via the same security group), OR
  • Change the security group that is used by the Lambda function to one that is currently permitted to access the database security group
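As an added example (not part of the question or of the answer above), the following Python script checks the prerequisites the answer lists against offline copies of the relevant AWS API responses: whether each Lambda subnet has a NAT route or a Secrets Manager VPC endpoint, and whether the database security group admits the Lambda function's security group on the database port (the self-referencing rule when both share one group). It also reports any secret version still staged AWSPENDING, the stuck state the question's list-secret-version-ids output does not show. The dict shapes follow the AWS CLI / boto3 JSON for list-secret-version-ids, get-function-configuration, describe-route-tables, describe-vpc-endpoints and describe-security-groups; the subnet, security group, NAT gateway and endpoint identifiers are constructed placeholders, and the region is the one from the ARN in the question.

```python
# Added example, not code from the original question or answer. The inputs are
# dicts shaped like the AWS CLI / boto3 responses; the sample values at the
# bottom are constructed for illustration, not taken from a real account.


def pending_versions(list_versions_response):
    """VersionIds still staged AWSPENDING, i.e. a rotation that never finished."""
    return [v["VersionId"] for v in list_versions_response["Versions"]
            if "AWSPENDING" in v["VersionStages"]]


def subnet_has_nat_route(subnet_id, route_tables):
    """True if the subnet's route table sends 0.0.0.0/0 through a NAT gateway.
    A Lambda ENI has no public IP, so an Internet Gateway route alone is not enough."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return any(r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("NatGatewayId")
                       for r in rt.get("Routes", []))
    return False


def subnet_has_secretsmanager_endpoint(subnet_id, vpc_endpoints, region):
    """True if an interface endpoint for Secrets Manager is placed in the subnet."""
    service = f"com.amazonaws.{region}.secretsmanager"
    return any(e.get("ServiceName") == service and subnet_id in e.get("SubnetIds", [])
               for e in vpc_endpoints)


def sg_allows_inbound(security_group, source_sg_id, port):
    """True if the group has an inbound rule covering `port` sourced from `source_sg_id`."""
    for perm in security_group.get("IpPermissions", []):
        all_traffic = perm.get("IpProtocol") == "-1"
        in_range = all_traffic or (perm.get("FromPort") is not None
                                   and perm["FromPort"] <= port <= perm["ToPort"])
        if in_range and any(pair.get("GroupId") == source_sg_id
                            for pair in perm.get("UserIdGroupPairs", [])):
            return True
    return False


def check_rotation_prereqs(lambda_cfg, route_tables, vpc_endpoints,
                           security_groups, db_sg_id, db_port, region):
    """Return a list of findings; an empty list means every prerequisite is met."""
    findings = []
    vpc = lambda_cfg.get("VpcConfig") or {}
    subnets = vpc.get("SubnetIds", [])
    if not subnets:
        # Outside a VPC the function reaches Secrets Manager directly, but then it can
        # only reach a publicly accessible database, which the answer flags as bad practice.
        findings.append("Lambda is not attached to a VPC; the database would have to be publicly accessible")
        return findings
    for subnet in subnets:
        if not (subnet_has_nat_route(subnet, route_tables)
                or subnet_has_secretsmanager_endpoint(subnet, vpc_endpoints, region)):
            findings.append(f"{subnet}: no NAT route and no Secrets Manager VPC endpoint")
    db_sg = next(g for g in security_groups if g["GroupId"] == db_sg_id)
    for lambda_sg in vpc.get("SecurityGroupIds", []):
        # When Lambda shares the database's group this is the self-referencing rule.
        if not sg_allows_inbound(db_sg, lambda_sg, db_port):
            findings.append(f"{db_sg_id}: no inbound tcp/{db_port} rule from {lambda_sg}")
    return findings


# --- constructed sample data (placeholder identifiers) -----------------------
REGION = "eu-west-1"
LAMBDA_CFG = {"VpcConfig": {"SubnetIds": ["subnet-priv-a", "subnet-priv-b"],
                            "SecurityGroupIds": ["sg-db"]}}
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-priv-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
    {"Associations": [{"SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]
VPC_ENDPOINTS = [{"ServiceName": "com.amazonaws.eu-west-1.secretsmanager",
                  "SubnetIds": ["subnet-priv-b"]}]
# Database group that only admits a CIDR, so the Lambda ENI (same group) is refused.
SG_BROKEN = [{"GroupId": "sg-db", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "UserIdGroupPairs": []}]}]
# Same group after adding the self-referencing rule the answer recommends.
SG_FIXED = [{"GroupId": "sg-db", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-db"}]}]}]
VERSIONS = {"Versions": [{"VersionId": "v-prev", "VersionStages": ["AWSPREVIOUS"]},
                         {"VersionId": "v-cur", "VersionStages": ["AWSCURRENT"]}]}

if __name__ == "__main__":
    print("stuck AWSPENDING versions:", pending_versions(VERSIONS))
    for label, groups in (("broken", SG_BROKEN), ("fixed", SG_FIXED)):
        print(label, check_rotation_prereqs(LAMBDA_CFG, ROUTE_TABLES, VPC_ENDPOINTS,
                                            groups, "sg-db", 5432, REGION))
```

Feed it the JSON from the CLI commands named above and an empty findings list means the network side is in order; if rotation still fails, a remaining AWSPENDING version points back at the forum thread the question links.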
