
AWS Secrets Manager rotation for RDS credentials

It's my understanding that Secrets Manager can automatically rotate the password for an RDS database. When this occurs, is there a race condition for long running processes using the old secret?

I can't find documentation describing this race condition, but I would imagine a process running right before key rotation and using the old secret wouldn't be able to hit the database until it re-fetches the newest secret. Is this true?

According to the comments in Rotate Amazon RDS database credentials automatically with AWS Secrets Manager | AWS Security Blog, on RDS and secrets rotation:

Databases authenticate when a connection is established. As a result, open connections are not impacted by rotations performed by Secrets Manager.

So, your process for connecting to RDS should always be:

  1. get secrets from Secret Manager
  2. create DB connection

I suppose there is a tiny window there between 1 and 2, so for reliability you might want to write this with an exception/error handler so that it can re-fetch the secrets and retry the connection one time if you see a transient authentication failure.
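The fetch-then-connect sequence with the single re-fetch retry described in the answer above, as an added example that is not part of the original question or answer. The Secrets Manager client and the RDS database are constructed stand-ins (the real calls would be boto3's `get_secret_value(SecretId=...)` and your database driver's connect), and `rotate_on_next_connect` is a hypothetical hook that simulates a rotation landing between step 1 and step 2.

```python
import json

class AuthenticationError(Exception):
    """Raised by the simulated driver when the database rejects the credentials."""

class FakeSecretsManager:
    """Constructed stand-in for boto3's secretsmanager client; same response shape."""
    def __init__(self, secret_id, password):
        self.secret_id, self.password = secret_id, password
    def get_secret_value(self, SecretId):
        if SecretId != self.secret_id:
            raise KeyError(SecretId)
        return {"SecretString": json.dumps({"username": "app", "password": self.password})}

class FakeRdsDatabase:
    """Constructed stand-in for RDS: checks the password only when a connection is opened."""
    def __init__(self, sm, password):
        self.sm, self.password, self.attempts = sm, password, 0
        self.rotate_on_next_connect = None   # set to a new password to simulate the race
    def connect(self, username, password):
        self.attempts += 1
        if self.rotate_on_next_connect:      # rotation lands between step 1 and step 2
            self.password = self.sm.password = self.rotate_on_next_connect
            self.rotate_on_next_connect = None
        if password != self.password:
            raise AuthenticationError(f"password authentication failed for user {username!r}")
        return {"user": username, "open": True}  # open connections survive later rotations

def fetch_credentials(sm, secret_id):
    """Step 1: always read the current secret value, never a copy cached from startup."""
    return json.loads(sm.get_secret_value(SecretId=secret_id)["SecretString"])

def connect_once(sm, db, secret_id):
    """Steps 1 and 2 with no retry: fails if a rotation lands in between."""
    creds = fetch_credentials(sm, secret_id)
    return db.connect(creds["username"], creds["password"])

def connect_with_refetch(sm, db, secret_id):
    """Steps 1 and 2 plus one retry: on an auth failure, re-fetch the secret and reconnect once."""
    try:
        return connect_once(sm, db, secret_id)
    except AuthenticationError:
        return connect_once(sm, db, secret_id)   # second attempt reads the rotated secret

if __name__ == "__main__":
    sm = FakeSecretsManager("prod/app/rds", "old-pw")
    db = FakeRdsDatabase(sm, "old-pw")
    db.rotate_on_next_connect = "new-pw"
    print(connect_with_refetch(sm, db, "prod/app/rds"), "after", db.attempts, "attempts")
```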
