AWS Secrets Manager rotation for RDS credentials
It's my understanding that Secrets Manager can automatically rotate the password for an RDS database. When this occurs, is there a race condition for long-running processes using the old secret?

I can't find documentation describing this race condition, but I would imagine a process running right before key rotation and using the old secret wouldn't be able to hit the database until it re-fetches the newest secret. Is this true?
According to the comments in Rotate Amazon RDS database credentials automatically with AWS Secrets Manager | AWS Security Blog, on RDS and secrets rotation:

Databases authenticate when a connection is established. As a result, open connections are not impacted by rotations performed by Secrets Manager.
So, your process for connecting to RDS should always be:

I suppose there is a tiny window there between 1 and 2, so for reliability you might want to write this with an exception/error handler so that it can re-fetch the secrets and retry the connection one time if you see a transient authentication failure.
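The fetch-then-connect flow with a single re-fetch on a transient authentication failure, as an added example that is not part of the answer above. It is plain Python with the Secrets Manager lookup and the database connect injected as callables, and a constructed fake environment that rotates the password right after the secret is fetched, reproducing the window the answer describes; the names `connect_with_refetch`, `TransientAuthError` and `FakeRotatingEnvironment` are assumptions for this illustration.

```python
import json
from typing import Any, Callable


class TransientAuthError(Exception):
    """Raised by connect() when the database rejects the credentials."""


def connect_with_refetch(fetch_secret: Callable[[], dict],
                         connect: Callable[[str, str], Any],
                         max_refetch: int = 1) -> Any:
    """Fetch the current secret, open a connection, and on an authentication
    failure re-fetch the secret once and retry. Open connections are not
    affected by rotation, so only the connect step needs this guard.

    In a real service fetch_secret would be something like:
        json.loads(boto3.client("secretsmanager")
                   .get_secret_value(SecretId=secret_id)["SecretString"])
    """
    refetches = 0
    while True:
        secret = fetch_secret()                     # step 1: read latest secret
        try:
            return connect(secret["username"], secret["password"])  # step 2
        except TransientAuthError:
            if refetches >= max_refetch:            # give up after one retry
                raise
            refetches += 1                          # rotation hit the window


class FakeRotatingEnvironment:
    """Constructed stand-in for Secrets Manager plus RDS (not a real client)."""

    def __init__(self) -> None:
        self.db_password = "pw-v1"          # password the database accepts
        self.secret_password = "pw-v1"      # password stored in the secret
        self.fetch_count = 0
        self.rotate_after_fetch = False     # simulate rotation in the window

    def fetch_secret(self) -> dict:
        self.fetch_count += 1
        secret = {"username": "app", "password": self.secret_password}
        if self.rotate_after_fetch:         # rotation lands after the read
            self.secret_password = self.db_password = "pw-v2"
            self.rotate_after_fetch = False
        return secret

    def connect(self, username: str, password: str) -> str:
        if password != self.db_password:
            raise TransientAuthError("authentication failed")
        return f"conn({username}:{password})"


def demo(rotate_mid_connect: bool) -> tuple:
    """Return (connection, number of secret fetches) for one scenario."""
    env = FakeRotatingEnvironment()
    env.rotate_after_fetch = rotate_mid_connect
    return connect_with_refetch(env.fetch_secret, env.connect), env.fetch_count
```

With no rotation the connection succeeds on the first fetch; when rotation lands between the fetch and the connect, the first attempt fails, the secret is fetched a second time and the retry connects with the new password.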