
How to generate SSH private key using AWS secret manager rotation for custom lambda function

I've integrated AWS Secrets Manager (ASM) for rotating SSH private keys. Everything works fine. I'm able to SSH into my Linux instance using the secret key value retrieved by the get-secret-value command.

Also, I've created a custom lambda function in Ruby for rotating my secret (SSH key), as below.

require 'json'
require 'aws-sdk-secretsmanager'
require 'base64'

REGION = 'my-region' # placeholder, set to the region of the secret

def lambda_handler(event:, context:)
    # Secrets Manager invokes the rotation function with the secret ARN,
    # the version token for this rotation and the step to perform.
    arn   = event['SecretId']
    token = event['ClientRequestToken']
    step  = event['Step']

    client = Aws::SecretsManager::Client.new(region: REGION)

    metadata = client.describe_secret(secret_id: arn)
    versions = metadata[:version_ids_to_stages] # version id => staging labels (AWSCURRENT, AWSPENDING, ...)

    if metadata[:rotation_enabled] == false
        raise "Secret %s is not enabled for rotation" % arn
    end

    # set_secret, test_secret and finish_secret are not shown here
    if step == "createSecret"
        create_secret(client, arn, token)

    elsif step == "setSecret"
        set_secret(client, arn, token)

    elsif step == "testSecret"
        test_secret(client, arn, token)

    elsif step == "finishSecret"
        finish_secret(client, arn, token)

    else
        raise ArgumentError, "Invalid step parameter: %s" % step
    end

    { statusCode: 200, body: JSON.generate('Hello from Lambda!') }
end


def create_secret(client, arn, token)
    # Make sure the current secret exists; this raises if it does not.
    client.get_secret_value(secret_id: arn, version_stage: "AWSCURRENT")

    begin
        # If this token already has an AWSPENDING version, an earlier invocation created it.
        client.get_secret_value(secret_id: arn, version_id: token, version_stage: "AWSPENDING")
        puts "createSecret: Successfully retrieved secret for %s." % arn
    rescue Aws::SecretsManager::Errors::ResourceNotFoundException
        puts "Not found secret with label AWSPENDING"

        # Here I want to generate a new SSH key and encode it.
        # For database password rotation `client.get_random_password(password_length: "desired length", exclude_characters: "ExcludeCharactersType")` is available,
        # but for SSH I'm unable to find the generate method.

    end
end

If anyone has an idea about how to generate a new SSH private key inside the create_secret method, then please guide me. Thanks in advance.

Your lambda function implementation is incomplete and is missing some of the steps described here. You need to use the generic template, written in Python, and adapt it for Ruby.

In create_secret you generate the key:

  • If you need an EC2 key pair, see this example.
  • If you need to generate a public/private key pair, sample code is available here.

In set_secret you need to update the SSH key on your Linux instances. Before changing your SSH configuration, you need to test that the new key works.

In the optional test_secret step, you test whether you can use the secret to connect.

In finish_secret you label the new secret as the current one.
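As an added example (not code from the question or the answer above), the following Ruby puts the createSecret and finishSecret steps of that template together with an RSA SSH key pair generated by Ruby's bundled OpenSSL, since Secrets Manager has no get_random_password equivalent for keys. It assumes the secret is a JSON document with "username", "host", "private_key" and "public_key" fields (the question does not show the secret's shape), and FakeSecretsManager is a constructed in-memory stand-in for Aws::SecretsManager::Client so the flow can be exercised offline; in Lambda you pass the real client instead.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'securerandom'

# --- SSH key generation: RFC 4253 "ssh-rsa" public key encoding --------------------
def ssh_string(bytes)                     # SSH wire "string": 4-byte big-endian length + bytes
  [bytes.bytesize].pack('N') + bytes
end

def ssh_mpint(bn)                         # SSH wire "mpint" for a positive OpenSSL::BN
  bytes = bn.to_s(2)                      # big-endian magnitude
  bytes = "\x00".b + bytes if bytes.getbyte(0) >= 0x80  # pad so it is not read as negative
  ssh_string(bytes)
end

# Returns [private_key_pem, authorized_keys_line]. ssh(1) reads the PEM directly;
# the authorized_keys line is what setSecret would append on the target host.
def generate_ssh_keypair(bits: 3072, comment: 'rotated-by-secrets-manager')
  rsa  = OpenSSL::PKey::RSA.generate(bits)
  blob = ssh_string('ssh-rsa') + ssh_mpint(rsa.e) + ssh_mpint(rsa.n)
  [rsa.to_pem, "ssh-rsa #{Base64.strict_encode64(blob)} #{comment}"]
end

# Pre-flight check for setSecret: parse the authorized_keys line back and confirm it
# belongs to the private key stored beside it, so a mismatched secret is never installed.
def keypair_consistent?(private_pem, public_line)
  type, b64, = public_line.split(' ', 3)
  return false unless type == 'ssh-rsa' && b64
  blob, fields = Base64.strict_decode64(b64), []
  while blob && blob.bytesize >= 4
    len = blob.unpack1('N')
    fields << blob.byteslice(4, len)
    blob = blob.byteslice(4 + len, blob.bytesize)  # nil if a length overruns the blob
  end
  return false unless blob == '' && fields.size == 3
  rsa = OpenSSL::PKey::RSA.new(private_pem)
  fields[0] == 'ssh-rsa' && OpenSSL::BN.new(fields[1], 2) == rsa.e && OpenSSL::BN.new(fields[2], 2) == rsa.n
end

# --- Rotation steps ------------------------------------------------------------------
# `client` is anything that speaks the Secrets Manager API (Aws::SecretsManager::Client in
# Lambda, FakeSecretsManager below offline). Secret layout (assumed): JSON with
# "username", "host", "private_key", "public_key".
def create_secret(client, arn, token)
  current = JSON.parse(client.get_secret_value(secret_id: arn, version_stage: 'AWSCURRENT').secret_string)
  # Retried invocation: a version for this token already exists, so do not mint a second key.
  return :pending_exists if client.describe_secret(secret_id: arn).version_ids_to_stages.key?(token)

  pem, line = generate_ssh_keypair(comment: "#{current['username']}@#{current['host']}")
  client.put_secret_value(secret_id: arn, client_request_token: token, version_stages: ['AWSPENDING'],
                          secret_string: JSON.generate(current.merge('private_key' => pem, 'public_key' => line)))
  :created
end

# Promote the AWSPENDING version to AWSCURRENT; the old version loses AWSCURRENT in the same call.
def finish_secret(client, arn, token)
  stages = client.describe_secret(secret_id: arn).version_ids_to_stages
  current_id, = stages.find { |_, labels| labels.include?('AWSCURRENT') }
  return :already_current if current_id == token
  client.update_secret_version_stage(secret_id: arn, version_stage: 'AWSCURRENT',
                                     move_to_version_id: token, remove_from_version_id: current_id)
  :promoted
end

# Constructed in-memory stand-in so the flow runs offline; it models only the four calls
# used above (no AWSPREVIOUS bookkeeping, no SDK error classes).
class FakeSecretsManager
  Resp = Struct.new(:secret_string, :version_ids_to_stages, keyword_init: true)

  def initialize(current_secret_string)
    @versions = { 'v0' => [current_secret_string, ['AWSCURRENT']] }  # id => [string, labels]
  end

  def describe_secret(secret_id:)
    Resp.new(version_ids_to_stages: @versions.transform_values { |_, labels| labels.dup })
  end

  def get_secret_value(secret_id:, version_stage: nil, version_id: nil)
    _, (secret, _) = @versions.find do |id, (_, labels)|
      (version_id.nil? || id == version_id) && (version_stage.nil? || labels.include?(version_stage))
    end
    raise KeyError, "#{secret_id}: no version with stage #{version_stage}" unless secret
    Resp.new(secret_string: secret)
  end

  def put_secret_value(secret_id:, client_request_token:, secret_string:, version_stages:)
    @versions[client_request_token] = [secret_string, version_stages.dup]
  end

  def update_secret_version_stage(secret_id:, version_stage:, move_to_version_id:, remove_from_version_id:)
    @versions[remove_from_version_id][1].delete(version_stage)
    @versions[move_to_version_id][1] << version_stage
  end
end

# Drive createSecret (twice, to show the retry is idempotent) and finishSecret against
# the fake with a constructed starting secret; returns the promoted secret and the labels.
def rotate_offline(arn = 'my-ssh-secret')
  client = FakeSecretsManager.new(JSON.generate('username' => 'ec2-user', 'host' => '10.0.0.5',
                                                'private_key' => 'OLD', 'public_key' => 'OLD'))
  token  = SecureRandom.uuid
  steps  = [create_secret(client, arn, token), create_secret(client, arn, token), finish_secret(client, arn, token)]
  secret = JSON.parse(client.get_secret_value(secret_id: arn, version_stage: 'AWSCURRENT').secret_string)
  { steps: steps, secret: secret, stages: client.describe_secret(secret_id: arn).version_ids_to_stages }
end
```

The setSecret step the answer describes is the piece a real deployment must add: it reads the AWSPENDING version, runs keypair_consistent? on it, and appends the public_key line to the user's authorized_keys on each host over the still-working AWSCURRENT key; testSecret then connects with the pending private key before finish_secret relabels it. Generating the key inside the Lambda means the private half never exists anywhere but the secret version, which is the point of letting Secrets Manager drive the rotation.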
