
AWS Secrets Manager rotation for RDS credentials

It's my understanding that Secrets Manager can automatically rotate the password for an RDS database. When this occurs, is there a race condition for long running processes using the old secret?

I can't find documentation describing this race condition, but I would imagine a process running right before key rotation and using the old secret wouldn't be able to hit the database until it re-fetches the newest secret. Is this true?

According to the comments in Rotate Amazon RDS database credentials automatically with AWS Secrets Manager | AWS Security Blog, on RDS and secrets rotation:

Databases authenticate when a connection is established. As a result, open connections are not impacted by rotations performed by Secrets Manager.

So, your process for connecting to RDS should always be:

  1. get secrets from Secrets Manager
  2. create DB connection

I suppose there is a tiny window there between 1 and 2, so for reliability you might want to write this with an exception/error handler so that it can re-fetch the secrets and retry the connection one time if you see a transient authentication failure.
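The fetch-then-connect sequence with the one-shot re-fetch the answer suggests, as an added example that is not part of the original answer. The SimulatedRotation class is a constructed stand-in for Secrets Manager and the RDS instance (the hostnames, user and passwords in it are made up); it deliberately rotates the password in the window between step 1 and step 2 on the first attempt so the retry path actually runs. The secret JSON keys (engine, host, port, dbname, username, password) follow the layout Secrets Manager uses for RDS secrets. secrets_manager_fetcher shows how the real boto3 call would plug in; it is assumed wiring, needs AWS credentials, and is never called by the demo.

```python
"""Fetch the current secret, connect, and re-fetch once on an auth failure."""
import json
from dataclasses import dataclass
from typing import Any, Callable, Dict


class AuthenticationError(Exception):
    """The database rejected the supplied credentials at connect time."""


@dataclass
class Connection:
    """Stand-in for a DB-API connection: authenticated once, at connect time."""
    user: str
    is_open: bool = True

    def query(self, sql: str) -> str:
        # No password is re-checked here, which is why an already-open
        # session keeps working after Secrets Manager rotates the password.
        assert self.is_open
        return f"ok: {sql}"


def connect_with_refresh(
    fetch_secret: Callable[[], str],
    connect: Callable[[Dict[str, Any]], Connection],
    retries: int = 1,
) -> Connection:
    """Step 1: fetch the current secret. Step 2: connect with it.
    If the DB rejects the credentials (a rotation landed between the two
    steps), re-fetch and retry at most `retries` times. Any other error
    propagates unchanged; only authentication failures trigger a re-fetch."""
    for attempt in range(retries + 1):
        creds = json.loads(fetch_secret())      # step 1
        try:
            return connect(creds)               # step 2
        except AuthenticationError:
            if attempt == retries:
                raise
    raise AssertionError("unreachable")


def secrets_manager_fetcher(secret_id: str, region_name: str) -> Callable[[], str]:
    """Real fetcher for production (assumed wiring: requires boto3 and AWS
    credentials; the demo below never calls it)."""
    def fetch() -> str:
        import boto3  # imported lazily so the module runs without boto3
        client = boto3.client("secretsmanager", region_name=region_name)
        return client.get_secret_value(SecretId=secret_id)["SecretString"]
    return fetch


class SimulatedRotation:
    """Constructed stand-in for Secrets Manager plus the RDS instance.
    Rotation is modelled as: new password set on the database first, then
    the secret's current value moves to the new password."""

    def __init__(self, username: str, old_password: str, new_password: str,
                 rotate_between_fetch_and_connect: bool = True) -> None:
        # Key names follow the JSON layout Secrets Manager uses for RDS secrets.
        self.current_secret = {
            "engine": "mysql", "host": "db.example.internal", "port": 3306,
            "dbname": "app", "username": username, "password": old_password,
        }
        self.db_password = old_password
        self.new_password = new_password
        self.rotate_between_fetch_and_connect = rotate_between_fetch_and_connect
        self.connect_calls = 0

    def get_secret_value(self) -> str:
        return json.dumps(self.current_secret)

    def rotate(self) -> None:
        self.db_password = self.new_password
        self.current_secret = dict(self.current_secret, password=self.new_password)

    def connect(self, creds: Dict[str, Any]) -> Connection:
        self.connect_calls += 1
        if self.rotate_between_fetch_and_connect and self.connect_calls == 1:
            self.rotate()  # rotation lands in the window after step 1
        if creds["password"] != self.db_password:
            raise AuthenticationError(f"access denied for user {creds['username']!r}")
        return Connection(user=creds["username"])


def demo() -> Dict[str, Any]:
    """Exercise both paths: retry succeeds, and retries=0 surfaces the failure."""
    env = SimulatedRotation("app_user", "old-pw", "new-pw")
    conn = connect_with_refresh(env.get_secret_value, env.connect)
    env.rotate()  # a later rotation: the open session is unaffected
    result = {
        "connect_calls": env.connect_calls,              # 2: one failure, one success
        "query_after_rotation": conn.query("SELECT 1"),  # still works
    }
    strict = SimulatedRotation("app_user", "old-pw", "new-pw")
    try:
        connect_with_refresh(strict.get_secret_value, strict.connect, retries=0)
        result["no_retry_failed"] = False
    except AuthenticationError:
        result["no_retry_failed"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Keeping the retry to one re-fetch matters: a second consecutive authentication failure means the freshly fetched secret itself is wrong (or the rotation is mid-flight in an unexpected state), and looping on it would only hide that while hammering the database with bad logins.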
