I already have a secret created by cloudformation template with the following key/value format:
JavaScript
x
10
10
1
UserPassword:2
Type: AWS::SecretsManager::Secret3
Properties:4
Name: mysecret5
GenerateSecretString:6
SecretStringTemplate: '{"username": "test-user"}'7
GenerateStringKey: "password"8
PasswordLength: 169
ExcludeCharacters: '"@/'10
And i’ve created a rotation lambda, but when i rotate the secret i get only plain text format without key/value pair as the following error: The secret value can’t be converted to key name and value pairs.
here’s my lambda code:
JavaScript
1
104
104
1
import boto32
import logging3
import os4
5
logger = logging.getLogger()6
logger.setLevel(logging.INFO)7
8
9
def lambda_handler(event, context):10
11
arn = event['SecretId'] 12
token = event['ClientRequestToken']13
step = event['Step']14
15
# Setup the client16
service_client = boto3.client('secretsmanager')17
18
19
metadata = service_client.describe_secret(SecretId=arn)20
print(metadata)21
22
23
if not metadata['RotationEnabled']:24
logger.error("Secret %s is not enabled for rotation" % arn)25
raise ValueError("Secret %s is not enabled for rotation" % arn)26
27
28
versions = metadata['VersionIdsToStages']29
30
if token not in versions:31
logger.error("Secret version %s has no stage for rotation of secret %s." % (token, arn))32
raise ValueError("Secret version %s has no stage for rotation of secret %s." % (token, arn))33
34
35
if "AWSCURRENT" in versions[token]:36
logger.info("Secret version %s already set as AWSCURRENT for secret %s." % (token, arn))37
return38
elif "AWSPENDING" not in versions[token]:39
logger.error("Secret version %s not set as AWSPENDING for rotation of secret %s." % (token, arn))40
raise ValueError("Secret version %s not set as AWSPENDING for rotation of secret %s." % (token, arn))41
42
43
if step == "createSecret":44
create_secret(service_client, arn, token)45
46
elif step == "setSecret":47
set_secret(service_client, arn, token)48
49
elif step == "testSecret":50
test_secret(service_client, arn, token)51
52
elif step == "finishSecret":53
finish_secret(service_client, arn, token)54
55
else:56
raise ValueError("Invalid step parameter")57
58
59
def create_secret(service_client, arn, token):60
61
# Make sure the current secret exists62
service_client.get_secret_value(SecretId=arn, VersionStage="AWSCURRENT")63
64
# Now try to get the secret version, if that fails, put a new secret65
try:66
service_client.get_secret_value(SecretId=arn, VersionId=token, VersionStage="AWSPENDING")67
68
logger.info("createSecret: Successfully retrieved secret for %s." % arn)69
except service_client.exceptions.ResourceNotFoundException:70
# Get exclude characters from environment variable71
exclude_characters = os.environ['EXCLUDE_CHARACTERS'] if 'EXCLUDE_CHARACTERS' in os.environ else '/@"'\'72
# Generate a random password73
passwd = service_client.get_random_password(ExcludeCharacters=exclude_characters)74
75
# Put the secret76
service_client.put_secret_value(SecretId=arn, ClientRequestToken=token, SecretString=passwd['RandomPassword'], VersionStages=['AWSPENDING'])77
logger.info("createSecret: Successfully put secret for ARN %s and version %s." % (arn, token))78
79
80
def set_secret(service_client, arn, token):81
pass82
83
def test_secret(service_client, arn, token):84
pass85
86
87
def finish_secret(service_client, arn, token):88
# First describe the secret to get the current version89
metadata = service_client.describe_secret(SecretId=arn)90
current_version = None91
for version in metadata["VersionIdsToStages"]:92
print(version)93
if "AWSCURRENT" in metadata["VersionIdsToStages"][version]:94
if version == token:95
# The correct version is already marked as current, return96
logger.info("finishSecret: Version %s already marked as AWSCURRENT for %s" % (version, arn))97
return98
current_version = version99
break100
101
#Finalize by staging the secret version current102
service_client.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT", MoveToVersionId=token, RemoveFromVersionId=current_version)103
logger.info("finishSecret: Successfully set AWSCURRENT stage to version %s for secret %s." % (token, arn))104
Advertisement
Answer
You will need to update the default rotation template so that it generates the new secret in the same format which you have specified in your cloudformation template. By default, the rotation lambda just creates a new secret string and populates only that value. If you add the following lines to the rotation lambda function, your newly rotated secret will be in a JSON format that allows the Web UI to parse it into name/value pairs.
You will need to add import json at the top of your script, and then modify the create_secret function as shown below:
JavaScript
1
22
22
1
def create_secret(service_client, arn, token):2
3
# Make sure the current secret exists4
service_client.get_secret_value(SecretId=arn, VersionStage="AWSCURRENT")5
6
# Now try to get the secret version, if that fails, put a new secret7
try:8
service_client.get_secret_value(SecretId=arn, VersionId=token, VersionStage="AWSPENDING")9
10
logger.info("createSecret: Successfully retrieved secret for %s." % arn)11
except service_client.exceptions.ResourceNotFoundException:12
# Get exclude characters from environment variable13
exclude_characters = os.environ['EXCLUDE_CHARACTERS'] if 'EXCLUDE_CHARACTERS' in os.environ else '/@"'\'14
# Generate a random password15
passwd = service_client.get_random_password(ExcludeCharacters=exclude_characters)16
# Create a username/password JSON object to pass to secrets manager17
generated_passwd = passwd['RandomPassword']18
secret_template = {"password": generated_passwd,"username": "test-user"}19
# Put the secret20
service_client.put_secret_value(SecretId=arn, ClientRequestToken=token, SecretString=json.dumps(secret_template), VersionStages=['AWSPENDING'])21
logger.info("createSecret: Successfully put secret for ARN %s and version %s." % (arn, token))22