This is the new Amazon CloudFormation Template Reference Guide. Please update your bookmarks and links. For help getting started with CloudFormation, see the Amazon CloudFormation User Guide.
AWS::SecretsManager::RotationSchedule HostedRotationLambda
Creates a new Lambda rotation function based on one of the Secrets Manager rotation function templates.
You must specify Transform:
AWS::SecretsManager-2024-09-16 at the beginning of the CloudFormation
template.
For Amazon RDS master user credentials, see AWS::RDS::DBCluster MasterUserSecret.
For Amazon Redshift admin user credentials, see AWS::Redshift::Cluster.
Syntax
To declare this entity in your Amazon CloudFormation template, use the following syntax:
JSON
{ "ExcludeCharacters" :String, "KmsKeyArn" :String, "MasterSecretArn" :String, "MasterSecretKmsKeyArn" :String, "RotationLambdaName" :String, "RotationType" :String, "Runtime" :String, "SuperuserSecretArn" :String, "SuperuserSecretKmsKeyArn" :String, "VpcSecurityGroupIds" :String, "VpcSubnetIds" :String}
YAML
ExcludeCharacters:StringKmsKeyArn:StringMasterSecretArn:StringMasterSecretKmsKeyArn:StringRotationLambdaName:StringRotationType:StringRuntime:StringSuperuserSecretArn:StringSuperuserSecretKmsKeyArn:StringVpcSecurityGroupIds:StringVpcSubnetIds:String
Properties
ExcludeCharacters-
A string of the characters that you don't want in the password.
Required: No
Type: String
Update requires: No interruption
KmsKeyArn-
The ARN of the KMS key that Secrets Manager uses to encrypt the secret. If you don't specify this value, then Secrets Manager uses the key
aws/secretsmanager. Ifaws/secretsmanagerdoesn't yet exist, then Secrets Manager creates it for you automatically the first time it encrypts the secret value.Required: No
Type: String
Update requires: No interruption
MasterSecretArn-
The ARN of the secret that contains superuser credentials, if you use the Alternating users rotation strategy. CloudFormation grants the execution role for the Lambda rotation function
GetSecretValuepermission to the secret in this property. For more information, see Lambda rotation function execution role permissions for Secrets Manager.You must create the superuser secret before you can set this property.
You must also include the superuser secret ARN as a key in the JSON of the rotating secret so that the Lambda rotation function can find it. CloudFormation does not hardcode secret ARNs in the Lambda rotation function, so you can use the function to rotate multiple secrets. For more information, see JSON structure of Secrets Manager secrets.
You can specify
MasterSecretArnorSuperuserSecretArnbut not both. They represent the same superuser secret.Required: No
Type: String
Update requires: No interruption
MasterSecretKmsKeyArn-
The ARN of the KMS key that Secrets Manager used to encrypt the superuser secret, if you use the alternating users strategy and the superuser secret is encrypted with a customer managed key. You don't need to specify this property if the superuser secret is encrypted using the key
aws/secretsmanager. CloudFormation grants the execution role for the Lambda rotation functionDecrypt,DescribeKey, andGenerateDataKeypermission to the key in this property. For more information, see Lambda rotation function execution role permissions for Secrets Manager.You can specify
MasterSecretKmsKeyArnorSuperuserSecretKmsKeyArnbut not both. They represent the same superuser secret KMS key.Required: No
Type: String
Update requires: No interruption
RotationLambdaName-
The name of the Lambda rotation function.
Required: No
Type: String
Update requires: No interruption
RotationType-
The rotation template to base the rotation function on, one of the following:
-
Db2SingleUserto use the template SecretsManagerRDSDb2RotationSingleUser. -
Db2MultiUserto use the template SecretsManagerRDSDb2RotationMultiUser. -
MySQLSingleUserto use the template SecretsManagerRDSMySQLRotationSingleUser. -
MySQLMultiUserto use the template SecretsManagerRDSMySQLRotationMultiUser. -
PostgreSQLSingleUserto use the template SecretsManagerRDSPostgreSQLRotationSingleUser -
PostgreSQLMultiUserto use the template SecretsManagerRDSPostgreSQLRotationMultiUser. -
OracleSingleUserto use the template SecretsManagerRDSOracleRotationSingleUser. -
OracleMultiUserto use the template SecretsManagerRDSOracleRotationMultiUser. -
MariaDBSingleUserto use the template SecretsManagerRDSMariaDBRotationSingleUser. -
MariaDBMultiUserto use the template SecretsManagerRDSMariaDBRotationMultiUser. -
SQLServerSingleUserto use the template SecretsManagerRDSSQLServerRotationSingleUser. -
SQLServerMultiUserto use the template SecretsManagerRDSSQLServerRotationMultiUser. -
RedshiftSingleUserto use the template SecretsManagerRedshiftRotationSingleUsr. -
RedshiftMultiUserto use the template SecretsManagerRedshiftRotationMultiUser. -
MongoDBSingleUserto use the template SecretsManagerMongoDBRotationSingleUser. -
MongoDBMultiUserto use the template SecretsManagerMongoDBRotationMultiUser.
Required: Yes
Type: String
Update requires: No interruption
-
Runtime-
Important
Do not set this value if you are using
Transform: AWS::SecretsManager-2024-09-16. Over time, the updated rotation lambda artifacts vended by Amazon may not be compatible with the code or shared object files defined in the rotation function deployment package.Only define the
Runtimekey if:-
You are using
Transform: AWS::SecretsManager-2020-07-23. -
The code or shared object files defined in the rotation function deployment package are incompatible with Python 3.9.
The Python Runtime version for with the rotation function. By default, CloudFormation deploys Python 3.9 binaries for the rotation function. To use a different version of Python, you must do the following two steps:
-
Deploy the matching version Python binaries with your rotation function.
-
Set the version number in this field. For example, for Python 3.7, enter python3.7.
If you only do one of the steps, your rotation function will be incompatible with the binaries. For more information, see Why did my Lambda rotation function fail with a "pg module not found" error
. Required: No
Type: String
Update requires: No interruption
-
SuperuserSecretArn-
The ARN of the secret that contains superuser credentials, if you use the Alternating users rotation strategy. CloudFormation grants the execution role for the Lambda rotation function
GetSecretValuepermission to the secret in this property. For more information, see Lambda rotation function execution role permissions for Secrets Manager.You must create the superuser secret before you can set this property.
You must also include the superuser secret ARN as a key in the JSON of the rotating secret so that the Lambda rotation function can find it. CloudFormation does not hardcode secret ARNs in the Lambda rotation function, so you can use the function to rotate multiple secrets. For more information, see JSON structure of Secrets Manager secrets.
You can specify
MasterSecretArnorSuperuserSecretArnbut not both. They represent the same superuser secret.Required: No
Type: String
Update requires: No interruption
SuperuserSecretKmsKeyArn-
The ARN of the KMS key that Secrets Manager used to encrypt the superuser secret, if you use the alternating users strategy and the superuser secret is encrypted with a customer managed key. You don't need to specify this property if the superuser secret is encrypted using the key
aws/secretsmanager. CloudFormation grants the execution role for the Lambda rotation functionDecrypt,DescribeKey, andGenerateDataKeypermission to the key in this property. For more information, see Lambda rotation function execution role permissions for Secrets Manager.You can specify
MasterSecretKmsKeyArnorSuperuserSecretKmsKeyArnbut not both. They represent the same superuser secret KMS key.Required: No
Type: String
Update requires: No interruption
VpcSecurityGroupIds-
A comma-separated list of security group IDs applied to the target database.
The template applies the same security groups as on the Lambda rotation function that is created as part of this stack.
Required: No
Type: String
Update requires: No interruption
VpcSubnetIds-
A comma separated list of VPC subnet IDs of the target database network. The Lambda rotation function is in the same subnet group.
Required: No
Type: String
Update requires: No interruption