Rotation by Lambda function - Amazon Secrets Manager

Rotation by Lambda function

For many types of secrets, Secrets Manager uses an Amazon Lambda function to update the secret and the database or service. For information about the costs of using a Lambda function, see Pricing.

Some secrets instead use managed rotation, in which the managing service rotates the secret rather than a Lambda function you own. To use managed rotation, you first create the secret through the managing service.

During rotation, Secrets Manager logs events that indicate the state of rotation. For more information, see Log Amazon Secrets Manager events with Amazon CloudTrail.

To rotate a secret, Secrets Manager calls a Lambda function according to the rotation schedule you set up. If you also manually update your secret value while automatic rotation is set up, then Secrets Manager considers that a valid rotation when it calculates the next rotation date.

During rotation, Secrets Manager calls the same function several times, each time with different parameters. Secrets Manager invokes the function with the following JSON request structure:

    {
      "Step" : "request.type",
      "SecretId" : "string",
      "ClientRequestToken" : "string"
    }

If any rotation step fails, Secrets Manager retries the entire rotation process multiple times.
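The following is an added example, not code from the Secrets Manager documentation or from an AWS-provided rotation template. It shows a Python rotation handler that receives the request structure above and dispatches on Step, with a constructed in-memory stand-in for the Secrets Manager API so it runs offline. The four step names (createSecret, setSecret, testSecret, finishSecret) and the AWSCURRENT/AWSPENDING staging labels are not listed on this page; they are assumed from the Secrets Manager rotation contract. Because Secrets Manager retries the entire rotation when a step fails, every step is written to be safe to re-run with the same ClientRequestToken: a retry must reuse the pending credential rather than mint a second one, and must not move staging labels twice.

```python
import json
import secrets as randsrc  # stdlib CSPRNG for the new credential

# Step values of the Secrets Manager rotation contract. The page shows the field
# only as "request.type"; these names are assumed from that contract, not taken
# from this page.
STEPS = ("createSecret", "setSecret", "testSecret", "finishSecret")

# Constructed placeholders used by the demo; not real identifiers.
DEMO_SECRET_ID = "arn:aws:secretsmanager:us-east-1:123456789012:secret:example"
DEMO_TOKEN = "11111111-2222-3333-4444-555555555555"


class FakeSecretsManager:
    """Constructed in-memory stand-in for the Secrets Manager API so the example
    runs offline. Versions are keyed by version id (the ClientRequestToken) and
    carry staging labels such as AWSCURRENT and AWSPENDING."""

    def __init__(self, current_value):
        self.versions = {"initial": {"value": current_value, "stages": {"AWSCURRENT"}}}

    def version_with_stage(self, stage):
        for vid, v in self.versions.items():
            if stage in v["stages"]:
                return vid
        return None

    def get_secret_value(self, version_id=None, version_stage=None):
        if version_id is not None and version_id in self.versions:
            return self.versions[version_id]["value"]
        if version_stage is not None:
            vid = self.version_with_stage(version_stage)
            if vid is not None:
                return self.versions[vid]["value"]
        raise KeyError("ResourceNotFoundException")

    def put_secret_value(self, token, value, stages):
        self.versions[token] = {"value": value, "stages": set(stages)}

    def update_version_stage(self, stage, move_to, remove_from=None):
        if remove_from is not None:
            self.versions[remove_from]["stages"].discard(stage)
        self.versions[move_to]["stages"].add(stage)


def make_handler(sm, target):
    """Build a Lambda-style handler(event, context) bound to a Secrets Manager
    client and a target service (here a dict standing in for a database user)."""

    def create_secret(token):
        # Retry safety: if an earlier attempt already stored an AWSPENDING version
        # under this token, keep it instead of generating a second credential.
        try:
            sm.get_secret_value(version_id=token)
            return
        except KeyError:
            pass
        sm.put_secret_value(token, randsrc.token_urlsafe(32), ["AWSPENDING"])

    def set_secret(token):
        # Apply the AWSPENDING credential on the target; writing it twice is harmless.
        target["password"] = sm.get_secret_value(version_id=token)

    def test_secret(token):
        # Prove the pending credential works before it is promoted; a failure here
        # makes Secrets Manager retry the whole rotation.
        if target["password"] != sm.get_secret_value(version_id=token):
            raise RuntimeError("AWSPENDING credential rejected by target")

    def finish_secret(token):
        current = sm.version_with_stage("AWSCURRENT")
        if current == token:
            return  # a retry after a successful finish must not move labels again
        sm.update_version_stage("AWSCURRENT", move_to=token, remove_from=current)
        sm.versions[token]["stages"].discard("AWSPENDING")

    dispatch = {"createSecret": create_secret, "setSecret": set_secret,
                "testSecret": test_secret, "finishSecret": finish_secret}

    def handler(event, context):
        # The event carries exactly the three fields shown on the page.
        step, token = event["Step"], event["ClientRequestToken"]
        if step not in dispatch:
            raise ValueError(f"unknown rotation step: {step}")
        dispatch[step](token)
        return {"SecretId": event["SecretId"], "Step": step}

    return handler


def run_rotation(handler, secret_id, token):
    """Invoke the handler once per step, as Secrets Manager does, serialising the
    request structure from the page to JSON and back like a real invocation."""
    for step in STEPS:
        payload = json.dumps({"Step": step, "SecretId": secret_id,
                              "ClientRequestToken": token})
        handler(json.loads(payload), None)


def demo():
    # Constructed sample: a secret whose current value is "old-pw".
    sm = FakeSecretsManager("old-pw")
    target = {"password": "old-pw"}
    handler = make_handler(sm, target)
    run_rotation(handler, DEMO_SECRET_ID, DEMO_TOKEN)
    # Simulate Secrets Manager retrying the entire rotation with the same token.
    run_rotation(handler, DEMO_SECRET_ID, DEMO_TOKEN)
    return sm, target
```

Running `demo()` rotates once and then replays the whole rotation with the same ClientRequestToken; afterwards only two versions exist, AWSCURRENT points at the token's version, no AWSPENDING label remains, and the target holds the same credential as AWSCURRENT. The property worth carrying into a real function is that each step inspects current state before acting, which is what keeps a retried rotation from leaving the secret and the service out of sync.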