Rotation by Lambda function

For many types of secrets, Secrets Manager uses an Amazon Lambda function to update the secret and the database or service. For information about the costs of using a Lambda function, see Pricing.

For some Managed secrets, you use managed rotation. To use Managed rotation, you first create the secret through the managing service.

During rotation, Secrets Manager logs events that indicate the state of rotation. For more information, see Log Amazon Secrets Manager events with Amazon CloudTrail.

To rotate a secret, Secrets Manager calls a Lambda function according to the rotation schedule you set up. If you also manually update your secret value while automatic rotation is set up, then Secrets Manager considers that a valid rotation when it calculates the next rotation date.

During rotation, Secrets Manager calls the same function several times, each time with different parameters. Secrets Manager invokes the function with the following JSON request structure of parameters:


{
    "Step" : "request.type",
    "SecretId" : "string",
    "ClientRequestToken" : "string"
    }

If any rotation step fails, Secrets Manager retries the entire rotation process multiple times.

Topics

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Managed rotation

Automatic rotation for database secrets