A lambda for rotating an RSA key pair stored in AWS Secrets Manager.
If you want to store an RSA key pair in AWS Secrets Manager and have it automatically rotated, this lambda is for you!
You will need:
- awscli with valid credentials
- docker
- make
To deploy:
- git clone https://github.com/brianrower/aws-secrets-manager-rsa-key-rotation-lambda.git
- cd aws-secrets-manager-rsa-key-rotation-lambda
- Edit Makefile.user and fill in values for your region and S3 bucket
- make deploy-lambda
`make deploy-lambda` does the following:
- Uses Docker to pull a Python build environment and build a Lambda package from the code in this repository's `src` directory. The result is a zip file in the `target` directory; that zip is the Lambda package.
- Uses awscli to copy the Lambda package to the S3 bucket named in the LAMBDA_PACKAGE_BUCKET environment variable.
- Uses awscli to create a CloudFormation stack containing an IAM role with the required Secrets Manager policy, and a Lambda function built from the package uploaded in the previous step.
After deploying this Lambda into your environment, connect it to a secret in Secrets Manager. Here's how to do that:
- When creating a new secret in the AWS console and prompted to choose between "Disable automatic rotation" and "Enable automatic rotation", select "Enable automatic rotation".
- Select your desired rotation interval.
- In the "Choose an AWS Lambda function" box, find and select the Lambda that was deployed (search for "secrets-manager-rsa").
- After selecting Next and storing your secret, Secrets Manager immediately invokes the rotation Lambda to create the first RSA key pair.
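What the rotation Lambda is actually asked to do once a secret is wired to it: Secrets Manager invokes it four times per rotation (createSecret, setSecret, testSecret, finishSecret) and each call must be safe to retry. The following is an added example written for this README, not the code in this repository's `src` directory; it assumes the secret value is a JSON document with `private_key` and `public_key` PEM strings, uses the `cryptography` package for key generation, and includes a constructed in-memory stand-in for the boto3 client so the four steps can be exercised offline.

```python
"""Secrets Manager rotation handler that mints a fresh RSA key pair.

Added example for this README, not the repository's own src/ code.
Assumptions: the secret value is JSON with "private_key" and "public_key"
PEM strings; keys come from the `cryptography` package (imported lazily so
the rotation logic below also runs offline against FakeSecretsManager).
"""
import json
import types


def generate_rsa_keypair(bits=2048):
    """Return (private_pem, public_pem): PKCS8 private key, SPKI public key."""
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import rsa
    key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    priv = key.private_bytes(serialization.Encoding.PEM,
                             serialization.PrivateFormat.PKCS8,
                             serialization.NoEncryption()).decode()
    pub = key.public_key().public_bytes(
        serialization.Encoding.PEM,
        serialization.PublicFormat.SubjectPublicKeyInfo).decode()
    return priv, pub


def rotate_secret(event, client, keygen=generate_rsa_keypair):
    """Run one rotation step; Secrets Manager invokes the function once per step."""
    arn, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    meta = client.describe_secret(SecretId=arn)
    if not meta.get("RotationEnabled"):
        raise ValueError(f"secret {arn} is not enabled for rotation")
    stages = meta["VersionIdsToStages"]
    if token not in stages:
        raise ValueError(f"version {token} has no stage for secret {arn}")
    if "AWSCURRENT" in stages[token]:
        return  # retry after a completed rotation: nothing left to do
    if "AWSPENDING" not in stages[token]:
        raise ValueError(f"version {token} is not AWSPENDING for secret {arn}")

    if step == "createSecret":
        try:  # idempotent: a retried invocation must not overwrite a pending key
            client.get_secret_value(SecretId=arn, VersionId=token, VersionStage="AWSPENDING")
            return
        except client.exceptions.ResourceNotFoundException:
            pass
        priv, pub = keygen()
        client.put_secret_value(SecretId=arn, ClientRequestToken=token,
                                SecretString=json.dumps({"private_key": priv, "public_key": pub}),
                                VersionStages=["AWSPENDING"])
    elif step == "setSecret":
        pass  # nothing to push: no downstream service holds this key
    elif step == "testSecret":
        got = client.get_secret_value(SecretId=arn, VersionId=token, VersionStage="AWSPENDING")
        pending = json.loads(got["SecretString"])
        if not pending["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
            raise ValueError("pending private key is not PKCS8 PEM")
        if not pending["public_key"].startswith("-----BEGIN PUBLIC KEY-----"):
            raise ValueError("pending public key is not SPKI PEM")
    elif step == "finishSecret":
        current = next((v for v, s in stages.items() if "AWSCURRENT" in s), None)
        extra = {"RemoveFromVersionId": current} if current else {}
        client.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT",
                                           MoveToVersionId=token, **extra)
    else:
        raise ValueError(f"invalid rotation step {step!r}")


def lambda_handler(event, context):
    import boto3  # assumed available in the Lambda runtime
    rotate_secret(event, boto3.client("secretsmanager"))


class FakeSecretsManager:
    """In-memory stand-in for the boto3 client, constructed so the steps run offline."""
    exceptions = types.SimpleNamespace(
        ResourceNotFoundException=type("ResourceNotFoundException", (Exception,), {}))

    def __init__(self):
        self.versions = {}  # version id -> {"value": str or None, "stages": set}

    def describe_secret(self, SecretId):
        return {"RotationEnabled": True, "VersionIdsToStages":
                {v: sorted(d["stages"]) for v, d in self.versions.items()}}

    def get_secret_value(self, SecretId, VersionId, VersionStage=None):
        d = self.versions.get(VersionId)
        if d is None or d["value"] is None or (VersionStage and VersionStage not in d["stages"]):
            raise self.exceptions.ResourceNotFoundException(VersionId)
        return {"SecretString": d["value"]}

    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        d = self.versions.setdefault(ClientRequestToken, {"value": None, "stages": set()})
        d["value"], d["stages"] = SecretString, d["stages"] | set(VersionStages)

    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId,
                                    RemoveFromVersionId=None):
        if RemoveFromVersionId:
            self.versions[RemoveFromVersionId]["stages"].discard(VersionStage)
        self.versions[MoveToVersionId]["stages"].add(VersionStage)


def demo_rotation(keygen=generate_rsa_keypair):
    """Seed a current version, then drive all four steps for a new version id "v2"."""
    client = FakeSecretsManager()
    old_priv, old_pub = keygen()
    client.versions["v1"] = {"value": json.dumps({"private_key": old_priv, "public_key": old_pub}),
                             "stages": {"AWSCURRENT"}}
    # Secrets Manager attaches AWSPENDING to the new version id before calling createSecret.
    client.versions["v2"] = {"value": None, "stages": {"AWSPENDING"}}
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        rotate_secret({"SecretId": "arn:fake", "ClientRequestToken": "v2", "Step": step},
                      client, keygen)
    return client


def current_public_key(client):
    """Public key PEM of whichever version carries AWSCURRENT."""
    for d in client.versions.values():
        if "AWSCURRENT" in d["stages"]:
            return json.loads(d["value"])["public_key"]
    return None


if __name__ == "__main__":
    print(current_public_key(demo_rotation()))
```

Two operational points follow from the calls above: the function's IAM role needs exactly secretsmanager:DescribeSecret, GetSecretValue, PutSecretValue and UpdateSecretVersionStage, and it should be scoped to the secrets it rotates rather than to `*`; and Secrets Manager itself must be allowed to invoke the function (a resource-based policy on the Lambda for the principal secretsmanager.amazonaws.com), so an access-denied error at rotation time usually points at one of those two policies.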
Using cfn-secret-provider you can create a CloudFormation template that includes this RSA key rotation Lambda together with an AWS Secrets Manager secret that is created and rotated by it. See the demo template for an example.
Suggestions, feature requests, and pull requests are welcome. Feel free to open an issue to get the ball rolling.