AWS Secrets Manager, 'A previous rotation isn’t complete' when rotating secrets

user2599522 · Apr 24, 2018 · Viewed 7k times

I've created a secret and updated it to have a lambda rotation function

My secret looks like

aws secretsmanager list-secret-version-ids --secret-id envir/username
{
    "Versions": [
        {
            "VersionId": "90179cd3-daa1-48e4-9fe5-dde0a4cf22e4",
            "VersionStages": [
                "AWSPREVIOUS"
            ],
            "LastAccessedDate": 1524528000.0,
            "CreatedDate": 1524568488.358
        },
        {
            "VersionId": "60576823-5d98-4360-af53-7e1f909b88d0",
            "VersionStages": [
                "AWSCURRENT"
            ],
            "LastAccessedDate": 1524528000.0,
            "CreatedDate": 1524568827.466
        }
    ],
    "ARN": "arn:aws:secretsmanager:eu-west-1:8282828282828:secret:username-YdgbPA",
    "Name": "envir/username"
}

and when I try to rotate it, I get this error

An error occurred (InvalidRequestException) when calling the RotateSecret operation: A previous rotation isn’t complete. That rotation will be reattempted.

I can rotate the secret without issues if I trigger the Lambda function.

Does anyone have any ideas?

Answer

John Rotenstein · May 31, 2018

Just a note for people in future who might get the same error...

If you are using the AWS Secrets Manager to rotate an Amazon RDS password, the Secrets Manager will automatically create a Lambda function. This function requires:

  • Access to the Internet (to call Secrets Manager), OR a VPC endpoint for the Secrets Manager service in the subnet(s) associated with the Lambda function
  • Access to the RDS instance (to login and change the password)

As such, the following combinations work:

  • Publicly accessible database (bad for security) with a Lambda function that is not attached to a VPC, OR
  • The Lambda function in a private subnet with a NAT Gateway in the public subnet (so the Lambda function can access the Internet) OR an Elastic IP Address attached to the Lambda function's ENI

Also, the Security Group attached to the database needs to permit inbound access from the Lambda function. By default, the Lambda function is assigned the same security group as used by the database, so either:

  • Edit the database security group to permit inbound connections from itself (that is, from Lambda to the database via the same security group), OR
  • Change the security group that is used by the Lambda function to one that is currently permitted to access the database security group
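The two requirements in the answer (the Lambda must reach the Secrets Manager API, and the database security group must admit the Lambda) can be checked mechanically against the relevant API descriptions. The following is an added example, not code from the question, the answer, or AWS; the input dicts are constructed to resemble the shapes of the Lambda `VpcConfig`, EC2 route table, VPC endpoint and security group responses, the field names are assumptions about those shapes, and all sample IDs are made up.

```python
# Added example, not code from the question or answer: a checker that applies the two
# requirements from the answer to a rotation Lambda's network setup. The input dicts
# are constructed to resemble the shapes of lambda GetFunctionConfiguration.VpcConfig,
# ec2 DescribeRouteTables, DescribeVpcEndpoints and DescribeSecurityGroups; the exact
# field names are assumptions, and every sample value below is made up.

def lambda_can_reach_secrets_manager(vpc_config, route_tables, endpoints, region):
    """Requirement 1: not in a VPC, or a Secrets Manager interface endpoint in one of
    the Lambda's subnets, or a 0.0.0.0/0 route to a NAT gateway for those subnets."""
    subnets = set(vpc_config.get("SubnetIds", []))
    if not subnets:
        return True, "Lambda is not attached to a VPC; it reaches the API over the Internet"
    service = "com.amazonaws.%s.secretsmanager" % region
    for ep in endpoints:
        if ep["ServiceName"] == service and subnets & set(ep.get("SubnetIds", [])):
            return True, "VPC endpoint %s serves the Lambda subnets" % ep["VpcEndpointId"]
    for rt in route_tables:
        attached = {a["SubnetId"] for a in rt.get("Associations", []) if "SubnetId" in a}
        for route in rt.get("Routes", []):
            if (attached & subnets and route.get("DestinationCidrBlock") == "0.0.0.0/0"
                    and route.get("NatGatewayId")):
                return True, "default route via %s" % route["NatGatewayId"]
    return False, "no NAT gateway route and no Secrets Manager endpoint for the Lambda subnets"

def db_sg_allows_lambda(db_sg, lambda_sg_id, db_port):
    """Requirement 2: the DB security group must allow inbound TCP on db_port from the
    Lambda's security group (a self-referencing rule when both share one group)."""
    for perm in db_sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        in_range = proto == "-1" or (proto == "tcp" and
                                     perm.get("FromPort", 0) <= db_port <= perm.get("ToPort", 65535))
        if in_range and any(p.get("GroupId") == lambda_sg_id
                            for p in perm.get("UserIdGroupPairs", [])):
            return True
    return False

# Constructed scenario: Lambda shares the DB's security group (the default the answer
# describes) and sits in a private subnet with a NAT route, but the group only admits
# sg-app-000, so requirement 2 fails until a self-referencing rule is added.
VPC_CONFIG = {"SubnetIds": ["subnet-priv-000"], "SecurityGroupIds": ["sg-db-000"]}
ROUTE_TABLES = [{"Associations": [{"SubnetId": "subnet-priv-000"}],
                 "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-000"}]}]
ENDPOINTS = []
DB_SG_BEFORE = {"GroupId": "sg-db-000", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "UserIdGroupPairs": [{"GroupId": "sg-app-000"}]}]}
DB_SG_AFTER = {"GroupId": "sg-db-000", "IpPermissions": DB_SG_BEFORE["IpPermissions"] + [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "UserIdGroupPairs": [{"GroupId": "sg-db-000"}]}]}
```

Feeding the real `describe-*` output for your rotation Lambda's subnets and the database's security group into these two functions tells you which of the answer's two conditions is the one failing.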