0 votes
1.3k views
in Technique by (71.8m points)

amazon web services - How to use new secret created by key rotation from AWS Secrets Manager

I have a Java application using MongoDB (or it could be any service like that). On startup, the app creates a singleton connection to the database. To connect, I get the MongoDB from AWS Secrets Manager... and thus the application runs merrily ever after, communicating with MongoDB.

My question is: What happens when AWS Secrets Manager rotates keys?

  • How does my app come to 'know' that the secret has been rotated?
  • Do I have to synchronize the timing between Secrets Manager and my app?

e.g. rotation is set to 7 days. So I code in my app to refresh every 7 days... not good, as very hard to time precisely.

Another way could be, if my app faces authentication exception, just refresh password and make a new connection and retry app logic.

What is the industry standard?


1 Answer

0 votes
by (71.8m points)

How does my app come to 'know' that the secret has been rotated?

AWS Secrets Manager publishes the CloudTrail event 'RotationSucceeded' when rotation succeeds and the CloudTrail event 'RotationFailed' when rotation fails. You can set up a CloudWatch rule on this CloudTrail event (https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/Create-CloudWatch-Events-CloudTrail-Rule.html) and have an SNS topic or a Lambda function set up as the target for the rule, and execute any logic you want after rotation succeeds.
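The question's fallback idea (refresh the secret and retry once when the database rejects the credentials) sits naturally underneath the event-driven refresh the answer describes: the event tells you rotation happened, the retry covers the window before your handler runs. Below is an added example (not code from the question or answer) of that retry-once pattern with a TTL cache; `SecretCache`, `connect_with_retry`, and the `FakeSecretsManager` stand-in with its constructed `v1`/`v2` passwords are all hypothetical names I introduced so it runs offline without the AWS SDK.

```python
import time
from typing import Callable, Dict, Optional

Secret = Dict[str, str]

class AuthError(Exception):
    """Raised by connect() when the database rejects the credentials."""

class SecretCache:
    """Cache a fetched secret; refresh it on TTL expiry or on demand."""
    def __init__(self, fetch: Callable[[], Secret], ttl_seconds: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch, self._ttl, self._clock = fetch, ttl_seconds, clock
        self._value: Optional[Secret] = None
        self._fetched_at = 0.0
        self.fetch_count = 0  # calls actually made to the secret backend

    def get(self, force_refresh: bool = False) -> Secret:
        expired = self._clock() - self._fetched_at >= self._ttl
        if self._value is None or force_refresh or expired:
            self._value = self._fetch()
            self._fetched_at = self._clock()
            self.fetch_count += 1
        return self._value

def connect_with_retry(cache: SecretCache, connect: Callable[[Secret], object]) -> object:
    """Connect with the cached secret; on AuthError refresh exactly once and retry.
    A second AuthError propagates, so a genuinely bad secret cannot loop forever."""
    try:
        return connect(cache.get())
    except AuthError:
        return connect(cache.get(force_refresh=True))

class FakeSecretsManager:
    """Constructed stand-in for Secrets Manager and the database it protects."""
    def __init__(self) -> None:
        self.current = {"username": "app", "password": "v1"}  # constructed values
    def fetch(self) -> Secret:
        return dict(self.current)
    def rotate(self, new_password: str) -> None:  # rotation happens out of band
        self.current = {"username": "app", "password": new_password}
    def connect(self, secret: Secret) -> str:
        if secret["password"] != self.current["password"]:
            raise AuthError("authentication failed")
        return "conn(" + secret["password"] + ")"

def demo() -> tuple:
    sm = FakeSecretsManager()
    cache = SecretCache(sm.fetch, ttl_seconds=7 * 24 * 3600)
    first = connect_with_retry(cache, sm.connect)   # fetches v1 and connects
    sm.rotate("v2")                                 # Secrets Manager rotates the key
    second = connect_with_retry(cache, sm.connect)  # stale v1 rejected, refresh, v2 works
    return first, second, cache.fetch_count
```

With a real deployment the event-rule handler from the answer would call `cache.get(force_refresh=True)` proactively, and the retry only fires for connections attempted in the gap.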

