{"id":51146341,"url":"https://github.com/jfrog/jfrog-secret-rotator-lambda","last_synced_at":"2026-06-26T03:01:30.739Z","repository":{"id":327218083,"uuid":"1089525335","full_name":"jfrog/jfrog-secret-rotator-lambda","owner":"jfrog","description":"AWS Lambda for secret rotations with JFrog tokens, to be used on ECS tasks for pulling images stored on JFrog platform","archived":false,"fork":false,"pushed_at":"2025-12-02T11:42:41.000Z","size":28,"stargazers_count":9,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-12-05T08:30:41.570Z","etag":null,"topics":["ecs","jfrog","lambda"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jfrog.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-11-04T13:12:33.000Z","updated_at":"2025-12-04T17:26:41.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/jfrog/jfrog-secret-rotator-lambda","commit_stats":null,"previous_names":["jfrog/jfrog-secret-rotator-lambda"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/jfrog/jfrog-secret-rotator-lambda","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jfrog%2Fjfrog-secret-rotator-lambda","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jfrog%2Fjfrog-secret-rotator-lambda/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jfrog%2Fjfrog-secret-rotator-lambda/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jfrog%2Fjfrog-secret-rotator-lambda/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jfrog","download_url":"https://codeload.github.com/jfrog/jfrog-secret-rotator-lambda/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jfrog%2Fjfrog-secret-rotator-lambda/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34801014,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-26T02:00:06.560Z","response_time":106,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ecs","jfrog","lambda"],"created_at":"2026-06-26T03:01:29.891Z","updated_at":"2026-06-26T03:01:30.705Z","avatar_url":"https://github.com/jfrog.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# JFrog Token Rotator Lambda for AWS Secret\n\nThis repo provides an [AWS Lambda](https://aws.amazon.com/lambda/) function for automatic rotation of [JFrog access tokens](https://jfrog.com/help/r/jfrog-platform-administration-documentation/access-tokens) stored in [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/). It securely generates and rotates short-lived JFrog tokens using your Lambda's IAM role, without manual intervention.\n\n## Overview\n\nThis solution lets [AWS ECS](https://aws.amazon.com/ecs/) tasks pull private registry container images using short-lived JFrog tokens, automatically rotated in AWS Secrets Manager by the Lambda function. This removes the need for long-lived, manually rotated tokens.\n\nThe [lambda function](./lambda_function.py) performs automatic rotation of JFrog access tokens into the AWS secret by the below lambda events:\n1. **Creating:** A new JFrog access token using AWS IAM credentials\n2. **Setting:** This step is not needed so function is skipped\n3. **Testing:** The new token to ensure it works correctly\n4. **Finishing:** the rotation by promoting the new token to current\n\n## How the lambda code Works\n\n### 1. createSecret Step\n\n- Retrieves AWS IAM credentials from the lambda execution role\n- Creates a signed request to JFrog's AWS token endpoint\n- Exchanges AWS credentials for a JFrog access token\n- Stores the new token in Secrets Manager with `AWSPENDING` stage\n\n### 2. testSecret Step\n\n- Performs token test by calling the JFrog access readiness endpoint with the `Authorization` header container the created token\n\n### 3. finishSecret Step\n\n- Promotes the `AWSPENDING` token to `AWSCURRENT`\n- Removes the old token version from `AWSCURRENT` stage\n\n## Token Exchange Process\n\nThe function uses AWS SigV4 authentication to exchange IAM credentials for JFrog tokens:\n\n## Architecture\n\nThe rotation process follows the AWS Secrets Manager's three-step rotation pattern:\n```\n┌─────────────┐    ┌─────────────┐    ┌─────────────┐\n│ createSecret│ -\u003e │ testSecret  │ -\u003e │finishSecret │\n└─────────────┘    └─────────────┘    └─────────────┘\n```\n\n## Prerequisites\n\n- The [AWS CLI](https://aws.amazon.com/cli/) configured with the appropriate permissions\n- A JFrog Artifactory instance with a JFrog user tagged with IAM Role ARN (see the JFrog user section)\n- Python 3.9 or newer\n- Required AWS IAM permissions (see IAM Permissions section)\n\n## Limitations\n\nThis lambda works on regional STS authentication based on the lambda region\n\n## Environment Variables\n\nThe lambda function requires the following environment variables:\n\n| Variable | Description | Required | Example |\n|----------|-------------|----------|---------|\n| `JFROG_HOST` | JFrog Artifactory hostname | Yes | `mycompany.jfrog.io` |\n| `SECRET_TTL` | Token expiration time in seconds | Yes | `21600` |\n\n## Lambda IAM Permissions\n\nThe lambda execution role requires the following permissions:\n\n### Secrets Manager Permissions\n\nLambda permissions should include:\n- STS assume role and GetCallerIdentity for allowing the token exchange operation\n- secretsmanager secrets operation for allowing the function to get/read and push new secrets\n- logs operations for logging lambda troubleshooting messages   \n- lambda:GetFunctionConfiguration to allow getting lambda configuration, for example, get lambda ROLE ARN\n\nNotice: The policy below can become more strict by limiting resources permitted, for example: assumed roles, secrest access etc...\n\n# Manual Setup\n\n## 1. Create the lambda IAM role \u0026 permissions\n\n```bash\n#Create lambda IAM Role\naws iam create-role \\\n  --role-name jfrog_secret_rotation_lambda \\\n  --assume-role-policy-document '{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n      {\n        \"Effect\": \"Allow\",\n        \"Principal\": {\n          \"Service\": \"lambda.amazonaws.com\"\n        },\n        \"Action\": \"sts:AssumeRole\"\n      }\n    ]\n  }' \\\n  --description \"IAM role for JFrog secret rotation Lambda function\"\n\n# Attach the permissions policy\naws iam put-role-policy \\\n  --role-name jfrog_secret_rotation_lambda \\\n  --policy-name jfrog_secret_rotation_policy \\\n  --policy-document '{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n      {\n        \"Effect\": \"Allow\",\n        \"Action\": [\n          \"secretsmanager:DescribeSecret\",\n          \"secretsmanager:UpdateSecretVersionStage\"\n        ],\n        \"Resource\": \"arn:aws:secretsmanager:*:\u003caccount_id\u003e:secret:*\"\n      },\n      {\n        \"Effect\": \"Allow\",\n        \"Action\": [          \n          \"secretsmanager:GetSecretValue\",\n          \"secretsmanager:PutSecretValue\"          \n        ],\n        \"Resource\": \"\u003cfull secret ARN\u003e\"\n      },\n      {\n        \"Effect\": \"Allow\",\n        \"Action\": [\n          \"lambda:GetFunctionConfiguration\"\n        ],\n        \"Resource\": \"arn:aws:lambda:*:*:function:*\"\n      },\n      {\n        \"Effect\": \"Allow\",\n        \"Action\": [\n          \"sts:GetCallerIdentity\",\n          \"sts:AssumeRole\"\n        ],\n        \"Resource\": \"arn:aws:iam::\u003caccount_id\u003e:role/jfrog_secret_rotation_lambda\"\n      },\n      {\n        \"Effect\": \"Allow\",\n        \"Action\": [\n          \"logs:CreateLogGroup\",\n          \"logs:CreateLogStream\",\n          \"logs:PutLogEvents\"\n        ],\n        \"Resource\": \"arn:aws:logs:*:*:*\"\n      }\n    ]\n  }'\n```\n\n## 2. Lambda creation\n\n### 2.1. Package \u0026 Push the Lambda Function as a Container Image\n\n```bash\n# Build the lambda container image\ndocker buildx build --platform linux/amd64 --provenance=false -t docker-image:test .\n\n# Upload the docker to AWS ECR\n\n# Login to AWS ECR\naws ecr get-login-password --region \u003cregion\u003e | docker login --username AWS --password-stdin \u003caccount_id\u003e.dkr.ecr.\u003cregion\u003e.amazonaws.com\n\n# Create an ECR repo\naws ecr create-repository --repository-name jfrog-secret-rotator-lambda --region \u003cregion\u003e --image-scanning-configuration scanOnPush=true --image-tag-mutability MUTABLE\n\n# Take the repositoryUri from the response and use it to tag the image\ndocker tag docker-image:test \u003caccount_id\u003e.dkr.ecr.\u003cregion\u003e.amazonaws.com/jfrog-secret-rotator-lambda:latest\n\n# Push the image to ECR\ndocker push docker-image:test \u003caccount_id\u003e.dkr.ecr.\u003cregion\u003e.amazonaws.com/jfrog-secret-rotator-lambda:latest\n\n```\n\n### 2.2 Create the lambda Function with the previously created permissions\n\n```bash\n# Create the lambda function from the pushed image and with the IAM role previously created \naws lambda create-function \\\n  --function-name jfrog-secret-rotator-lambda \\\n  --package-type Image \\\n  --code ImageUri=\u003caccount_id\u003e.dkr.ecr.\u003cregion\u003e.amazonaws.com/jfrog-secret-rotator-lambda:latest \\\n  --role arn:aws:iam::\u003caccount_id\u003e:role/jfrog_secret_rotation_lambda \\\n  --environment Variables=\"{JFROG_HOST=\u003chost\u003e,SECRET_TTL=21600}\" \\\n  --region=\u003cregion\u003e \\\n  --description \"JFrog access token rotation based on Lambda IAM role\"\n\n# Add Resource-based policy statements to the lambda function with permission policy that grants access to the principal: secretsmanager.amazonaws.com to action: lambda:InvokeFunction, this allows the secret call our lambda function for rotation\naws lambda add-permission \\\n    --function-name jfrog-secret-rotator-lambda \\\n    --statement-id secretsmanager-invoke \\\n    --action lambda:InvokeFunction \\\n    --principal secretsmanager.amazonaws.com \\\n    --region=\u003cregion\u003e\n```\n\n## 3. Configure AWS Secrets Manager secret\n\n```bash\n# Create a secret for JFrog token\naws secretsmanager create-secret \\\n    --name \"jfrog/access-token\" \\\n    --region \u003cregion\u003e \\\n    --description \"JFrog Artifactory access token\" \\\n    --secret-string '{\"token\":\"any-initial-token-value\"}'\n\n# Configure rotation schedule\n# Important! rotation schedule MUST be shorter than the SECRET_TTL defined for the lambda function, or the token will expire before a new one is rotated, in this example we use token TTL of 6 hours (21600 seconds) for 4 hours rotation of the AWS secret\naws secretsmanager rotate-secret \\\n    --secret-id \"jfrog/access-token\" \\\n    --region \u003cregion\u003e \\\n    --rotation-lambda-arn \"arn:aws:lambda:\u003cregion\u003e:\u003caccount_id\u003e:function:jfrog-secret-rotator-lambda\" \\\n    --rotation-rules  ScheduleExpression=\"rate(4 hours)\",Duration=\"4h\"\n```\n\n### 4. Tag a JFrog user\n\n```bash\n# Tag a jfrog user with the lambda IAM Role ARN so the token exchange would return that user's token \ncurl -XPUT \"https://\u003cjfrog host\u003e/access/api/v1/aws/iam_role\" \\\n     -H \"Content-type: application/json\" \\\n     -H \"Authorization: Bearer \u003cJFrog admin token\u003e\" -d '{\"username\": \"\u003cjfrog username\u003e\", \"iam_role\": \"arn:aws:iam::\u003caccount_id\u003e:role/jfrog_secret_rotation_lambda\"}'\n\n# Validate use is indeed tagged with\ncurl -XGET  \"https://\u003cjfrog host\u003e/access/api/v1/aws/iam_role/\u003cjfrog username\u003e\" -H \"Authorization: Bearer \u003cJFrog admin token\u003e\"\n```\n\n## Usage\n\n### Testing Manual Rotation\n\nTo manually trigger a rotation:\n\n```bash\n# Rotate secret\naws secretsmanager rotate-secret --secret-id \"jfrog/access-token\"\n\n# Once rotated, you can watch the Cloudwatch logs for log group /aws/lambda/jfrog-secret-rotator-lambda\n\n# Check the rotated secret value using:\naws secretsmanager get-secret-value --secret-id jfrog/access-token --region \u003cregion\u003e --version-stage AWSCURRENT\n```\n\n### Use with an ECS task\n\nCreate an ECS task definition marking the task as pulling from private registry.\n\nSet your image name and JFrog image and tag for example `my-platform.jfrog.io/docker/\u003cDOCKER_IMAGE\u003e:\u003cDOCKER_TAG\u003e`.\n\nMake sure the Task execution role contains permissions to decrypt and get the secret: \n```json\n{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Effect\": \"Allow\",\n            \"Action\": [\n                \"kms:Decrypt\",\n                \"secretsmanager:GetSecretValue\"\n            ],\n            \"Resource\": [\n                \"\u003csecret-arn\u003e\"\n            ]\n        }\n    ]\n} \n```\n\n## Monitoring and Logging\n\nThe function logs important events at each rotation step.\n\nMonitor CloudWatch logs for rotation status and any errors.\n\n# Terraform Setup Example\n\nThis repository includes a [Terraform example configuration](./terraform-example/) that automates the setup of the required infrastructure resources.\n\nThere is also an optional example of an [ECS cluster](./terraform-example/ecs.tf) and task creation to show how you can also setup your ECS to use the created resources for a seamless integration with JFrog as its private container registry. You enable it with the terraform variable `enable_ecs` (which defaults to `false`).\n\n## What Terraform Does\n\nThe Terraform configuration creates a complete end-to-end infrastructure:\n\n1. **Lambda Function \u0026 IAM Role** - Deploys Lambda from ECR with IAM permissions for secret rotation.\n2. **AWS Secrets Manager** - Creates and rotates a JFrog access token secret automatically.\n3. **JFrog Integration** - Assigns the Lambda IAM role to the specified JFrog user via API.\n4. **VPC Infrastructure** - Provisions VPC, subnets, gateways, and VPC endpoints for secure networking.\n5. **(Optionally) ECS Deployment Example** - Deploys ECS Fargate cluster and nginx service behind an ALB using the secret.\n\n## How to Run\n\n### Prerequisites\n\n- [Terraform](https://terraform.io) \u003e= 1.0 installed\n- AWS CLI configured with the appropriate credentials\n- ECR image already built and pushed (see section 2.1 for manual setup)\n- JFrog admin access token for API authentication\n\n### Step 1: Configure Variables\n\nEdit `terraform-example/terraform.tfvars` with your values:\n\n```hcl\nregion = \"eu-central-1\"\n\necr_image_uri = \"YOUR_ACCOUNT_ID.dkr.ecr.YOUR_REGION.amazonaws.com/jfrog-secret-rotator-lambda:latest\"\n\njfrog_host = \"your-company.jfrog.io\"\n\njfrog_admin_username = \"your-jfrog-username\"\n\njfrog_admin_token = \"your-jfrog-admin-token\"\n\nalb_allowed_cidr_blocks = [\"YOUR_IP/32\"]  # Optional: restrict ALB access\n\nenable_ecs = false\n\ntags = {\n  Environment = \"Demo\"\n  Group       = \"CTO\"\n  ManagedBy   = \"terraform\"\n}\n```\n\n### Step 2: Initialize Terraform\n\n```bash\ncd terraform-example\nterraform init\n```\n\n### Step 3: Review the Plan\n\n```bash\nterraform plan\n```\n\nThis will show you all resources that will be created. Review the plan carefully.\n\n### Step 4: Apply the Configuration\n\n```bash\nterraform apply\n```\n\nTerraform will prompt you to confirm. Type `yes` to proceed. The deployment typically takes 10-15 minutes.\n\n### Step 5: Note Important Outputs\n\nAfter successful deployment, Terraform will output:\n\n- `secret_name`: Name of the created secret\n- `secret_arn`: ARN of the secret (useful for ECS task definitions)\n- `function_name`: Lambda function name\n- `iam_role_arn`: IAM role ARN (used for JFrog user tagging)\n- `ecs_service_name`: The ECS cluster name\n- `ecs_service_name`: The ECS service name\n- `alb_dns_name`: ALB DNS name for accessing the ECS service (if enabled)\n- `nginx_endpoint`: Full URL to test the nginx service (if enabled)\n\n## How to Test/Validate\n\n### 1. Verify Secret Rotation\n\nCheck if the secret rotation is working:\n\n```bash\n# Get the secret name from Terraform outputs\ncd terraform\nSECRET_NAME=$(terraform output -raw secret_name)\nREGION=$(terraform output -raw region 2\u003e/dev/null || echo \"eu-central-1\")  # Use your region from tfvars\n\n# Manually trigger a rotation\naws secretsmanager rotate-secret --secret-id \"$SECRET_NAME\" --region \"$REGION\"\n\n# Wait a few minutes, then check the secret value\naws secretsmanager get-secret-value \\\n  --secret-id \"$SECRET_NAME\" \\\n  --version-stage AWSCURRENT \\\n  --region \"$REGION\"\n```\n\n### 2. Check Lambda Function Logs\n\n```bash\nFUNCTION_NAME=$(terraform output -raw function_name)\nREGION=$(terraform output -raw region 2\u003e/dev/null || echo \"eu-central-1\")  # Use your region from tfvars\n\n# View recent logs\naws logs tail /aws/lambda/$FUNCTION_NAME --follow --region \"$REGION\"\n```\n\n### 3. Verify ECS Service\n\n```bash\nCLUSTER_NAME=$(terraform output -raw ecs_cluster_name)\nSERVICE_NAME=$(terraform output -raw ecs_service_name)\nREGION=$(terraform output -raw region 2\u003e/dev/null || echo \"eu-central-1\")  # Use your region from tfvars\n\n# Check service status\naws ecs describe-services \\\n  --cluster \"$CLUSTER_NAME\" \\\n  --services \"$SERVICE_NAME\" \\\n  --region \"$REGION\"\n\n# Check running tasks\naws ecs list-tasks \\\n  --cluster \"$CLUSTER_NAME\" \\\n  --service-name \"$SERVICE_NAME\" \\\n  --region \"$REGION\"\n```\n\n### 4. Test the ALB Endpoint\n\n```bash\n# Get the ALB endpoint\nALB_ENDPOINT=$(terraform output -raw nginx_endpoint)\n\n# Test the endpoint\ncurl \"$ALB_ENDPOINT\"\n```\n\nYou should see the nginx welcome page if the service is running correctly and the secret is being used to pull the image from JFrog.\n\n### 5. Verify JFrog User Tagging\n\n```bash\n# Get the IAM role ARN from outputs\nIAM_ROLE_ARN=$(terraform output -raw iam_role_arn)\n\n# Use values from terraform.tfvars (replace with your actual values)\n# JFROG_HOST=\"your-company.jfrog.io\"  # From terraform.tfvars\n# JFROG_USERNAME=\"your-username\"     # From terraform.tfvars\n\n# Verify the JFrog user is tagged (replace placeholders with your values)\ncurl -XGET \"https://YOUR_JFROG_HOST/access/api/v1/aws/iam_role/YOUR_JFROG_USERNAME\" \\\n  -H \"Authorization: Bearer YOUR_JFROG_ADMIN_TOKEN\"\n```\n\n### 6. Monitor Secret Rotation\n\nCheck CloudWatch metrics for rotation:\n\n```bash\nSECRET_ARN=$(terraform output -raw secret_arn)\nREGION=$(terraform output -raw region 2\u003e/dev/null || echo \"eu-central-1\")  # Use your region from tfvars\n\naws cloudwatch get-metric-statistics \\\n  --namespace AWS/SecretsManager \\\n  --metric-name SecretRotation \\\n  --dimensions Name=SecretId,Value=\"$SECRET_ARN\" \\\n  --start-time $(date -u -d '1 hour ago' +%Y-%m-%dT%H:%M:%S) \\\n  --end-time $(date -u +%Y-%m-%dT%H:%M:%S) \\\n  --period 3600 \\\n  --statistics Sum \\\n  --region \"$REGION\"\n```\n\n## How to Cleanup\n\nTo destroy all resources created by Terraform:\n\n```bash\ncd terraform\n\n# Review what will be destroyed\nterraform plan -destroy\n\n# Destroy all resources\nterraform destroy\n```\n\n**Important Notes for Cleanup:**\n\n1. **Secret Recovery Window**: The secret is configured with `recovery_window_in_days = 0`, so it will be deleted immediately when destroyed. If you need to recover it, you have no recovery window.\n\n2. **Dependencies**: Some resources may take time to delete (e.g., NAT Gateway, ALB). Be patient during the destroy process.\n\n3. **Manual Cleanup**: If `terraform destroy` fails or gets stuck, you may need to manually clean up:\n   - ECS service and tasks\n   - Load balancer and target groups\n   - NAT Gateway and Elastic IPs\n   - VPC endpoints\n\n4. **JFrog User Tag**: The JFrog user IAM role tag is not automatically removed. If you want to remove it manually:\n   ```bash\n   curl -XDELETE \"https://YOUR_JFROG_HOST/access/api/v1/aws/iam_role/YOUR_JFROG_USERNAME\" \\\n     -H \"Authorization: Bearer YOUR_JFROG_ADMIN_TOKEN\"\n   ```\n\n5. **ECR Image**: The Terraform configuration does not manage the ECR repository or image. You'll need to manually delete the ECR repository if you want to remove it:\n   ```bash\n   aws ecr delete-repository \\\n     --repository-name jfrog-secret-rotator-lambda \\\n     --force \\\n     --region YOUR_REGION\n   ```\n\n# Troubleshooting\n### Common Issues\n\n1. **Permission Denied**: Ensure the lambda execution role has all required permissions\n2. **Token Exchange Failure**: Verify JFrog host configuration and JFrog user tagging\n3. **Secret Not Found**: Check that the secret exists and rotation is enabled\n4. **Invalid Token**: Ensure the secret TTL is appropriate for your use case\n5. **Invalid Token**: Ensure that the Secret rotation schedule and Token configured TTL are aligned (Token TTL should be longer than secret rotation)\n6. **Corrupted Secret Version** remove the secret version, for example:\n```bash\n aws secretsmanager update-secret-version-stage \\\n    --secret-id \"jfrog/access-token\" \\\n    --version-stage \"AWSPENDING\" \\\n    --remove-from-version-id \"version-id-to-remove\" \n```\n\n# Security Considerations\n\n- The lambda function uses AWS IAM roles for authentication (no hardcoded credentials)\n- Tokens are stored securely in AWS Secrets Manager\n- All API calls are signed using AWS SigV4 authentication\n- Token TTL and Secret Rotation schedule can be configured based on security requirements\n\n# License\n\nApache-2.0\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjfrog%2Fjfrog-secret-rotator-lambda","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjfrog%2Fjfrog-secret-rotator-lambda","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjfrog%2Fjfrog-secret-rotator-lambda/lists"}