{"id":19685403,"url":"https://github.com/kislerdm/aws-lambda-secret-rotation","last_synced_at":"2025-04-29T06:30:44.674Z","repository":{"id":65423925,"uuid":"587498270","full_name":"kislerdm/aws-lambda-secret-rotation","owner":"kislerdm","description":"AWS Lambda to rotate secrets in AWS Secretsmanager","archived":false,"fork":false,"pushed_at":"2023-07-26T20:22:44.000Z","size":162,"stargazers_count":2,"open_issues_count":7,"forks_count":1,"subscribers_count":1,"default_branch":"master","last_synced_at":"2024-06-22T09:53:46.122Z","etag":null,"topics":["automation","aws","aws-lambda","devops","devsecops","go","go-modules","golang","lambda","security","security-tools"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kislerdm.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-01-10T22:19:18.000Z","updated_at":"2023-10-14T00:06:40.000Z","dependencies_parsed_at":"2024-06-21T08:39:56.627Z","dependency_job_id":"f74b25bc-0766-479c-a694-e0a60e547c7d","html_url":"https://github.com/kislerdm/aws-lambda-secret-rotation","commit_stats":{"total_commits":104,"total_committers":2,"mean_commits":52.0,"dds":"0.019230769230769273","last_synced_commit":"f07dcf0f1b11a41d56ae8bef9437bfb328be18f6"},"previous_names":["kislerdm/neon-dbpassword-rotation-lambda"],"tags_count":10,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kislerdm%2Faws-lambda-secret-rotation","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/
repositories/kislerdm%2Faws-lambda-secret-rotation/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kislerdm%2Faws-lambda-secret-rotation/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kislerdm%2Faws-lambda-secret-rotation/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kislerdm","download_url":"https://codeload.github.com/kislerdm/aws-lambda-secret-rotation/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224152504,"owners_count":17264718,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["automation","aws","aws-lambda","devops","devsecops","go","go-modules","golang","lambda","security","security-tools"],"created_at":"2024-11-11T18:21:44.793Z","updated_at":"2024-11-11T18:21:45.227Z","avatar_url":"https://github.com/kislerdm.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# AWS Lambda to rotate Secret in AWS Secretsmanager\n\n[![Go Report Card](https://goreportcard.com/badge/github.com/kislerdm/aws-lambda-secret-rotation)](https://goreportcard.com/report/github.com/kislerdm/aws-lambda-secret-rotation)\n[![codecov](https://codecov.io/github/kislerdm/aws-lambda-secret-rotation/branch/master/graph/badge.svg?token=LABNHF9G1V\u0026flag=lambda)](https://codecov.io/github/kislerdm/aws-lambda-secret-rotation)\n\nAWS Lambda function\nto [rotate](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html) secret's version, e.g.\ndatabase access credentials, stored 
in [AWS Secretsmanager](https://aws.amazon.com/secrets-manager/).\n\n* [How it works](#how-it-works)\n  + [The Lambda Module](#the-lambda-module)\n    - [Plugins](#plugins)\n    - [List of Plugins](#list-of-plugins)\n    - [Plugin Codebase Structure](#plugin-codebase-structure)\n* [Contribution](#contribution)\n* [Development](#development)\n  + [Requirements](#requirements)\n  + [Commands](#commands)\n\n## How it works\n\n\u003cfigure style=\"alignment: center;\"\u003e\n\u003cimg style=\"alignment: center;\" src=\"architecture.svg\" alt=\"architecture-c4-containers\"\u003e\n\u003cfigcaption style=\"alignment: center;\"\u003e[C4 Container] Architecture Diagram.\u003c/figcaption\u003e\n\u003c/figure\u003e\n\nThe diagram illustrates the secret rotation process.\n\nUpon invocation, the Lambda executes the\nfollowing [steps](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_turn-on-for-other.html#rotate-secrets_turn-on-for-other_step5):\n\n1. _Create Secret_: a new version of the \"Secret User\" secret is generated and stored under the staging label _AWSPENDING_;\n2. _Set Secret_: the newly generated version is set in the \"System delegated credentials store\";\n3. _Test Secret_: the newly generated version is tested against the \"System delegated credentials store\";\n4. _Finish Secret_: the newly generated version is promoted from the stage _AWSPENDING_ to _AWSCURRENT_.\n\n**Note** that the secret is expected to be JSON-encoded.\n\n### The Lambda Module\n\nThe Lambda's logic, defined in the Go module, is encapsulated in two interfaces:\n\n- `SecretsmanagerClient`: defines communication with the secrets vault, i.e. AWS Secretsmanager;\n- `ServiceClient`: defines communication with the system whose credentials are stored in the vault. The interface's\n  methods define the logic to perform the rotation steps 1-3. 
The client authenticates with the \"_Secret Admin_\" secret, which must be authorized to reset the \"_Secret User_\" credentials.\n\nThe Lambda handler is the function `Start`, configured with an object of type `Config`. The config\nincludes the following attributes:\n\n- Clients, i.e. instances of `SecretsmanagerClient` and `ServiceClient`;\n- `SecretObj`: the type defining the structure of the \"Secret User\" secret;\n- `Debug`: flag to activate debug level logs.\n\n#### Plugins\n\nThe lambda module defines the interfaces only. The implementation for a specific \"System delegated\ncredentials store\" is provided by a plugin that implements `ServiceClient` according to that system's specs.\nEvery plugin is distributed as a separate Go module.\n\n#### List of Plugins\n\n- [neon](plugin/neon): plugin to change a user's password in the [Neon](https://neon.tech/) SaaS Postgres service.\n- [confluent](plugin/confluent): plugin to rotate [Confluent Cloud](https://www.confluent.io/) API keys.\n\n#### Plugin Codebase Structure\n\nEvery plugin is stored in the directory [`plugin`](plugin).\n\nIt is recommended to use the following template to develop and distribute a plugin's codebase:\n\n```commandline\n.\n|-- README.md\n|-- go.mod                \u003c- Definition of Go module: github.com/kislerdm/aws-lambda-secret-rotation/plugin/{{.PluginName}}\n|-- go.sum\n|-- models.go             \u003c- Types defining structure of \"Secret User\" and \"Secret Admin\"\n|-- serviceclient.go      \u003c- Implementation of `ServiceClient` interface\n|-- serviceclient_test.go\n|-- .release_notes        \u003c- release notes following https://keepachangelog.com/en/1.0.0/\n|   |-- v0.0.1.md\n|   |-- ...
\n|   `-- vx.y.z.md\n|-- cmd\n|   `-- lambda\n|       `-- main.go       \u003c- AWS Lambda handler's definition\n`-- example               \u003c- (optional) terraform example to provision resources to rotate \"Secret User\" secret\n```\n\n## Contribution\n\nThe codebase is distributed under the [MIT license](LICENSE). Please feel free to open an issue or a PR to\ncontribute.\n\n## Development\n\n### Requirements\n\n- [go](https://go.dev) ~\u003e 1.19\n- [gnuMake](https://www.gnu.org/software/make/)\n\n### Commands\n\nRun to see available commands:\n\n```commandline\nmake help\n```\n\nRun to test the `lambda` module:\n\n```commandline\nmake tests\n```\n\nRun to test a plugin module:\n\n```commandline\nmake test-plugin PLUGIN=##name-of-the-plugin##\n```\n\nFor example, to run unit tests for the Neon plugin:\n\n```commandline\nmake test-plugin PLUGIN=neon\n```\n\nRun to build the lambda binary for a selected plugin:\n\n```commandline\nmake build PLUGIN=##name-of-the-plugin##\n```\n\nFor example, to build the lambda binary for the Neon plugin:\n\n```commandline\nmake build PLUGIN=neon\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkislerdm%2Faws-lambda-secret-rotation","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkislerdm%2Faws-lambda-secret-rotation","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkislerdm%2Faws-lambda-secret-rotation/lists"}
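The four rotation steps and the split between a vault client and a plugin-side `ServiceClient` that the README above describes, played out end to end as an added example. This is not the project's code: the `Credentials` shape, the `ServiceClient` method signatures, the in-memory `Vault` standing in for Secrets Manager, the `FakeService` standing in for a plugin target, the secret IDs `db/user` and `db/admin`, and the `AdminCreds` password are all assumptions made for this example, and the project's real interfaces may differ. What it adds to the prose is the part that makes rotation safe in practice: a version already promoted to AWSCURRENT is a no-op (so a retried invocation with the same version ID does nothing), a pending value that is already written is not regenerated, the new password reaches the vault before the service ever learns it, and it is verified before clients can see it, so a crash at any step leaves either the old credentials fully valid or both versions stored.

```go
package main

import (
	"crypto/rand"
	"encoding/json"
	"fmt"
)

const stageCurrent, stagePending = "AWSCURRENT", "AWSPENDING" // Secrets Manager staging labels

// Credentials is the JSON-encoded "Secret User" / "Secret Admin" payload (shape assumed here).
type Credentials struct {
	User     string `json:"user"`
	Password string `json:"password"`
}

// ServiceClient is the plugin-side interface to the "System delegated credentials store"
// (method signatures assumed for this example; the project's may differ).
type ServiceClient interface {
	SetSecret(admin, pending Credentials) error
	TestSecret(pending Credentials) error
}

// Vault is an in-memory stand-in for Secrets Manager: a JSON value per version ID and the
// version ID each staging label points at (GetSecretValue, PutSecretValue and
// UpdateSecretVersionStage in real code).
type Vault struct {
	Values map[string][]byte // "secretID/versionID" -> JSON
	Labels map[string]string // "secretID/label" -> versionID
}

func (v *Vault) Get(id, stage string) (c Credentials, err error) {
	b, ok := v.Values[id+"/"+v.Labels[id+"/"+stage]]
	if !ok {
		return c, fmt.Errorf("%s: no value at stage %s", id, stage)
	}
	err = json.Unmarshal(b, &c)
	return c, err
}
func (v *Vault) Put(id, version, stage string, c Credentials) error {
	b, err := json.Marshal(c)
	v.Values[id+"/"+version], v.Labels[id+"/"+stage] = b, version
	return err
}

// Rotate runs one rotation step. The guard makes retries harmless: a version that is already
// AWSCURRENT is a no-op, and any other version must be the one reserved as AWSPENDING.
func Rotate(sm *Vault, svc ServiceClient, userID, adminID, version, step string) error {
	if sm.Labels[userID+"/"+stageCurrent] == version {
		return nil
	}
	if sm.Labels[userID+"/"+stagePending] != version {
		return fmt.Errorf("version %s is not AWSPENDING", version)
	}
	pending, perr := sm.Get(userID, stagePending) // exists only once createSecret has run
	if perr != nil && step != "createSecret" {
		return perr
	}
	switch step {
	case "createSecret": // 1. store a fresh password under AWSPENDING
		if perr == nil {
			return nil // retry after a crash: the pending version is already written
		}
		cur, err := sm.Get(userID, stageCurrent)
		if err != nil {
			return err
		}
		cur.Password = randomHex()
		return sm.Put(userID, version, stagePending, cur)
	case "setSecret": // 2. Secret Admin pushes the pending password into the service
		admin, err := sm.Get(adminID, stageCurrent)
		if err != nil {
			return err
		}
		return svc.SetSecret(admin, pending)
	case "testSecret": // 3. prove the pending password works before promoting it
		return svc.TestSecret(pending)
	case "finishSecret": // 4. move AWSCURRENT onto the new version, drop AWSPENDING
		sm.Labels[userID+"/"+stageCurrent] = version
		delete(sm.Labels, userID+"/"+stagePending)
		return nil
	}
	return fmt.Errorf("unknown step %q", step)
}

// RunRotation plays the Secrets Manager side: reserve a new version ID as AWSPENDING, then
// invoke the four steps in order. It returns the ID of the version that became AWSCURRENT.
func RunRotation(sm *Vault, svc ServiceClient, userID, adminID string) (string, error) {
	version := randomHex() // Secrets Manager passes a UUID ClientRequestToken instead
	sm.Labels[userID+"/"+stagePending] = version
	for _, step := range []string{"createSecret", "setSecret", "testSecret", "finishSecret"} {
		if err := Rotate(sm, svc, userID, adminID, version, step); err != nil {
			return "", fmt.Errorf("%s: %w", step, err)
		}
	}
	return version, nil
}

func randomHex() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return fmt.Sprintf("%x", b)
}

// FakeService stands in for a plugin target: a user/password table that only AdminCreds
// (the constructed "Secret Admin" value) may change.
var AdminCreds = Credentials{User: "root", Password: "root-pw"}

type FakeService map[string]string

func (s FakeService) SetSecret(admin, pending Credentials) error {
	if admin != AdminCreds {
		return fmt.Errorf("admin authentication failed for %q", admin.User)
	}
	s[pending.User] = pending.Password
	return nil
}
func (s FakeService) TestSecret(p Credentials) error {
	if s[p.User] != p.Password {
		return fmt.Errorf("service rejected the pending credentials for %q", p.User)
	}
	return nil
}

func main() {
	sm := &Vault{Values: map[string][]byte{}, Labels: map[string]string{}}
	_ = sm.Put("db/admin", "v1", stageCurrent, AdminCreds)
	_ = sm.Put("db/user", "v1", stageCurrent, Credentials{User: "app", Password: "old-pw"})
	fmt.Println(RunRotation(sm, FakeService{"app": "old-pw"}, "db/user", "db/admin"))
}
```

The step order is the safety property: step 1 writes the new password to the vault before step 2 tells the service, and step 3 proves it works before step 4 exposes it under AWSCURRENT, so the previous version stays readable by its ID and nothing is lost if the function dies between steps. The two checks at the top of `Rotate`, plus the `perr == nil` early return in createSecret, are what let the same version ID be replayed without generating a second password or touching the service twice; a wrong "Secret Admin" fails in setSecret and leaves both the service and the AWSCURRENT label untouched.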