
SecretsManager: is there feature to set a day of week rather that specifying number #31002

Closed
PreranaAmirapu opened this issue Aug 1, 2024 · 7 comments
Labels: @aws-cdk/aws-secretsmanager (Related to AWS Secrets Manager), bug, closed-for-staleness, p2, response-requested

Comments


Describe the bug

    self.harness_secret.add_rotation_schedule(
        "RotationSchedule", rotation_lambda=rotate_delegates_function, automatically_after=Duration.days(7)
    )

This is the code I have written; it rotates the secret every 7 days, but I want my secret to rotate on Sunday only. I have tried the code below, but it is not working:

    cfn_rotation_schedule = secretsmanager.CfnRotationSchedule(
        self, "RotationSchedule",
        secret_id=self.example_secret.secret_arn,
        rotation_lambda_arn=rotate_delegates_function.function_arn,
        rotation_rules=secretsmanager.CfnRotationSchedule.RotationRulesProperty(
            schedule_expression="cron(0 12 ? * SUN *)",
        )
    )

Expected Behavior

Rotate every Sunday.

Current Behavior

    cfn_rotation_schedule = secretsmanager.CfnRotationSchedule(
        self, "RotationSchedule",
        secret_id=self.example_secret.secret_arn,
        rotation_lambda_arn=rotate_delegates_function.function_arn,
        rotation_rules=secretsmanager.CfnRotationSchedule.RotationRulesProperty(
            schedule_expression="cron(0 12 ? * SUN *)",
        )
    )

It is not throwing an error, but the Lambda is not being attached to the secret.

Reproduction Steps

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.147.0

Framework Version

No response

Node.js Version

v22.4.1

OS

mac

Language

Python

Language Version

No response

Other information

No response

@PreranaAmirapu PreranaAmirapu added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 1, 2024
@github-actions github-actions bot added the @aws-cdk/aws-secretsmanager Related to AWS Secrets Manager label Aug 1, 2024
@khushail khushail added investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Aug 1, 2024
@khushail khushail self-assigned this Aug 1, 2024
@khushail khushail added the p2 label Aug 1, 2024
khushail (Contributor) commented Aug 1, 2024

Hey @PreranaAmirapu, thanks for reaching out.

Here is a doc explaining variations of cron expressions: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_schedule.html#rotate-secrets_schedule-cron

I ran the code below and it added the Lambda successfully:

        # a sample rotation lambda for secret rotation
        rotation_lambda = aws_lambda.Function(
            self, "RotationLambda",
            runtime=aws_lambda.Runtime.PYTHON_3_8,
            handler="index.handler",
            code=aws_lambda.Code.from_inline("def handler(event, context): return 'Hello, CDK!';"),
        )

        # allow the Secrets Manager service principal to invoke the rotation function
        rotation_lambda.add_permission("SecretRotationPermission",
            principal=iam.ServicePrincipal("secretsmanager.amazonaws.com"),
            action="lambda:InvokeFunction",
            source_arn="arn:aws:secretsmanager:us-east-1:111111111111:secret:testSecret-rn4rW4",
        )

        cfn_rotation_schedule = secretmanager.CfnRotationSchedule(
            self, "RotationSchedule",
            secret_id="arn:aws:secretsmanager:us-east-1:111111111111:secret:testSecret-rn4rW4",
            rotation_lambda_arn=rotation_lambda.function_arn,
            rotation_rules=secretmanager.CfnRotationSchedule.RotationRulesProperty(
                schedule_expression="cron(0 8 ? * SUN *)",
            )
        )

Here is a snapshot of this being attached:

(Screenshot 2024-08-01 at 1:30:38 PM)

Let us know if this works!

@khushail khushail added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Aug 1, 2024
PreranaAmirapu (Author) commented Aug 2, 2024

My code:

    rotate_delegates_function.add_permission(
        "SecretRotationPermission",
        principal=iam.ServicePrincipal("secretsmanager.amazonaws.com"),
        action="lambda:InvokeFunction",
        source_arn=self.harness_secret.secret_arn,
    )

    secretsmanager.CfnRotationSchedule(
        self, "RotationSchedule",
        secret_id=self.harness_secret.secret_arn,
        rotation_lambda_arn=rotate_delegates_function.function_arn,
        rotation_rules=secretsmanager.CfnRotationSchedule.RotationRulesProperty(
            schedule_expression="cron(0 12 ? * SUN *)",
        )
    )

Error:

    Secrets Manager cannot invoke the specified Lambda function. Ensure that the function policy grants access to the principal secretsmanager.amazonaws.com. (Service: AWSSecretsManager; Status Code: 400; Error Code: AccessDeniedException; Request ID: 63a6dea7-0f5c-4294-8db9-8ff9652d85d9; Proxy: null)

Even though I have added the above permission, it is not being applied.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Aug 2, 2024
PreranaAmirapu (Author) commented:

(Screenshot 2024-08-02 at 9:44:32 PM)

The permission is added, I guess.

khushail (Contributor) commented Aug 2, 2024

@PreranaAmirapu, so it looks like the code is working? Right?

@khushail khushail added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Aug 2, 2024
PreranaAmirapu (Author) commented:

I'm getting this error:

    Secrets Manager cannot invoke the specified Lambda function. Ensure that the function policy grants access to the principal secretsmanager.amazonaws.com. (Service: AWSSecretsManager; Status Code: 400; Error Code: AccessDeniedException; Request ID: 63a6dea7-0f5c-4294-8db9-8ff9652d85d9; Proxy: null)

khushail (Contributor) commented Aug 2, 2024

@PreranaAmirapu, this error only indicates that the function policy needs to be added, which is done in the given code.
These are the alternatives you could try:

  1. Could you please specify the complete ARN in `source_arn`, instead of using a reference?
  2. Run this command in a terminal:

         aws lambda add-permission \
           --function-name secrets_manager \
           --principal secretsmanager.amazonaws.com \
           --action lambda:InvokeFunction \
           --statement-id SecretsManagerAccess

Replace the function name with your Lambda function name.

Let me know if this works.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Aug 2, 2024
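The AccessDeniedException in this thread can also occur when the `AWS::SecretsManager::RotationSchedule` is created before the `AWS::Lambda::Permission` that grants `secretsmanager.amazonaws.com` invoke access: CloudFormation builds the two in parallel unless the schedule declares a `DependsOn` on the permission, and nothing in the schedule's properties references the permission resource. The check below is an added example, not code from this issue or the CDK project; it lints a synthesized template (`cdk synth` output, here a constructed dict mirroring the issue's resources) for both the grant and the ordering dependency.

```python
# Added check, not from the aws-cdk issue: lint a synthesized CloudFormation
# template for a rotation schedule's Lambda grant and its DependsOn ordering.

def _logical_id(value):
    """Resolve a Ref or Fn::GetAtt intrinsic to the logical id it points at."""
    if isinstance(value, dict):
        if "Ref" in value:
            return value["Ref"]
        if "Fn::GetAtt" in value:
            return value["Fn::GetAtt"][0]
    return None

def check_rotation_schedules(template):
    """Return {schedule_logical_id: [problems]}; an empty list means it passes."""
    resources = template.get("Resources", {})
    findings = {}
    for sid, res in resources.items():
        if res.get("Type") != "AWS::SecretsManager::RotationSchedule":
            continue
        fn_id = _logical_id(res.get("Properties", {}).get("RotationLambdaARN"))
        # Permissions that let the Secrets Manager service invoke this function.
        perms = [
            pid for pid, p in resources.items()
            if p.get("Type") == "AWS::Lambda::Permission"
            and _logical_id(p["Properties"].get("FunctionName")) == fn_id
            and p["Properties"].get("Principal") == "secretsmanager.amazonaws.com"
            and p["Properties"].get("Action") == "lambda:InvokeFunction"
        ]
        depends = res.get("DependsOn", [])
        depends = [depends] if isinstance(depends, str) else depends
        problems = []
        if not perms:
            problems.append("no Lambda permission for secretsmanager.amazonaws.com")
        elif not set(perms) & set(depends):
            problems.append("schedule does not DependsOn the permission (ordering race)")
        findings[sid] = problems
    return findings

# Constructed template in the shape CDK synthesizes for the code in this issue.
SAMPLE_TEMPLATE = {"Resources": {
    "RotateFn": {"Type": "AWS::Lambda::Function", "Properties": {}},
    "SecretRotationPermission": {"Type": "AWS::Lambda::Permission", "Properties": {
        "Action": "lambda:InvokeFunction",
        "FunctionName": {"Fn::GetAtt": ["RotateFn", "Arn"]},
        "Principal": "secretsmanager.amazonaws.com"}},
    "RotationSchedule": {"Type": "AWS::SecretsManager::RotationSchedule", "Properties": {
        "RotationLambdaARN": {"Fn::GetAtt": ["RotateFn", "Arn"]},
        "RotationRules": {"ScheduleExpression": "cron(0 12 ? * SUN *)"}}},
}}
```

In CDK the fix for the ordering finding is an explicit `node.add_dependency(...)` from the `CfnRotationSchedule` onto the `CfnPermission` construct that `add_permission` creates, so the grant is in place before the schedule first invokes the function.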
@khushail khushail added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Oct 9, 2024
github-actions bot commented Oct 9, 2024

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Oct 9, 2024