How to manually rotate or update a parameter
Closed this issue · 2 comments
I am wondering if there is any way to update parameters each time a CloudFormation template runs, or what the options are.
For example, say we have a database such as AWS DocumentDB that requires a master user name and password when creating.
When using cfn-secret-provider I would generate the secured parameter and store it in Parameter Store:
```yaml
docDbPassword:
  Type: Custom::Secret
  Properties:
    Name: !Ref docDbAdminPassword
    Description: DocumentDB password
    Alphabet: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
    Length: 16
    ReturnSecret: true
    ServiceToken: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:binxio-cfn-secret-provider
```
being able to access now that secret with !GetAtt docDbPassword.Secret. All great.
If I re-run the CloudFormation template I can see the secret is not re-generated.
Is there any recommended approach to manually "rotate" a parameter or to re-generate a new secret and update the database master password, for example, so that every time I run the CloudFormation template I can flag Custom::Secret to overwrite the secret and update the AWS accordingly? Or is that too risky? (I actually don't know if all AWS resources or databases allow updating credentials that way)
PS: this is a great useful tool I have been using for some months, thank you and congrats!
Hi @diegosasw, good to hear you are happy with it! To force an update of the password you can specify the property Version with an appropriate value.
I would recommend explicit automated updates of the property at regular intervals, so that you always know what and why the password refresh is happening.
Fantastic! 👍
I just found that description of Version in the custom secret docs itself. Apologies, I must have missed it before.
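As an added example (not part of the thread and not the project's own code), the template fragment below wires a stack parameter into the Version property suggested in the reply above, so that a password refresh happens only when that parameter is deliberately changed on a stack update. The parameters DocDbAdminUser and DocDbPasswordVersion, the resource docDbCluster and all default values are assumptions; the thread shows only the docDbPassword resource.

```yaml
Parameters:
  docDbAdminPassword:
    Type: String
    Default: /docdb/admin/password      # constructed sample Parameter Store name
  DocDbAdminUser:                       # hypothetical parameter
    Type: String
    Default: docdbadmin                 # constructed sample value
  DocDbPasswordVersion:                 # hypothetical parameter
    Type: String
    Default: '2024-01'                  # constructed sample value; change it to request a refresh
    Description: Opaque value passed to Version on the Custom::Secret resource

Resources:
  docDbPassword:
    Type: Custom::Secret
    Properties:
      Name: !Ref docDbAdminPassword
      Description: DocumentDB password
      Alphabet: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
      Length: 16
      ReturnSecret: true
      # Changing this value is what the reply describes as forcing a password update.
      Version: !Ref DocDbPasswordVersion
      ServiceToken: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:binxio-cfn-secret-provider

  docDbCluster:
    Type: AWS::DocDB::DBCluster
    Properties:
      MasterUsername: !Ref DocDbAdminUser
      # The cluster consumes the generated secret, so a refreshed secret and the
      # master password change in the same stack update.
      MasterUserPassword: !GetAtt docDbPassword.Secret
```

Clients that cached the previous password need to re-read it from Parameter Store after such a stack update.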