Skip to content

Rotate Secret

secretsmanager_rotate_secret R Documentation

Configures and starts the asynchronous process of rotating the secret

Description

Configures and starts the asynchronous process of rotating the secret. For information about rotation, see Rotate secrets in the Secrets Manager User Guide. If you include the configuration parameters, the operation sets the values for the secret and then immediately starts a rotation. If you don't include the configuration parameters, the operation starts a rotation with the values already stored in the secret.

When rotation is successful, the AWSPENDING staging label might be attached to the same version as the AWSCURRENT version, or it might not be attached to any version. If the AWSPENDING staging label is present but not attached to the same version as AWSCURRENT, then any later invocation of rotate_secret assumes that a previous rotation request is still in progress and returns an error. When rotation is unsuccessful, the AWSPENDING staging label might be attached to an empty secret version. For more information, see Troubleshoot rotation in the Secrets Manager User Guide.

Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information in request parameters because it might be logged. For more information, see Logging Secrets Manager events with CloudTrail.

Required permissions: secretsmanager:RotateSecret. For more information, see IAM policy actions for Secrets Manager and Authentication and access control in Secrets Manager. You also need lambda:InvokeFunction permissions on the rotation function. For more information, see Permissions for rotation.

Usage

secretsmanager_rotate_secret(SecretId, ClientRequestToken,
  RotationLambdaARN, RotationRules, RotateImmediately)

Arguments

SecretId

[required] The ARN or name of the secret to rotate.

For an ARN, we recommend that you specify a complete ARN rather than a partial ARN. See Finding a secret from a partial ARN.

ClientRequestToken

A unique identifier for the new version of the secret. You only need to specify this value if you implement your own retry logic and you want to ensure that Secrets Manager doesn't attempt to create a secret version twice.

If you use the Amazon Web Services CLI or one of the Amazon Web Services SDKs to call this operation, then you can leave this parameter empty. The CLI or SDK generates a random UUID for you and includes it as the value for this parameter in the request.

If you generate a raw HTTP request to the Secrets Manager service endpoint, then you must generate a ClientRequestToken and include it in the request.

This value helps ensure idempotency. Secrets Manager uses this value to prevent the accidental creation of duplicate versions if there are failures and retries during a rotation. We recommend that you generate a UUID-type value to ensure uniqueness of your versions within the specified secret.

RotationLambdaARN

For secrets that use a Lambda rotation function to rotate, the ARN of the Lambda rotation function.

For secrets that use managed rotation, omit this field. For more information, see Managed rotation in the Secrets Manager User Guide.

RotationRules

A structure that defines the rotation configuration for this secret.

RotateImmediately

Specifies whether to rotate the secret immediately or wait until the next scheduled rotation window. The rotation schedule is defined in RotateSecretRequest$RotationRules.

For secrets that use a Lambda rotation function to rotate, if you don't immediately rotate the secret, Secrets Manager tests the rotation configuration by running the testSecret step of the Lambda rotation function. The test creates an AWSPENDING version of the secret and then removes it.

By default, Secrets Manager rotates the secret immediately.

Value

A list with the following syntax: 

list(
  ARN = "string",
  Name = "string",
  VersionId = "string"
)

Request syntax

svc$rotate_secret(
  SecretId = "string",
  ClientRequestToken = "string",
  RotationLambdaARN = "string",
  RotationRules = list(
    AutomaticallyAfterDays = 123,
    Duration = "string",
    ScheduleExpression = "string"
  ),
  RotateImmediately = TRUE|FALSE
)

Examples

## Not run: 
# The following example configures rotation for a secret using a cron
# expression. The first rotation happens immediately after the changes are
# stored in the secret. The rotation schedule is the first and 15th day of
# every month. The rotation window begins at 4:00 PM UTC and ends at 6:00
# PM.
svc$rotate_secret(
  RotationLambdaARN = "arn:aws:lambda:us-west-2:123456789012:function:MyTes...",
  RotationRules = list(
    Duration = "2h",
    ScheduleExpression = "cron(0 16 1,15 * ? *)"
  ),
  SecretId = "MyTestDatabaseSecret"
)

# The following example requests an immediate invocation of the secret's
# Lambda rotation function. It assumes that the specified secret already
# has rotation configured. The rotation function runs asynchronously in
# the background.
svc$rotate_secret(
  SecretId = "MyTestDatabaseSecret"
)

## End(Not run)