aws-samples / aws-secrets-manager-rotation-lambdas

Contains Lambda functions to be used for automatic rotation of secrets stored in AWS Secrets Manager
MIT No Attribution

SqlServer rotation not respecting EXCLUDE_CHARACTERS #133

Closed BlueMaegi closed 9 months ago

BlueMaegi commented 9 months ago

I was sent here from AWS technical support since apparently this issue is out of their "scope". Apologies if this is not something actually wrong with the lambda code.

Our autogenerated lambda function that handles our RDS password rotation for MS SqlServer has stopped factoring in the EXCLUDE_CHARACTERS environment variable.

We have it set to exclude the following characters: /\@"'[]{}%#*

(screenshot attached: Screen Shot 2024-02-22 at 10 43 50 AM)

Yet it is consistently generating passwords with those characters included. Like this example (not currently in use):

(screenshot attached: Screen Shot 2024-02-22 at 10 45 30 AM)

From the CloudWatch logs it looks like the lambda stopped running entirely sometime in late November 2023, so I'm a bit confused about where the new rotated passwords are even coming from. There are no new rotation lambdas anywhere on our account.

jbct commented 9 months ago

Hi @BlueMaegi - when was this lambda deployed that began causing the issue? I just tried reproducing it myself and it's excluding the characters in a large character length password. Wondering if something else changed the password without the exclusion, given this one hasn't run since Nov 2023.

BlueMaegi commented 9 months ago

The lambda was created in May 2023 and has not been touched since. It was autogenerated the first time we spun up an RDS instance with SecretsManager rotation enabled. We've never "deployed" it from our own code.

My thought was to delete it, and tear down all the associated RDS instances to start from scratch. But we lack knowledge on what drives/creates the rotation lambdas to be sure that such a process would even work.

jirkafajfr commented 9 months ago

Could you please provide us with exact code that the rotation lambda is running?


BlueMaegi commented 9 months ago

On the rotation tab, it says the following: "Amazon RDS (rds) manages rotation for this secret, so you don't need to choose a Lambda rotation function."

Regardless, I've attached the file from the autogenerated function, which is probably not running anymore.

lambda_function.txt

jirkafajfr commented 9 months ago

There are actually two distinct concepts:

In your case the secret is rotated by RDS (managed rotation), but you're trying to change parameters of rotation lambda that is not being used (at least for secret you reference here).

jirkafajfr commented 9 months ago

@BlueMaegi managed rotation doesn't allow the user to specify criteria for random password generation. If you really need control over the characters used in the password, you'll need to switch your secret to the rotation lambdas (away from managed rotation).

I'll close the ticket now, but feel free to re-open.
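To tell the two cases apart, it helps to check observed passwords against the exclusion set the lambda would have used. The following is an added example, not code from this repository: it reads EXCLUDE_CHARACTERS the way the sample lambdas do (the variable is the literal set of characters to drop, no separators or escaping; the default value here is an assumption), issues the same get_random_password call against an offline stand-in for the boto3 client, and flags any password that contains an excluded character, which a lambda running with that setting could not have produced.

```python
import os
import secrets
import string

# Constructed to match the exclusion set quoted in the issue: /\@"'[]{}%#*
ISSUE_EXCLUDE = "/\\@\"'[]{}%#*"


def excluded_characters(env=None):
    """Read EXCLUDE_CHARACTERS as the rotation lambdas do: the raw value is the
    set of characters to exclude. The fallback mirrors the samples' default
    (assumption, check your deployed function's code)."""
    env = os.environ if env is None else env
    return env.get("EXCLUDE_CHARACTERS", "/@\"'\\")


def violations(password, exclude):
    """Excluded characters that actually occur in the password; empty when compliant."""
    return sorted({c for c in password if c in exclude})


class OfflineSecretsManager:
    """Stand-in for boto3's secretsmanager client so this runs without AWS.
    Only get_random_password is modelled, with the same keyword arguments."""

    def get_random_password(self, PasswordLength=32, ExcludeCharacters=""):
        alphabet = [c for c in string.ascii_letters + string.digits + string.punctuation
                    if c not in ExcludeCharacters]
        pw = "".join(secrets.choice(alphabet) for _ in range(PasswordLength))
        return {"RandomPassword": pw}


def rotate_like_lambda(client, env=None, length=32):
    """Generate a password the way the lambda would and self-check it."""
    exclude = excluded_characters(env)
    resp = client.get_random_password(PasswordLength=length, ExcludeCharacters=exclude)
    pw = resp["RandomPassword"]
    return pw, violations(pw, exclude)


def audit_observed(passwords, exclude):
    """Map each observed password to its violations. A non-empty list means that
    value did not come from a lambda running with this EXCLUDE_CHARACTERS
    setting, which points at another generator (e.g. managed rotation)."""
    return {pw: violations(pw, exclude) for pw in passwords}
```

Run audit_observed over the passwords you actually see in the secret's versions; if any entry is non-empty, the lambda and its environment variable are not what is rotating that secret.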