aws-samples / aws-secrets-manager-rotation-lambdas

Contains Lambda functions to be used for automatic rotation of secrets stored in AWS Secrets Manager
MIT No Attribution

Getting 'cryptography' package is required while rotating secrets manager rds password #138

Closed jani4865 closed 7 months ago

jani4865 commented 7 months ago

I have also installed the module inside my zip file, but I am still getting this error.

Tried with Python runtime 3.9, 3.11

[ERROR] RuntimeError: 'cryptography' package is required for sha256_password or caching_sha2_password auth methods
Traceback (most recent call last):
  File "/var/task/rdspassword_rotate_lambda.py", line 72, in lambda_handler
    set_secret(service_client, arn, token)
  File "/var/task/rdspassword_rotate_lambda.py", line 138, in set_secret
    conn = get_connection(pending_dict)
  File "/var/task/rdspassword_rotate_lambda.py", line 302, in get_connection
    return connect_and_authenticate(secret_dict, port, dbname, False)
  File "/var/task/rdspassword_rotate_lambda.py", line 362, in connect_and_authenticate
    conn = pymysql.connect(host=secret_dict['host'], user=secret_dict['username'], password=secret_dict['password'], port=port, database=dbname, connect_timeout=5, ssl=ssl)
  File "/var/task/pymysql/connections.py", line 358, in __init__
    self.connect()
  File "/var/task/pymysql/connections.py", line 664, in connect
    self._request_authentication()
  File "/var/task/pymysql/connections.py", line 968, in _request_authentication
    auth_packet = self._process_auth(plugin_name, auth_packet)
  File "/var/task/pymysql/connections.py", line 1003, in _process_auth
    return _auth.sha256_password_auth(self, auth_packet)
  File "/var/task/pymysql/_auth.py", line 183, in sha256_password_auth
    data = sha2_rsa_encrypt(conn.password, conn.salt, conn.server_public_key)
  File "/var/task/pymysql/_auth.py", line 143, in sha2_rsa_encrypt
    raise RuntimeError(

jbct commented 7 months ago

Hi jani4865@ - what version of MySQL are you on? I believe this might be related to something in 8.0.34+ where they've deprecated the mysql_native_password authentication plugin: https://dev.mysql.com/doc/refman/8.0/en/native-pluggable-authentication.html

One solution is to include PyMySQL[rsa], but I will mark this as a high priority issue for us to address.

jani4865 commented 7 months ago

Hi @jbct
We are using 8.0.mysql_aurora.3.05.2

jani4865 commented 7 months ago

My Lambda deployment already has the cryptography module installed.

jani4865 commented 7 months ago

Issue got resolved after installing the cryptography module as below:

pip install \
    --platform manylinux2014_x86_64 \
    --target=my-lambda-function \
    --implementation cp \
    --python-version 3.9 \
    --only-binary=:all: --upgrade \
    cryptography

benjaminkz commented 7 months ago

@jani4865 Thank you for your information! The cryptography package contains compiled code, so you need to be very careful when using pip to install it. By default, pip will only download and compile the packages for the architecture of the local machine. If the architecture of your local machine is different from AWS Lambda, you might run into dependency errors. To ensure your dependencies work with AWS Lambda, check out our instructions here.

For your specific issue, to use "sha256_password" or "caching_sha2_password" for authentication, you will need to either install cryptography separately, or you can install PyMySQL and cryptography in one command as follows:

pip install \
    --platform manylinux2014_x86_64 \
    --target=my-lambda-function \
    --implementation cp \
    --python-version 3.9 \
    --only-binary=:all: --upgrade \
    'PyMySQL[rsa]'
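
A pre-upload check for the situation in this thread, as an added example (not code from this repository or its maintainers): it reads the WHEEL metadata that pip writes into the `--target` directory and reports any distribution with no tag that can load on CPython 3.9 on x86_64 Linux with glibc 2.17, the baseline that `manylinux2014_x86_64` in the commands above stands for. The function names, the default runtime values and the sample directory contents are assumptions constructed for the illustration.

```python
import re
import tempfile
from pathlib import Path

# Legacy manylinux aliases and the glibc version each stands for (PEP 600).
LEGACY_GLIBC = {"manylinux1": (2, 5), "manylinux2010": (2, 12), "manylinux2014": (2, 17)}
PLAT_RE = re.compile(r"(manylinux(?:1|2010|2014)|manylinux_(\d+)_(\d+))_(\w+)")

def platform_ok(plat, arch="x86_64", max_glibc=(2, 17)):
    """True if a wheel platform tag can load on Linux/arch with glibc <= max_glibc."""
    if plat == "any":                  # pure-Python wheel such as PyMySQL
        return True
    m = PLAT_RE.fullmatch(plat)
    if not m or m[4] != arch:          # macosx_*, win_amd64, other CPU, bare linux_*
        return False
    glibc = (int(m[2]), int(m[3])) if m[2] else LEGACY_GLIBC[m[1]]
    return glibc <= max_glibc

def python_ok(interp, abi, target=(3, 9)):
    """True if interpreter/ABI tags fit CPython `target`; abi3 also loads on later 3.x."""
    if interp.startswith("py"):        # py3-none-*: no compiled extension
        return interp.startswith(f"py{target[0]}")
    m = re.fullmatch(r"cp(\d)(\d+)", interp)
    if not m:
        return False
    built = (int(m[1]), int(m[2]))
    return built <= target if abi == "abi3" else built == target

def incompatible_wheels(target_dir, target=(3, 9)):
    """Return {dist-info name: tags} for distributions with no usable tag."""
    bad = {}
    for wheel in sorted(Path(target_dir).glob("*.dist-info/WHEEL")):
        tags = [line.split(":", 1)[1].strip()
                for line in wheel.read_text().splitlines() if line.startswith("Tag:")]
        parts = [tag.split("-", 2) for tag in tags]
        if not any(python_ok(i, a, target) and any(map(platform_ok, p.split(".")))
                   for i, a, p in parts):
            bad[wheel.parent.name] = tags
    return bad

def demo():
    """Constructed sample: PyMySQL plus a cryptography wheel fetched on macOS."""
    root = Path(tempfile.mkdtemp())
    for name, tag in [("PyMySQL-0.0.0", "py3-none-any"),
                      ("cryptography-0.0.0", "cp39-abi3-macosx_10_12_universal2")]:
        info = root / f"{name}.dist-info"
        info.mkdir()
        (info / "WHEEL").write_text(f"Wheel-Version: 1.0\nTag: {tag}\n")
    return incompatible_wheels(root)
```

Calling `incompatible_wheels("my-lambda-function")` before zipping returns an empty dict when every distribution in the directory has a tag that fits the assumed runtime; pass a different `target` tuple for another Python version.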