aws-samples / aws-secrets-manager-rotation-lambdas

Contains Lambda functions to be used for automatic rotation of secrets stored in AWS Secrets Manager
MIT No Attribution

Ability to specify certificate when establishing TLS connection #14

Closed 0xjjoyy closed 2 years ago

0xjjoyy commented 5 years ago

When requiring TLS connections to a DB instance there is a certificate available to verify the connection.

Asking for the ability to configure the Lambda to specify the regional certificate when creating the rotation Lambda from the serverless repo.

Example of the parameters used when establishing the connection can be found here.

StevenEmelander commented 5 years ago

Thanks for reaching out. Supporting SSL connections to DB's is in our backlog and we hope to deliver that in a future release. Until then you can get this working manually by doing the following edits to your lambda:

  1. Open the Lambda function responsible for rotation of that secret. You can find the arn in the Secrets Manager console under the Rotation Configuration section.
  2. Download the latest RDS CA Bundle here - https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem and add that file to the Lambda (keep the same name rds-combined-ca-bundle.pem, and don't put it in a directory).
  3. Change the line that has "pymysql.connect" in lambda_function.py to be: conn = pymysql.connect(secret_dict['host'], user=secret_dict['username'], passwd=secret_dict['password'], port=port, db=dbname, connect_timeout=5, ssl={'ca': './rds-combined-ca-bundle.pem'})
  4. Go back to the Secrets Manager console and click "Rotate secret immediately" and it will kick off rotation again and it should work this time.
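
Added example, not code from the repository or from the comment above: a helper for the rotation Lambda that assembles the `pymysql.connect()` arguments so the RDS connection always verifies the server against the CA bundle, and fails closed instead of silently falling back to plaintext when the bundle is missing or contains no certificate. It assumes the bundle sits beside lambda_function.py under the file name used in the thread, rds-combined-ca-bundle.pem.

```python
import os
import re

# Assumption: the bundle was added to the deployment package next to
# lambda_function.py, as the steps above describe.
CA_BUNDLE = os.path.join(os.path.dirname(os.path.abspath(__file__)),
                         "rds-combined-ca-bundle.pem")

# One PEM certificate block; re.S lets '.' span the base64 lines.
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def count_pem_certs(path):
    """Number of certificate blocks in a PEM bundle; 0 if unreadable or empty."""
    try:
        with open(path, "r", encoding="ascii", errors="replace") as fh:
            return len(_PEM_CERT.findall(fh.read()))
    except OSError:
        return 0


def build_connect_kwargs(secret_dict, ca_bundle=CA_BUNDLE):
    """Keyword arguments for pymysql.connect(); TLS with CA verification is mandatory.

    secret_dict is the parsed Secrets Manager secret (host, username,
    password, optional port and dbname), as the rotation Lambda reads it.
    """
    if count_pem_certs(ca_bundle) == 0:
        # Refuse to connect rather than degrade to an unverified connection.
        raise RuntimeError(
            "CA bundle %s is missing or holds no certificate" % ca_bundle)
    return {
        "host": secret_dict["host"],
        "user": secret_dict["username"],
        "password": secret_dict["password"],
        "port": int(secret_dict.get("port", 3306)),
        "database": secret_dict.get("dbname"),
        "connect_timeout": 5,
        # Passing 'ca' makes pymysql require and verify the server certificate
        # against this bundle (CERT_REQUIRED plus hostname check).
        "ssl": {"ca": ca_bundle},
    }


def get_connection(secret_dict, ca_bundle=CA_BUNDLE):
    """Open the verified connection; pymysql is imported here so the
    argument builder above can be unit-tested without the driver installed."""
    import pymysql
    return pymysql.connect(**build_connect_kwargs(secret_dict, ca_bundle))
```
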

heri16 commented 4 years ago

I got this same issue with Postgres Aurora with force_ssl=1. Over a year of no activity/progress on this just makes it hard to recommend AWS SecretsManager.

mccamca commented 3 years ago

The recommended solution doesn't work, because the version of FreeTDS included with pymssql 2.1.1 does not support SSL. Pretty weak that two years later this still hasn't been fixed. And no mention of it in the official AWS docs for configuring secrets rotation against an RDS db.

cxystras commented 3 years ago

There is already a KB article on this here but it is for custom lambda functions or ones that are not managed by an automation. Can AWS see this and push for a fix? Recommended steps are (from-the-top-of-my-head):

mccamca commented 3 years ago

I haven't tried this yet, but I received some support on this issue and here is what is suggested:

The issue is related to the pymssql version (2.1.1) that's being used. This issue is fixed in version 2.2.0. The following are the steps to rebuild the lambda function that's used for the secret rotation. (Alternatively, the attachments python.zip for the lambda layer and lambda_function.zip could be used.)

  1. Create an EC2 machine with Amazon Linux 2 with access to the internet (public).

  2. Make a directory/folder projects & projects/python. You can name the folders accordingly as per your preference.

     mkdir projects projects/python

  3. Change the working directory.

     cd projects/python

  4. Copy/Install files into the above working directory for pymssql using pip3.

     pip3 install pymssql -t ./

  5. Compress the files.

     zip -r python.zip .

  6. Create a lambda layer by uploading the above compressed file (python.zip).

  7. Download the current lambda function (lambda_function.zip could be used) and just zip the lambda_function.py (exclude everything else).

  8. Upload the function (lambda_function.zip).

  9. Add the lambda layer created to the lambda_function.

cxystras commented 3 years ago

Agreed on the workaround and thank you for sharing. However, my comment goes to AWS to add some leverage on fixing the lambdas and save us the maintainability issues/work and for all the engines too.

crogers-rhino commented 3 years ago

any progress on this?

bhchew commented 3 years ago

Hitting the same wall, asking AWS support for ETA on the fix in SAR and will update here

Steven-N commented 2 years ago

I suppose this announcement resolves this issue?

https://aws.amazon.com/about-aws/whats-new/2021/12/aws-secrets-manager-enables-ssl-connections-rotating-database/

:)

frugecn commented 2 years ago

Though, it doesn't look like the merge to master has happened yet. PR is still out there awaiting final approval.

JoeJesse commented 2 years ago

Yes, SSL/TLS support for rotation has been launched and the code has been merged in. Please refer to the documentation for setting up rotation and upgrading existing rotation configuration to use SSL connections.

Closing issue.