The InfluxDB Single- and Multi-user Secret Rotation Lambdas enable automatic rotation of users and tokens for Timestream for InfluxDB. The Multi-user rotation lambda uses an admin-authenticated session to rotate another token's credentials. The Single-user rotation lambda uses its own authenticated session to update the user's password with a new random password.
InfluxDB best practice for access management is to use users to create tokens for fine-grained access control within an organization. User permissions are scoped to allAccess within an organization, while tokens can carry any set of permissions. Use the multi-user variant to manage token rotation and the single-user variant to rotate user credentials.
The Timestream for InfluxDB endpoint is retrieved through get_db_instance. In the case of the Multi-user rotator, the authenticated client performing the rotation uses the admin credentials referenced by influxAuthParametersSecretArn, which is created on DB initialization.
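The following is an added illustration of the multi-user flow described above, not code from this PR or from the rotation lambdas themselves. It models, offline, the secret validation and the create-new / verify / delete-old ordering that the multi-user test list exercises. The secret field names (engine, dbInstanceIdentifier, org, token, tokenType, permissions), the engine value, and the FakeInfluxAdmin client are assumptions made for this example, not the lambda's real schema or the InfluxDB API.

```python
import json
import secrets

# Assumed secret schema for this illustration (not the lambda's real schema).
EXPECTED_ENGINE = "timestream-influxdb"
TOKEN_TYPES = ("operator", "allAccess", "custom")
REQUIRED_KEYS = ("engine", "dbInstanceIdentifier", "org", "token", "tokenType")


def validate_token_secret(secret: dict) -> dict:
    """Reject malformed secrets before any credential is created or deleted."""
    for key in REQUIRED_KEYS:
        if not secret.get(key):
            raise ValueError(f"missing or empty field: {key}")
    if secret["engine"] != EXPECTED_ENGINE:
        raise ValueError(f"invalid engine: {secret['engine']}")
    if secret["tokenType"] not in TOKEN_TYPES:
        raise ValueError(f"invalid token type: {secret['tokenType']}")
    if secret["tokenType"] == "custom" and not secret.get("permissions"):
        raise ValueError("custom token requires a permissions block")
    return secret


def build_permissions(org_id: str, permissions: dict) -> list:
    """Expand {"readBuckets": [...], "writeBuckets": [...]} into one entry per action/bucket."""
    expanded = []
    for action, key in (("read", "readBuckets"), ("write", "writeBuckets")):
        for bucket in permissions.get(key, []):
            expanded.append({"action": action,
                             "resource": {"type": "buckets", "name": bucket, "orgID": org_id}})
    return expanded


class FakeInfluxAdmin:
    """In-memory stand-in for the admin-authenticated client; tracks live tokens."""

    def __init__(self, authorized: bool = True):
        # `authorized` plays the role of the auth environment variable in the tests.
        self.authorized = authorized
        self.tokens = {}

    def create_token(self, token_type: str, permissions: list) -> str:
        if not self.authorized:
            raise PermissionError("admin session not authorized to create tokens")
        if token_type == "operator":
            # Mirrors the test list: operator token creation fails in both auth settings.
            raise PermissionError("operator tokens are not created by the rotator")
        value = "tok-" + secrets.token_urlsafe(24)
        self.tokens[value] = (token_type, permissions)
        return value

    def token_is_live(self, value: str) -> bool:
        return value in self.tokens

    def delete_token(self, value: str) -> None:
        self.tokens.pop(value, None)


def rotate_token(admin: FakeInfluxAdmin, secret: dict) -> dict:
    """Create the replacement first, prove it works, then retire the old token."""
    secret = validate_token_secret(secret)
    perms = []
    if secret["tokenType"] == "custom":
        perms = build_permissions(secret["org"], secret["permissions"])
    new_value = admin.create_token(secret["tokenType"], perms)
    if not admin.token_is_live(new_value):
        raise RuntimeError("new token failed verification; old token left in place")
    admin.delete_token(secret["token"])  # only after the replacement is usable
    return dict(secret, token=new_value)


# Constructed sample secret: a custom token with two read and two write buckets.
SAMPLE_SECRET = json.loads("""{
  "engine": "timestream-influxdb",
  "dbInstanceIdentifier": "example-db-id",
  "org": "example-org",
  "token": "tok-old-placeholder",
  "tokenType": "custom",
  "permissions": {"readBuckets": ["metrics", "logs"], "writeBuckets": ["metrics", "logs"]}
}""")


def demo() -> dict:
    admin = FakeInfluxAdmin(authorized=True)
    admin.tokens[SAMPLE_SECRET["token"]] = ("custom", [])  # the token being rotated
    return rotate_token(admin, SAMPLE_SECRET)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The ordering in rotate_token is the part worth keeping in mind when reviewing the real lambda: the old token is deleted only once the new one has been created and verified, so a failed rotation never leaves the secret pointing at a credential that no longer exists.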
Validations:
Linting
[x] - Ruff linting
single-user tests
[x] - test existing user
[x] - test re-rotation
[x] - test invalid password
[x] - test non-existent user
[x] - test missing password
[x] - test missing username
[x] - test invalid engine
[x] - test missing engine
[x] - test invalid DB identifier
[x] - test missing DB identifier
multi-user tests
[x] - test failure to create operator token with auth environment variable set to True
[x] - test failure to create operator token with auth environment variable set to False
[x] - test failure to create allAccess token with auth environment variable set to False
[x] - test failure to create custom token with auth environment variable set to False
[x] - test success to create allAccess token with auth environment variable set to True
[x] - test on successful rotation that old token value is deleted
[x] - test success to create custom token with auth environment variable set to True
[x] - test failure to create custom token without any permissions defined in secret
[x] - test custom token has correct permissions - 2 sets of write/read buckets and 2 permissions
[x] - test success rotation of allAccess token
[x] - test success rotation of custom token
[x] - test success rotation of operator token
[x] - test failure with missing org
[x] - test failure with invalid org
[x] - test failure with invalid DB identifier
[x] - test failure with missing DB identifier
[x] - test failure with invalid engine
[x] - test failure with missing engine
[x] - test failure with invalid token value
[x] - test failure with invalid token type
[x] - test failure with missing token type
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
Issue #, if available:
N/A