Open PreranaAmirapu opened 1 month ago
Hey @PreranaAmirapu , thanks for reaching out.
Here is a doc explaining variations of cron expressions - https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_schedule.html#rotate-secrets_schedule-cron
I ran the below code and it added lambda successfully -
# a sample rotation lambda for secret rotation
# (imports added; this runs inside a Stack's __init__, so `self` is the Stack)
from aws_cdk import aws_iam as iam, aws_lambda, aws_secretsmanager as secretmanager

rotation_lambda = aws_lambda.Function(
    self, "RotationLambda",
    runtime=aws_lambda.Runtime.PYTHON_3_8,
    handler="index.handler",
    code=aws_lambda.Code.from_inline("def handler(event, context): return 'Hello, CDK!';"),
)
# resource-based policy on the function: let the Secrets Manager service principal
# invoke it, scoped to one secret through source_arn
rotation_lambda.add_permission(
    "SecretRotationPermission",
    principal=iam.ServicePrincipal("secretsmanager.amazonaws.com"),
    action="lambda:InvokeFunction",
    source_arn="arn:aws:secretsmanager:us-east-1:111111111111:secret:testSecret-rn4rW4",
)
# L1 rotation schedule, which accepts a cron() schedule expression
cfn_rotation_schedule = secretmanager.CfnRotationSchedule(
    self, "RotationSchedule",
    secret_id="arn:aws:secretsmanager:us-east-1:111111111111:secret:testSecret-rn4rW4",
    rotation_lambda_arn=rotation_lambda.function_arn,
    rotation_rules=secretmanager.CfnRotationSchedule.RotationRulesProperty(
        schedule_expression="cron(0 8 ? * SUN *)",  # 08:00 UTC every Sunday
    ),
)
Here is a snapshot of this being attached-
Let us know if this works!
my code:
# imports added; `rotate_delegates_function` (a lambda.Function) and `self.harness_secret`
# (a secretsmanager.Secret) are defined earlier in the same Stack
from aws_cdk import aws_iam as iam, aws_secretsmanager as secretsmanager

# allow the Secrets Manager service principal to invoke the rotation function,
# scoped to this one secret
rotate_delegates_function.add_permission(
    "SecretRotationPermission",
    principal=iam.ServicePrincipal("secretsmanager.amazonaws.com"),
    action="lambda:InvokeFunction",
    source_arn=self.harness_secret.secret_arn,
)
# L1 rotation schedule with a cron() expression
secretsmanager.CfnRotationSchedule(
    self, "RotationSchedule",
    secret_id=self.harness_secret.secret_arn,
    rotation_lambda_arn=rotate_delegates_function.function_arn,
    rotation_rules=secretsmanager.CfnRotationSchedule.RotationRulesProperty(
        schedule_expression="cron(0 12 ? * SUN *)",  # 12:00 UTC every Sunday
    ),
)
error: Secrets Manager cannot invoke the specified Lambda function. Ensure that the function policy grants access to the principal secretsmanager.amazonaws.com. (Service: AWSSecretsManager; Status Code: 400; Error Code: AccessDeniedException; Request ID: 63a6dea7-0f5c-4294-8db9-8ff9652d85d9; Proxy: null)
even though I have added the above permission, it is not applying
the permission is added I guess
@PreranaAmirapu, so looks like the code is working? Right?
I'm getting this error: Secrets Manager cannot invoke the specified Lambda function. Ensure that the function policy grants access to the principal secretsmanager.amazonaws.com. (Service: AWSSecretsManager; Status Code: 400; Error Code: AccessDeniedException; Request ID: 63a6dea7-0f5c-4294-8db9-8ff9652d85d9; Proxy: null)
@PreranaAmirapu, this error only indicates that the function policy needs to be added, which is added in the given code. These are the alternatives you could try -
aws lambda add-permission \
  --function-name secrets_manager \
  --principal secretsmanager.amazonaws.com \
  --action lambda:InvokeFunction \
  --statement-id SecretsManagerAccess
Replace function name with your lambda function name.
Let me know if this works
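As an added, stand-alone example (not code from this thread or from the CDK project), two checks for the two things the thread turns on: whether a Secrets Manager cron() expression fires only on Sunday, and whether the function's resource policy, as returned by `aws lambda get-policy`, lets secretsmanager.amazonaws.com invoke the function and scopes that grant to one secret with AWS:SourceArn (the CDK code above does this with source_arn; the CLI command above, which has no --source-arn, does not). The policy documents are constructed samples and the function ARN is a placeholder; the secret ARN is the one used in the thread.

```python
import json
SM_PRINCIPAL = "secretsmanager.amazonaws.com"
DOW = ["SUN", "MON", "TUE", "WED", "THU", "FRI", "SAT"]  # cron day-of-week 1-7 is SUN-SAT
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111111111111:secret:testSecret-rn4rW4"

def cron_weekdays(expr):
    """Weekday names a Secrets Manager cron() fires on: minutes hours dom month dow year."""
    inner = expr.strip()
    fields = inner[5:-1].split() if inner.startswith("cron(") and inner.endswith(")") else []
    if len(fields) != 6:
        raise ValueError("expected cron(...) with 6 fields, got %r" % expr)
    dom, dow = fields[2], fields[4]
    if (dom == "?") == (dow == "?"):
        raise ValueError("exactly one of day-of-month / day-of-week must be '?'")
    if dow in ("?", "*"):
        return set(DOW)  # weekday is unconstrained
    days = set()
    for part in dow.upper().split(","):  # e.g. "SUN", "MON-FRI", "1,7"
        lo, _, hi = part.partition("-")
        lo_i, hi_i = [DOW.index(d) if d in DOW else int(d) - 1 for d in (lo, hi or lo)]
        days.update(DOW[i] for i in range(lo_i, hi_i + 1))
    return days

_as_list = lambda v: [v] if isinstance(v, str) else list(v)  # IAM allows string or list

def rotation_permission(get_policy_output, secret_arn):
    """Classify the grant in `aws lambda get-policy` output: may Secrets Manager invoke,
    and is the grant scoped by AWS:SourceArn to this secret, or open to any secret?"""
    policy = json.loads(json.loads(get_policy_output)["Policy"])  # Policy is a JSON string
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (stmt.get("Effect") != "Allow" or SM_PRINCIPAL not in services
                or "lambda:InvokeFunction" not in _as_list(stmt.get("Action", []))):
            continue
        cond = stmt.get("Condition", {})
        source = cond.get("ArnLike", {}).get("AWS:SourceArn") or cond.get("ArnEquals", {}).get("AWS:SourceArn")
        if source is None:
            return "allowed-unscoped"  # any secret, in any account, could invoke this function
        return "allowed-scoped" if source == secret_arn else "allowed-other-secret"
    return "denied"  # no statement for the service principal: the AccessDeniedException case

def _get_policy_output(statement):
    """Constructed stand-in for `aws lambda get-policy` output (Policy is a JSON string)."""
    return json.dumps({"Policy": json.dumps({"Version": "2012-10-17", "Statement": [statement]})})

_GRANT = {"Sid": "SecretRotationPermission", "Effect": "Allow", "Principal": {"Service": SM_PRINCIPAL},
          "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:us-east-1:111111111111:function:EXAMPLE_FUNCTION"}
SCOPED = _get_policy_output({**_GRANT, "Condition": {"ArnLike": {"AWS:SourceArn": SECRET_ARN}}})
UNSCOPED = _get_policy_output(_GRANT)  # what the CLI command in the thread (no --source-arn) produces
```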
Describe the bug
This is the code I have written, where it rotates after 7 days, but I want my secret to rotate on Sunday only. I have tried the below code but it is not working.
Expected Behavior
rotate on every Sunday
Current Behavior
it is not throwing an error but the lambda is not attaching to the secret
Reproduction Steps
-
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.147.0
Framework Version
No response
Node.js Version
v22.4.1
OS
mac
Language
Python
Language Version
No response
Other information
No response