Must every IAM user have a secret created in Secrets Manager before running the Lambda? Is that an essential requirement, or is the secret automatically created by the function for new IAM users it finds?
If a user has only one access key and we rotate it using Lambda, how will they fetch the key details from AWS Secrets Manager?
The video was helpful, thanks bro.
Thank you, it worked. Just in case, do you have a Lambda function for notifying users via email about new access and secret keys? I mean, as soon as the access key changes, the user would get an email with the new keys. Thank you!
Check out this video - ruclips.net/video/8_ZGJKsBtvw/видео.html&ab_channel=BorrowedCloud
Sir, I am confused. What if I don't have any of my users' keys in Secrets Manager yet? Would I have to add all their keys to Secrets Manager before I run this?
Yes, this implementation is driven by the AWS Secrets Manager service, hence you must have the secret created before it is implemented.
Looks great. Adding to this, my requirement is to update these newly created keys in a GitLab variable; can you please help with this? Thank you.
You can try using APIs for updating new keys in GitHub.
Great, it works as explained. Thanks.
Hi @Borrowed Cloud, can you make this process create a new access key at 90 days, then at 100 days make the old access keys "INACTIVE", then at 110 days "DELETE" the inactive keys?
Try using Amazon EventBridge to implement it.
@BorrowedCloud Once it creates a new access key, it will automatically deactivate the old ones.
Thank you.
This is really good.
It is very nice, sir.
Can I get your contact details, sir?
You can submit your query on the channel email address.
Thank you for this. But this still has the concern of having credentials laying around to be stolen. So a safer solution used by enterprises is to dynamically create credentials that are only good for a few hours.
Please elaborate on your statement "But this still has the concern of having credentials laying around to be stolen.", when we are storing these keys in AWS Secrets Manager and access to the secret is controlled via IAM policies assigned to IAM users.
Thanks, working fine for me.
For the Access Denied issue: in the Roles page you can see the role of the Lambda function you created; there you need to add SecretsManagerReadWrite and IAMKeyRotation_Policy. Then the issue will be resolved.
Check out this video, which has the template for implementing this feature - ruclips.net/video/8_ZGJKsBtvw/видео.html&ab_channel=BorrowedCloud
Thank you, it worked
How can this be achieved for multiple users in an AWS account?
Create one secret for every user you want to rotate keys for.
The only question I have is: How are the new keys or secrets disseminated to users? i.e. AWS CLI users
What do you mean by CLI users? The SNS topic will send a notification to the subscribed users.
@BorrowedCloud CLI users are command-line users.
The question is: once key renewal occurs, how do the access and secret access keys get passed to the end user or app? If AWS CLI tools are used, do the config or credentials file(s) need to point to Secrets Manager as the repository for their secret and access keys?
How to do it with an S3 bucket for multiple users?
Add all secret names (one secret per IAM user) to a file and upload it to the S3 bucket. In Lambda, open the file, loop over it, and implement the logic I've explained in the video.
@BorrowedCloud I'm looking for the syntax and where to insert it.
@manoharguri9351 It is not covered in my code. I gave you a direction to modify it for your requirement.
Getting the below error:
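The 90/100/110-day schedule asked about above and the author's "one secret per IAM user, loop over a file from S3" direction, as an added example that is not the video's or the author's code: a pure-Python planner that decides, per access key, what the Lambda should do. It assumes the secret name equals the IAM user name, and the S3 file and the IAM ListAccessKeys results are replaced by constructed inline data, so it runs offline.

```python
from datetime import datetime, timedelta, timezone

# Lifecycle thresholds in days, as asked in the thread: create a new key at 90,
# make the old key Inactive at 100, delete the inactive key at 110.
ROTATE_AFTER, INACTIVATE_AFTER, DELETE_AFTER = 90, 100, 110

def parse_secret_list(file_text):
    """Parse the file uploaded to S3: one secret name per line; blanks and '#' comments ignored."""
    names = []
    for line in file_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.append(line)
    return names

def plan_user(keys, now):
    """Return [(AccessKeyId, action)] for one user's keys (dicts shaped like ListAccessKeys entries).
    IAM allows at most two access keys per user, so 'rotate' (create a new key) is only planned
    when the due key is the newest and the second slot is free; otherwise 'rotate-blocked'."""
    ordered = sorted(keys, key=lambda k: k["CreateDate"], reverse=True)  # newest first
    plan = []
    for i, key in enumerate(ordered):
        age = (now - key["CreateDate"]).days
        if key["Status"] == "Inactive":
            action = "delete" if age >= DELETE_AFTER else "keep"
        elif age >= INACTIVATE_AFTER and i > 0:
            action = "inactivate"  # old key, and a newer key already exists to switch to
        elif age >= ROTATE_AFTER and i == 0:
            action = "rotate" if len(ordered) < 2 else "rotate-blocked"
        else:
            action = "keep"
        plan.append((key["AccessKeyId"], action))
    return plan

def plan_all(file_text, keys_by_user, now):
    """Loop over the secret names from the S3 file. Assumption: secret name == IAM user name, and
    keys_by_user stands in for what iam.list_access_keys(UserName=...) would return per user."""
    return {name: plan_user(keys_by_user.get(name, []), now) for name in parse_secret_list(file_text)}

# Constructed sample input (not from the page): the S3 file and per-user key metadata.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_FILE = "alice   # rotation due\nbob\n\ncarol\n"
def _key(key_id, days_old, status="Active"):
    return {"AccessKeyId": key_id, "Status": status, "CreateDate": NOW - timedelta(days=days_old)}
SAMPLE_KEYS = {
    "alice": [_key("AKIAEXAMPLEALICE1", 95)],
    "bob": [_key("AKIAEXAMPLEBOB001", 105), _key("AKIAEXAMPLEBOB002", 15)],
    "carol": [_key("AKIAEXAMPLECAROL1", 115, "Inactive"), _key("AKIAEXAMPLECAROL2", 25)],
}
```

In the real Lambda the planned actions map onto iam.create_access_key (followed by storing the new pair in the user's secret), iam.update_access_key with Status='Inactive', and iam.delete_access_key; the planner keeps that decision logic testable without calling AWS.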
{
"errorMessage": "Handler 'lambda_handler' missing on module 'lambda_function'",
"errorType": "Runtime.HandlerNotFound",
"stackTrace": [ ]
}
Check out this video which has templates for implementation of this feature - ruclips.net/video/8_ZGJKsBtvw/видео.html&ab_channel=BorrowedCloud
@BorrowedCloud I am new to AWS; can you help me with the implementation live? Can you share your number so I can call you?
I am getting an access denied exception when calling the GetSecretValue operation.
Check the permissions you have given in the policy attached to your IAM role.
Go through this video - ruclips.net/video/8_ZGJKsBtvw/видео.html&ab_channel=BorrowedCloud. I've provided a CloudFormation template which you can readily use in your environment.
{ "statusCode": 200, "body": "\"Hello from Lambda!\"" }
Is there any question?
The logic is wrong: if you make the keys inactive first, what if the keys are being used in an external application, like on-prem servers or DC servers?
As I said in the video, many customers have strict requirements to inactivate the keys after a period. For security reasons, they have to inactivate the keys even if those are being used by a few external apps.
What you can do is create an EventBridge rule to run 5 days prior to key inactivation and send an email to those teams to be ready to change the keys 5 days later. You can have multiple EventBridge rules to send reminders until the key inactivation day is reached.
@BorrowedCloud yep
@BorrowedCloud What you have explained is good. But could you please brief us enough to create the EventBridge rule and SNS topic?
Hey Dear,
I got this error while executing the script. Can you please have a look and provide me with a solution?
{
"errorMessage": "An error occurred (ValidationException) when calling the GetSecretValue operation: Invalid name. Must be a valid name containing alphanumeric characters, or any of the following: -/_+=.@!",
"errorType": "ClientError",
"requestId": "e2d3e06d-2b69-40ba-b1f7-c6fcc049c0a5",
"stackTrace": [
" File \"/var/task/lambda_function.py\", line 14, in lambda_handler
get_secret = secretsmanager.get_secret_value(SecretId=secret)
",
" File \"/var/runtime/botocore/client.py\", line 391, in _api_call
return self._make_api_call(operation_name, kwargs)
",
" File \"/var/runtime/botocore/client.py\", line 719, in _make_api_call
raise error_class(parsed_response, operation_name)
"
]
}
Response
{
"errorMessage": "'NoneType' object has no attribute 'split'",
"errorType": "AttributeError",
"stackTrace": [
" File \"/var/task/lambda_function.py\", line 11, in lambda_handler
secret_list = vsecret.split(';')
"
]
}
You must be missing a step... Go through ruclips.net/video/8_ZGJKsBtvw/видео.html&lc=UgyBVC5XxyEGoPkXELN4AaABAg&ab_channel=BorrowedCloud where I've given the CloudFormation stack for implementing this feature.
{
"errorMessage": "'action'",
"errorType": "KeyError",
"requestId": "056c4613-a7e9-4f62-b016-502200fc777f",
"stackTrace": [
" File \"/var/task/lambda_function.py\", line 108, in lambda_handler
faction=event [\"action\"]
"
]
}
Got this error after attaching the role.
Follow all steps in the given order.
Go through this video - ruclips.net/video/8_ZGJKsBtvw/видео.html&ab_channel=BorrowedCloud. I've provided a CloudFormation template which you can readily use in your environment.