github.com/square/password-rotation-lambda (module, package)
Version: 1.0.1
Repository: https://github.com/square/password-rotation-lambda.git
Documentation: pkg.go.dev

# README

Password Rotation Lambda

password-rotation-lambda is an AWS Lambda function (in Go) that rotates database passwords using AWS Secrets Manager. Currently, it supports RDS for MySQL.

This package handles the four Secrets Manager rotation steps and database-specific password setting. Your `main.go` imports this package (which exports itself as `rotate` for short) and provides AWS sessions/clients and a SecretSetter to decode your secret string.

```go
package main

import (
	"log"

	"github.com/aws/aws-lambda-go/lambda"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/rds"
	"github.com/aws/aws-sdk-go/service/secretsmanager"

	// The package name is rotate, not the last element of the import path
	rotate "github.com/square/password-rotation-lambda"
	"github.com/square/password-rotation-lambda/db/mysql"
)

func main() {
	// Start AWS session using env vars automatically set by Lambda
	sess, err := session.NewSession()
	if err != nil {
		log.Fatalf("error making AWS session: %s", err)
	}

	// Make password setter for MySQL (RDS)
	ps := mysql.NewPasswordSetter(mysql.Config{
		RDSClient: rds.New(sess),                   // RDS API client
		DbClient:  mysql.NewRDSClient(true, false), // RDS MySQL client (true=TLS, false=dry run)
	})

	// Make Rotator which is the Lambda function/handler
	r := rotate.NewRotator(rotate.Config{
		SecretsManager: secretsmanager.New(sess),
		PasswordSetter: ps,
	})

	// Run Rotator in Lambda, waiting for events from Secrets Manager
	lambda.Start(r.Handler)
}
```

More docs and examples to come.
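
The four rotation steps this package handles, sketched as an added example (not the project's own code): a simplified in-memory model of the AWSCURRENT, AWSPENDING and AWSPREVIOUS staging labels that shows each step being safe to retry and an unknown `Step` being rejected. The `store` type, the `handle` function, `errInvalidStep` and all sample values are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// Event mirrors the payload Secrets Manager sends to a rotation Lambda.
type Event struct{ SecretId, ClientRequestToken, Step string }

var errInvalidStep = errors.New("invalid rotation step")

// store is a constructed, simplified model of one secret and one DB user.
type store struct {
	versions map[string]string // version ID (ClientRequestToken) -> password
	stage    map[string]string // staging label -> version ID
	dbPass   string            // password currently set on the database
}

// handle applies one rotation step; each step must be safe to retry.
func (s *store) handle(ev Event, newPass func() string) error {
	tok := ev.ClientRequestToken
	switch pw, ok := s.versions[tok]; {
	case ev.Step == "createSecret":
		if !ok { // a retry keeps the value that is already staged
			s.versions[tok] = newPass()
			s.stage["AWSPENDING"] = tok
		}
	case ev.Step != "setSecret" && ev.Step != "testSecret" && ev.Step != "finishSecret":
		return fmt.Errorf("%w: %q", errInvalidStep, ev.Step)
	case !ok:
		return fmt.Errorf("%s received before createSecret", ev.Step)
	case ev.Step == "setSecret":
		s.dbPass = pw // stands in for changing the password on the database
	case ev.Step == "testSecret" && s.dbPass != pw:
		return errors.New("pending password not accepted by database")
	case ev.Step == "finishSecret" && s.stage["AWSCURRENT"] != tok:
		s.stage["AWSPREVIOUS"], s.stage["AWSCURRENT"] = s.stage["AWSCURRENT"], tok
		delete(s.stage, "AWSPENDING")
	}
	return nil
}

func main() {
	s := &store{map[string]string{"v1": "old"}, map[string]string{"AWSCURRENT": "v1"}, "old"} // constructed state
	for _, step := range []string{"createSecret", "setSecret", "testSecret", "finishSecret"} {
		err := s.handle(Event{"demo-secret", "v2", step}, func() string { return "new" })
		fmt.Println(step, err, s.stage)
	}
}
```

The old version keeps the AWSPREVIOUS label after promotion, so a failed rollout can still be traced back to the prior credential.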

# Functions

InvokedBySecretsManager returns true if the event is from Secrets Manager.
NewRotator creates a new Rotator.

# Constants

password character length for RandomPassword.

# Variables

Debug enables debug output to STDERR.
DebugSecret IS DANGEROUS: it prints secret values to STDERR when Debug is enabled.
ErrInvalidStep is returned if the "Step" value in the Secrets Manager event is not one of "createSecret", "setSecret", "testSecret", or "finishSecret".

# Structs

Config represents the user-provided configuration for a Rotator.
Event is an important event during the four-step Secrets Manager rotation process.
NullEventReceiver is the default EventReceiver if none is provided in the Config.
RandomPassword is the default SecretSetter used by Rotator if none is specified in the Config.
Rotator is the AWS Lambda function and handler.

# Interfaces

EventReceiver receives events from a Rotator during the four-step Secrets Manager rotation process.
SecretSetter manages the user-specific secret value.