aws-secrets-manager-rotation-lambdas

Secrets rotation fails for Oracle RDS with SSL or NNE

Open smislam opened this issue 5 months ago • 4 comments

Based on the documentation, Oracle RDS Secrets rotation for SSL is not supported.

I am testing with Oracle NNE (with endpoints for both Secrets Manager and RDS) and getting the following error.

[ERROR] ValueError: Unable to log into database with previous, current, or pending secret of secret arn arn:aws:secretsmanager:REGION:ACCOUNT:secret:MYSECRET

This would be for both Single and Multi user flows. Are there any plans to support RDS Oracle credential rotation with SSL or NNE in the near future? If not, do you have any recommendations?

smislam, Jan 10 '24 19:01

We have the same issue. After downloading the lambda code and adding some logging I can see:

Connection to db failed: SCRAM authentication requires libpq version 10 or above

Edit: Sorry I misread that you are using Oracle.

holomekc, Jan 12 '24 13:01

Bumping this up! AWS, any feedback or information we can get about this issue?

mim-Armand, Jan 29 '24 15:01

Thanks for the report. We are looking into upgrading some of the dependencies in order to support Python 3.12 and will look into this as well.

jbct, Feb 05 '24 19:02

@jbct, Thank you for looking into this.

I wanted to give you more information on this. Please DM me if you need additional info.

For Oracle NNE

The lambda works when you have the following parameters unset or set to 'true' and 'ACCEPTED' respectively in the RDS Options group. However, it is not recommended for security reasons.

'SQLNET.ALLOW_WEAK_CRYPTO_CLIENTS': 'FALSE',
'SQLNET.ENCRYPTION_CLIENT': 'REQUIRED',

For Oracle TLS

The lambda doesn't work.

smislam, Feb 06 '24 17:02
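
Added example, not part of the thread or of the rotation Lambda code: a check for option groups where the two NNE settings named in the last comment have been relaxed from the hardened values quoted there. It reads the response shape of boto3's `describe_option_groups`; the sample response, group names and helper names are constructed for illustration.

```python
# Hardened values for the two NNE settings, as quoted in the thread.
HARDENED = {
    "SQLNET.ALLOW_WEAK_CRYPTO_CLIENTS": "FALSE",
    "SQLNET.ENCRYPTION_CLIENT": "REQUIRED",
}

def _group(name, weak=None, client=None):
    """Build a constructed option group entry (sample data only)."""
    if weak is None:
        return {"OptionGroupName": name, "Options": []}
    return {"OptionGroupName": name, "Options": [{
        "OptionName": "NATIVE_NETWORK_ENCRYPTION",
        "OptionSettings": [
            {"Name": "SQLNET.ALLOW_WEAK_CRYPTO_CLIENTS", "Value": weak},
            {"Name": "SQLNET.ENCRYPTION_CLIENT", "Value": client},
        ]}]}

# Constructed sample in the shape returned by rds.describe_option_groups().
SAMPLE_RESPONSE = {"OptionGroupsList": [
    _group("oracle-nne-strict", "FALSE", "REQUIRED"),
    _group("oracle-nne-relaxed", "TRUE", "ACCEPTED"),
    _group("oracle-no-nne"),
]}

def nne_settings(option_group):
    """Return {name: upper-cased value} for the NNE option, or None if not attached."""
    for option in option_group.get("Options", []):
        if option.get("OptionName") == "NATIVE_NETWORK_ENCRYPTION":
            return {s["Name"]: (s.get("Value") or "").strip().upper()
                    for s in option.get("OptionSettings", [])}
    return None

def audit_nne(option_group):
    """Hypothetical helper: report each setting that deviates from HARDENED."""
    name = option_group.get("OptionGroupName", "<unnamed>")
    settings = nne_settings(option_group)
    if settings is None:
        return {"group": name, "status": "nne-absent",
                "deviations": {k: "UNSET" for k in HARDENED}}
    deviations = {k: (settings.get(k) or "UNSET")
                  for k, wanted in HARDENED.items() if settings.get(k) != wanted}
    return {"group": name, "status": "weakened" if deviations else "hardened",
            "deviations": deviations}

def audit_all(response):
    return [audit_nne(g) for g in response.get("OptionGroupsList", [])]

if __name__ == "__main__":
    for result in audit_all(SAMPLE_RESPONSE):
        print(result)
```

Against a live account, pass the result of `boto3.client("rds").describe_option_groups()` to `audit_all` instead of the sample.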