
Ability to specify password length/specific characters to exclude

Open colin-teamcmp opened this issue 5 years ago • 5 comments

We've had some issues with some characters that are not excluded on mariadb. We are excluding the following: '%{}`/@"'\'

It would be nice if that was configurable. It would also be nice if we could somehow configure the random password length.

Thanks!

colin-teamcmp avatar Aug 07 '19 14:08 colin-teamcmp

The behavior you're describing can be configured today.

In the rotation lambda, you can configure what characters you want to exclude here - https://github.com/aws-samples/aws-secrets-manager-rotation-lambdas/blob/master/SecretsManagerRDSMariaDBRotationSingleUser/lambda_function.py#L116 .

You can also specify a random password length. Here is the documentation of the GetRandomPassword api to do so - https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetRandomPassword.html

lasred avatar Oct 23 '19 22:10 lasred

The behavior you're describing can be configured today.

In the rotation lambda, you can configure what characters you want to exclude here - https://github.com/aws-samples/aws-secrets-manager-rotation-lambdas/blob/master/SecretsManagerRDSMariaDBRotationSingleUser/lambda_function.py#L116 .

But in the line you've linked to, the excluded characters are hard coded, not configurable via a parameter. In the context of using this as a Serverless Application Repository application, modifying the source code is not a solution. It should be possible to supply an additional parameter the same way endpoint_url is provided, to control the excluded characters.

bobobox avatar Jan 02 '20 17:01 bobobox

It looks like #32 addressed this when you're deploying separate rotators for each set of password requirements, but that doesn't solve the issue very generally. Would it be acceptable to add an optional member to the secret object matching the arguments to GetRandomPassword?

e.g.:

{
  "engine": "postgres",
  "username": "rotatingUser",
  ...
  "generation": {
    "ExcludePunctuation": true,
    "PasswordLength": 30
  }
}

hauntingEcho avatar Sep 15 '20 21:09 hauntingEcho
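One way to implement the proposal above, as an added example that is not code from the aws-secrets-manager-rotation-lambdas project: the rotation lambda reads an optional "generation" member from the secret, accepts only the GetRandomPassword parameter names, and keeps its own character exclusions in force so a secret cannot re-enable characters the connection code breaks on. FakeSecretsClient, the default length of 32 and the baseline exclusion set are assumptions made so the example runs offline; in the real lambda the boto3 secretsmanager client is passed in instead.

```python
import secrets
import string

# Parameter names and types of the GetRandomPassword API (from the AWS API reference).
GENERATION_KEYS = {
    "ExcludeCharacters": str, "ExcludeLowercase": bool, "ExcludeNumbers": bool,
    "ExcludePunctuation": bool, "ExcludeUppercase": bool, "IncludeSpace": bool,
    "PasswordLength": int, "RequireEachIncludedType": bool,
}

# Characters the connection code cannot tolerate (assumed baseline; the sample lambda
# hard-codes its own set). They stay excluded regardless of what the secret requests.
BASELINE_EXCLUDE = ':/@"\'\\'


def build_generation_params(secret_dict):
    """Map the optional "generation" member of the secret to GetRandomPassword kwargs."""
    params = {"ExcludeCharacters": BASELINE_EXCLUDE, "PasswordLength": 32}  # assumed defaults
    gen = secret_dict.get("generation", {})
    if not isinstance(gen, dict):
        raise ValueError('"generation" must be a JSON object')
    for key, value in gen.items():
        expected = GENERATION_KEYS.get(key)
        # Reject unknown keys and wrong types so secret content is never forwarded blindly.
        if expected is None or type(value) is not expected:
            raise ValueError("bad generation parameter: %r" % key)
        params[key] = value
    if params["PasswordLength"] < 1:
        raise ValueError("PasswordLength must be positive")
    # Union with the baseline so a secret cannot re-enable characters the lambda breaks on.
    params["ExcludeCharacters"] = "".join(sorted(set(BASELINE_EXCLUDE) | set(params["ExcludeCharacters"])))
    return params


class FakeSecretsClient:
    """Offline stand-in for boto3's secretsmanager client (hypothetical, for this example)."""

    def get_random_password(self, **kw):
        alphabet = set("" if kw.get("ExcludeLowercase") else string.ascii_lowercase)
        alphabet |= set("" if kw.get("ExcludeUppercase") else string.ascii_uppercase)
        alphabet |= set("" if kw.get("ExcludeNumbers") else string.digits)
        alphabet |= set("" if kw.get("ExcludePunctuation") else string.punctuation)
        alphabet -= set(kw.get("ExcludeCharacters", ""))
        rng = secrets.SystemRandom()
        return {"RandomPassword": "".join(rng.choice(sorted(alphabet)) for _ in range(kw["PasswordLength"]))}


def generate_password(client, secret_dict):
    """What create_secret() in the rotation lambda would call instead of the hard-coded call."""
    return client.get_random_password(**build_generation_params(secret_dict))["RandomPassword"]
```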

For the password length issue, please reference this issue. We'll be updating it shortly and want to keep all relevant info in one place since we have multiple requests for this feature.

Having the password generation parameters as part of the secret map is something we can look into, and we will keep this issue updated.

eddielou avatar Jan 15 '21 03:01 eddielou

Maybe it should handle all parameters: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html

florentcuret avatar Feb 12 '21 08:02 florentcuret