aws-secrets-manager-rotation-lambdas
Ability to specify password length/specific characters to exclude
We've had some issues with some characters that are not excluded on MariaDB. We are excluding the following: '%{}`/@"'\'
It would be nice if that was configurable. It would also be nice if we could somehow configure the random password length.
Thanks!
The behavior you're describing can be configured today.
In the rotation lambda, you can configure what characters you want to exclude here: https://github.com/aws-samples/aws-secrets-manager-rotation-lambdas/blob/master/SecretsManagerRDSMariaDBRotationSingleUser/lambda_function.py#L116
You can also specify a random password length. Here is the documentation of the GetRandomPassword api to do so - https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetRandomPassword.html
> The behavior you're describing can be configured today.
> In the rotation lambda, you can configure what characters you want to exclude here: https://github.com/aws-samples/aws-secrets-manager-rotation-lambdas/blob/master/SecretsManagerRDSMariaDBRotationSingleUser/lambda_function.py#L116
But in the line you've linked to, the excluded characters are hard coded, not configurable via a parameter. In the context of using this as a Serverless Application Repository application, modifying the source code is not a solution. It should be possible to supply an additional parameter, the same way endpoint_url is provided, to control the excluded characters.
It looks like #32 addressed this when you're deploying separate rotators for each set of password requirements, but that doesn't solve the issue very generally. Would it be acceptable to add an optional member to the secret object matching the arguments to GetRandomPassword?
e.g.:

    {
        "engine": "postgres",
        "username": "rotatingUser",
        ...
        "generation": {
            "ExcludePunctuation": true,
            "PasswordLength": 30
        }
    }
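As an added illustration (not code from the rotation-lambdas repository or from the commenter), here is how a rotation lambda could honour such a "generation" member: it merges the member over a set of defaults and rejects keys that are not GetRandomPassword parameters, so a typo in the secret cannot silently weaken the generated password. The default exclusion list (taken from the first comment) and the default length of 32 are assumptions, and the "generation" key itself is the proposal from this thread, not an existing lambda feature.

```python
# Parameter names and types accepted by GetRandomPassword (per the API reference).
GET_RANDOM_PASSWORD_PARAMS = {
    "PasswordLength": int,
    "ExcludeCharacters": str,
    "ExcludeNumbers": bool,
    "ExcludePunctuation": bool,
    "ExcludeUppercase": bool,
    "ExcludeLowercase": bool,
    "IncludeSpace": bool,
    "RequireEachIncludedType": bool,
}

# Assumed defaults: the reporter's MariaDB exclusion list and an arbitrary length.
DEFAULT_GENERATION = {
    "ExcludeCharacters": '%{}`/@"\'\\',
    "PasswordLength": 32,
}


def build_password_request(secret_dict, defaults=DEFAULT_GENERATION):
    """Return kwargs for get_random_password from the hypothetical
    secret_dict["generation"] member, falling back to defaults."""
    request = dict(defaults)
    overrides = secret_dict.get("generation", {})
    if not isinstance(overrides, dict):
        raise ValueError('"generation" must be a JSON object')
    for key, value in overrides.items():
        expected = GET_RANDOM_PASSWORD_PARAMS.get(key)
        if expected is None:
            raise ValueError(f"unknown GetRandomPassword parameter: {key}")
        # bool is a subclass of int, so reject booleans for integer parameters.
        if not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
            raise ValueError(f"{key} must be of type {expected.__name__}")
        request[key] = value
    # GetRandomPassword accepts lengths from 1 to 4096.
    if not 1 <= request["PasswordLength"] <= 4096:
        raise ValueError("PasswordLength must be between 1 and 4096")
    return request


if __name__ == "__main__":
    # Constructed sample secret shaped like the one proposed above.
    sample = {"engine": "postgres", "username": "rotatingUser",
              "generation": {"ExcludePunctuation": True, "PasswordLength": 30}}
    kwargs = build_password_request(sample)
    print(kwargs)
    # In the lambda this would feed: service_client.get_random_password(**kwargs)
```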
For the password length issue, please reference this issue. We'll be updating it shortly and want to keep all relevant info in one place since we have multiple requests for this feature.
Having the password generation parameters as part of the secret map is something we can look into, and we will keep this issue updated.
Maybe it should handle all parameters: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html