
Postgres Multi User Rotation does not preserve grants

Open thekevinbrown opened this issue 4 years ago • 1 comments

From: https://forums.aws.amazon.com/thread.jspa?threadID=322708

  1. We create an environment and apply a bunch of grants.
  2. A rotation occurs. This copies the grants over to the new user that's created.
  3. We continue to do dev work on the service, granting additional permissions on new tables.
  4. Another rotation occurs. Since the other user already exists, the lambda doesn't try to copy grants over (e.g. it follows the logic in the else here: https://github.com/aws-samples/aws-secrets-manager-rotation-lambdas/blob/master/SecretsManagerRDSPostgreSQLRotationMultiUser/lambda_function.py#L194)
  5. At this point, the grants applied as part of #3 aren't there, and we get permission denied errors.

thekevinbrown avatar Jun 05 '20 05:06 thekevinbrown
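To make the failure mode concrete: the fix is to re-sync grants on every rotation, not only when the alternate user is first created. The following is an added example, not code from the rotation lambda; it diffs `information_schema.role_table_grants` rows for the two users and emits only the GRANT statements the alternate user is missing (role names and rows are constructed; schema-level USAGE grants are out of scope here).

```python
from collections import defaultdict

# Constructed sample of rows as returned by
#   SELECT grantee, table_schema, table_name, privilege_type
#   FROM information_schema.role_table_grants WHERE grantee IN (%s, %s);
# "app_user" / "app_user_clone" are hypothetical names for the two rotating users.
SAMPLE_ROWS = [
    ("app_user", "public", "orders", "SELECT"),
    ("app_user", "public", "orders", "INSERT"),
    ("app_user", "public", "invoices", "SELECT"),  # granted after the first rotation
    ("app_user_clone", "public", "orders", "SELECT"),
    ("app_user_clone", "public", "orders", "INSERT"),
]


def quote_ident(name):
    """Double-quote a SQL identifier, escaping embedded double quotes."""
    return '"' + name.replace('"', '""') + '"'


def privileges_by_table(rows, grantee):
    """Map (schema, table) -> set of privilege names held by grantee."""
    privs = defaultdict(set)
    for g, schema, table, priv in rows:
        if g == grantee:
            privs[(schema, table)].add(priv)
    return privs


def missing_grant_statements(current_user, alternate_user, rows):
    """GRANT statements giving alternate_user every table privilege that
    current_user holds and alternate_user lacks; sorted for determinism."""
    have = privileges_by_table(rows, alternate_user)
    want = privileges_by_table(rows, current_user)
    stmts = []
    for (schema, table), privs in sorted(want.items()):
        missing = sorted(privs - have.get((schema, table), set()))
        if missing:
            stmts.append("GRANT %s ON %s.%s TO %s" % (
                ", ".join(missing), quote_ident(schema),
                quote_ident(table), quote_ident(alternate_user)))
    return stmts


def sync_table_grants(conn, current_user, alternate_user):
    """Run inside the rotation step on a DB-API connection (hypothetical helper):
    fetch live grants for both users and apply whatever the alternate is missing."""
    with conn.cursor() as cur:
        cur.execute("SELECT grantee, table_schema, table_name, privilege_type "
                    "FROM information_schema.role_table_grants WHERE grantee IN (%s, %s)",
                    (current_user, alternate_user))
        for stmt in missing_grant_statements(current_user, alternate_user, cur.fetchall()):
            cur.execute(stmt)  # identifiers are quoted, so no interpolation of user input
    conn.commit()
```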

I believe this issue goes much deeper than just the grants from the users. I have noticed it breaking our services due to permission errors for schemas created by user2 not being accessible to user1.

Have opened this: https://github.com/aws-samples/aws-secrets-manager-rotation-lambdas/issues/56

jweilhammer avatar May 13 '21 18:05 jweilhammer

We have addressed this issue by updating the documentation on when to use the single or multi-user rotation strategy.

goyalya avatar May 22 '23 19:05 goyalya