MySql MultiUser RDS credential rotation causes permission denied on grant
Hi,
My team is attempting to use the MySQL multi-user rotation script and is running into a permissions issue. The first rotation runs successfully, creates the *_clone user and sets its password correctly. The issue occurs when the second rotation runs.
When this runs, the script gets to this point before it fails: https://github.com/aws-samples/aws-secrets-manager-rotation-lambdas/blob/80b407354909519cf4f2d744c2d9dace09b05d39/SecretsManagerRDSMySQLRotationMultiUser/lambda_function.py#L210
The *_clone user attempts to run the query that sets the grants for the initial user, and it fails with a permission denied error from the database. The only way we have been able to get this to work is to modify line 210 and add "WITH GRANT OPTION". Otherwise the script bombs out and fails. Should the _clone user be attempting to modify the grants on the initial user, or is there some other configuration we are missing?
Modified line 210:
    cur.execute(new_grant_escaped + " TO %s WITH GRANT OPTION", (pending_dict['username'],))
Error from the unmodified script:
    [ERROR] OperationalError: (1045, "Access denied for user '*_clone'@'%' (using password: YES)")
    Traceback (most recent call last):
      File "/var/task/lambda_function.py", line 78, in lambda_handler
        set_secret(service_client, arn, token)
      File "/var/task/lambda_function.py", line 210, in set_secret
        cur.execute(new_grant_escaped + " TO %s", (pending_dict['username'],))
Thanks,
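The failure described in this issue comes down to a MySQL rule: to run GRANT, the grantor must hold every privilege it is handing out, and must hold it WITH GRANT OPTION. A user that was created by copying grants without GRANT OPTION can therefore never hand those grants back to its partner on the next rotation. The following pre-flight check is an added example and is not code from the aws-samples repository; it assumes, as the question describes, that the rotation copies grants by reading the current user's `SHOW GRANTS` output and replaying each line against the pending user. The `SHOW GRANTS` lines, the user names `app` and `app_clone`, and the function names are constructed for the example.

```python
import re

# Matches one line of MySQL `SHOW GRANTS FOR ...` output, e.g.
#   GRANT SELECT, INSERT ON `appdb`.* TO 'app'@'%' WITH GRANT OPTION
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<obj>.+?)\s+TO\s+"
    r"(?P<grantee>'[^']+'@'[^']+')"
    r"(?P<opt>\s+WITH\s+GRANT\s+OPTION)?\s*$",
    re.IGNORECASE,
)


def parse_grant(line):
    """Split one SHOW GRANTS line into its parts; None if it is not a GRANT."""
    m = GRANT_RE.match(line.strip())
    if not m:
        return None
    return {
        "privs": m.group("privs"),
        "object": m.group("obj"),
        "grantee": m.group("grantee"),
        "grant_option": m.group("opt") is not None,
    }


def plan_grant_copy(show_grants_lines, pending_user, pending_host="%"):
    """Rewrite each grant of the current user so it targets the pending user.

    MySQL requires the grantor to hold each privilege WITH GRANT OPTION, so a
    line copied without that clause is one the clone user cannot replay later.
    """
    target = f"'{pending_user}'@'{pending_host}'"
    plan = []
    for line in show_grants_lines:
        g = parse_grant(line)
        if g is None:
            continue
        stmt = f"GRANT {g['privs']} ON {g['object']} TO {target}"
        if g["grant_option"]:
            stmt += " WITH GRANT OPTION"
        plan.append({"statement": stmt, "grantable": g["grant_option"]})
    return plan


def first_failing_grant(plan):
    """Return the first statement the copied user would be denied, or None."""
    for p in plan:
        if not p["grantable"]:
            return p["statement"]
    return None


# Constructed SHOW GRANTS output for a user set up without GRANT OPTION:
# the first rotation can copy these, but the clone cannot copy them back.
SAMPLE_SHOW_GRANTS_NO_OPTION = [
    "GRANT USAGE ON *.* TO 'app'@'%'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `appdb`.* TO 'app'@'%'",
]

# Constructed SHOW GRANTS output for the corrected setup: each privilege is
# held WITH GRANT OPTION, so either user of the pair can re-grant to the other.
SAMPLE_SHOW_GRANTS_WITH_OPTION = [
    "GRANT USAGE ON *.* TO 'app'@'%' WITH GRANT OPTION",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `appdb`.* TO 'app'@'%' WITH GRANT OPTION",
]

if __name__ == "__main__":
    for label, lines in (("no option", SAMPLE_SHOW_GRANTS_NO_OPTION),
                         ("with option", SAMPLE_SHOW_GRANTS_WITH_OPTION)):
        plan = plan_grant_copy(lines, "app_clone")
        print(label, "->", first_failing_grant(plan) or "all grants copyable")
```

Running the check on the real `SHOW GRANTS FOR <user>` output of the primary user before enabling rotation tells you whether the second rotation will hit the Access denied error: any line reported by `first_failing_grant` has to be re-issued to the primary user `WITH GRANT OPTION` (or the rotation has to be done by a user that holds those privileges with GRANT OPTION) for the pair to keep swapping.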