Getting db credentials from the application after secret rotation
Hi,
We use copilot to deploy our spring boot application on aws ecs and need to rotate the db credentials located in secretsmanager. AFAIK, the application can access the db with now-stale credentials after secret rotation. Is it possible that the app can do it until restart or redeploy? The manifest.yml file of copilot is like:
```yaml
secrets:
  DB_USERNAME:
    secretsmanager: 'demo/test/mysql:username::'
  DB_PASSWORD:
    secretsmanager: 'demo/test/mysql:password::'
```
Or do we need to use aws-secretsmanager-jdbc dependency?
Hey @yasinkayade!😊
> AFAIK, the application can access the db with now-stale credentials after secret rotation
Are you saying that you've rotated credentials already and the app still has access to the database?
When you rotate credentials in secrets manager, your container won't get the new values until the task is relaunched. You can do this by running copilot svc deploy --force, which will restart your container and deploy a new task definition that will get the new secret values.
Hi @dannyrandall,
No, I did not rotate the credentials yet. My question is whether the application can still access the db with now-stale credentials after secret rotation until a restart or redeploy? Otherwise we would have to run the script after each rotation, and that would not be comfortable.
Gotcha! I think it depends on which database engine you're using and what rotation strategy you use in secrets manager. If you don't want the application to lose access until you can update it to use new credentials, you could use the Alternating users rotation strategy.
Another option is to use the Single user rotation strategy, and have the application get the current secret value using the AWS SDK. This is what the aws-secretsmanager-jdbc dependency does for you - caches the current value of the secret and refreshes the value when the credentials are updated. (more info)
That's some background information ⬆️ , but based on what you're asking, it sounds like the solution that may work best for you is to use the Single user rotation strategy in secrets manager and use the aws-secretsmanager-jdbc dependency to automatically update the value of the secrets when they rotate so that your application doesn't lose access to the DB, and you don't have to worry about restarting or redeploying the application.
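As an added example of the setup described in the reply above (not from the issue, the Copilot project, or the aws-secretsmanager-jdbc project itself), this is the Spring Boot `application.properties` for using the `aws-secretsmanager-jdbc` wrapper driver with the Single user rotation strategy. It assumes the Maven dependency `com.amazonaws.secretsmanager:aws-secretsmanager-jdbc` plus MySQL Connector/J are on the classpath, that the secret `demo/test/mysql` is a JSON secret with `username` and `password` keys (as the manifest above implies), and that the MySQL host, port and database name are placeholders.

```properties
# application.properties (added example; names and host are assumptions)

# Prefix the normal JDBC URL with "jdbc-secretsmanager:" so the wrapper driver
# intercepts the connection instead of the plain MySQL driver.
spring.datasource.url=jdbc-secretsmanager:mysql://mydb.example.internal:3306/appdb

# The "username" is the Secrets Manager secret ID (name or ARN), not a DB user.
# The driver calls GetSecretValue, reads the "username" and "password" JSON keys
# of that secret, and passes those to the real MySQL driver.
spring.datasource.username=demo/test/mysql

# No password property: the driver takes it from the secret. Do not inject
# DB_PASSWORD via the Copilot manifest any more, or you are back to a stale value.

# Wrapper driver class from aws-secretsmanager-jdbc (delegates to com.mysql.cj.jdbc.Driver).
spring.datasource.driver-class-name=com.amazonaws.secretsmanager.sql.AWSSecretsManagerMySQLDriver

# Optional: recycle pooled connections more often (10 minutes) so sessions that
# were authenticated with the pre-rotation password do not linger indefinitely.
spring.datasource.hikari.max-lifetime=600000
```

How this behaves across a rotation: the driver caches the secret value, so steady-state connections do not hit the Secrets Manager API. After the Single user rotation replaces the DB password, the next new connection fails authentication, the driver refreshes its cached secret and retries with the new credentials, so no restart or `copilot svc deploy --force` is needed. Connections that were already open keep working, because MySQL does not drop existing sessions when a user's password changes. Two things to check before relying on it: the ECS task role (not the execution role that Copilot uses to inject `secrets:`) must be allowed `secretsmanager:GetSecretValue` on `demo/test/mysql`, plus `kms:Decrypt` if the secret uses a customer-managed KMS key, which in Copilot means adding a policy through an addon; and the `secrets:` entries for `DB_USERNAME`/`DB_PASSWORD` in the manifest should be removed so the stale copies are not left in the task definition.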
This issue is stale because it has been open 60 days with no response activity, and is tagged with pending/question. Remove the stale label, add a comment, or this will be closed in 14 days.
This issue is closed due to inactivity. Feel free to reopen the issue if you have any follow-ups!