Auto Rotating RDS & WordPress Credentials with AWS Secrets & System Manager

Auto-rotating credentials with Secrets Manager lets you follow AWS security best practice: credentials are rotated often, on a set schedule, in a safe and controlled manner.

With AWS Secrets Manager, you can either rotate the secret for a single user with a single password, or rotate by alternating between two users. Rotating between users gives higher availability and less risk of connection errors while credentials are being rotated. In this example, however, we're going to rotate a single RDS user, the one referenced in the wp-config.php file.

Infrastructure Overview

The infrastructure I'll be using is a common WordPress setup on AWS: EC2 instances in an Auto Scaling group, fronted by an ALB, backed by a MySQL RDS instance.

AWS Secrets Manager Infrastructure Overview

Solution Overview

Our desired solution is to have the RDS credentials auto-rotate on a set schedule. When this occurs, we want the WordPress configuration on the running instances to update dynamically. We also want newly launched instances to pull the current password on startup and configure wp-config.php accordingly.

In order to achieve this we need to leverage a few AWS services. Secrets Manager will hold our credentials as well as the schedule on which to rotate them. Secrets Manager uses a Lambda function to do the heavy lifting when rotating the credentials. If you use the AWS console to create the secret and set up auto rotation, the Lambda function is created automatically along with the appropriate IAM role. If you're using Terraform or another Infrastructure as Code tool, you'll need to create these yourself.

Systems Manager's Run Command will be leveraged to dynamically update the running instances. This is done by modifying the set_secret stage of the rotation Lambda.

In order to run commands via SSM, you'll need the SSM agent installed on the instances and an instance IAM role with sufficient permissions attached. You'll also need to allow the Lambda's role to call ssm:SendCommand to initiate the command.

AWS Secrets Manager Solution Overview

Using Systems Manager's Run Command to Update the WordPress Configuration

Using SSM, you can target which EC2 instances to update by tag. If you only need this solution for a single stack in one AWS account, you could keep things simple and put these values in the Lambda itself as environment variables. However, if you have multiple stacks to update and wish to reuse a single Lambda, you can put the value to search on into the secret itself, for example as an additional key. The value of the secret being rotated is passed to the Lambda, including our additional key, which can then be used to target specific instances:

{
  "host"       : "ProdServer-01.databases.example.com",
  "port"       : "3306",
  "username"   : "administrator",
  "password"   : "[email protected]!F0r+Th3_Acc0unt",
  "dbname"     : "MyDatabase",
  "engine"     : "mysql",
  "stack"      : "foo"
}

# Additional SSM call in the rotation Lambda's set_secret stage.
# pending_dict is the AWSPENDING secret value the rotation Lambda has already parsed.
import boto3

ssm = boto3.client('ssm')

# Back up wp-config.php to /tmp, then rewrite only the DB_PASSWORD line with the
# pending password. Note that the password is interpolated into the PHP string
# as-is, so a password containing a double quote or % would break this command.
command = """rm -f /tmp/wp-config.php.bak; \
             cp /var/www/html/wp-config.php /tmp/wp-config.php.bak; \
             while IFS= read -r LINE; do echo "$LINE" | grep -iq DB_PASSWORD; \
             if [ "$?" = "0" ]; then echo 'define("DB_PASSWORD", "%s");'; \
             else echo "$LINE"; fi; done < /tmp/wp-config.php.bak > /var/www/html/wp-config.php""" % pending_dict['password']

# Target every instance whose "stack" tag matches the secret's extra "stack" key.
response = ssm.send_command(
  Targets=[{ 'Key': 'tag:stack',
             'Values': [pending_dict['stack']] }],
  DocumentName='AWS-RunShellScript',
  Parameters={"commands": [command]})

With the above example, when Secrets Manager rotates the secret, all instances tagged stack=foo will also have their configuration seamlessly updated.
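Below is an added, more defensive version of that set_secret step; it is example code written for this page, not the post's or AWS's own rotation template. It keeps the page's tag:stack targeting and AWS-RunShellScript document, but shell-quotes the new DB_PASSWORD line so arbitrary passwords cannot break the command, and then waits on the invocations and fails the rotation if any instance did not succeed (the waiting step is an addition; it assumes the Lambda's role is also allowed ssm:ListCommandInvocations).

```python
import shlex
import time

WP_CONFIG = "/var/www/html/wp-config.php"  # path used by the post
FINISHED = {"Success", "Failed", "Cancelled", "TimedOut"}  # terminal SSM invocation states


def php_single_quoted(value):
    """Escape a value for a PHP single-quoted string literal."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def build_wp_config_command(password, path=WP_CONFIG):
    """Shell script that backs up wp-config.php and rewrites only the DB_PASSWORD line.
    Path and new line are shell-quoted, so quotes, spaces, '$' or '%' cannot break it."""
    new_line = "define('DB_PASSWORD', %s);" % php_single_quoted(password)
    return (
        "set -e; cp {p} {p}.bak; NEW_LINE={n}; "
        "while IFS= read -r LINE; do case \"$LINE\" in "
        "*DB_PASSWORD*) printf '%s\\n' \"$NEW_LINE\";; *) printf '%s\\n' \"$LINE\";; esac; "
        "done < {p}.bak > {p}"
    ).format(p=shlex.quote(path), n=shlex.quote(new_line))


def ssm_targets(pending_dict):
    """Target filter from the secret's extra 'stack' key: instances tagged stack=<value>."""
    return [{"Key": "tag:stack", "Values": [pending_dict["stack"]]}]


def push_password_to_instances(pending_dict, ssm=None, timeout=120, poll=5):
    """set_secret step: send the rewrite to every tagged instance, wait for the
    invocations, and fail the rotation unless every instance reports Success."""
    if ssm is None:
        import boto3  # lazy import so the pure helpers above run without boto3
        ssm = boto3.client("ssm")
    resp = ssm.send_command(Targets=ssm_targets(pending_dict), DocumentName="AWS-RunShellScript",
                            Parameters={"commands": [build_wp_config_command(pending_dict["password"])]})
    command_id = resp["Command"]["CommandId"]
    deadline = time.time() + timeout
    while True:
        invs = ssm.list_command_invocations(CommandId=command_id)["CommandInvocations"]
        statuses = {i["InstanceId"]: i["Status"] for i in invs}  # empty until targets resolve
        if statuses and FINISHED.issuperset(statuses.values()):
            break
        if time.time() > deadline:
            raise RuntimeError("SSM command %s did not finish in %ss" % (command_id, timeout))
        time.sleep(poll)
    failed = {k: v for k, v in statuses.items() if v != "Success"}
    if failed:
        raise RuntimeError("wp-config.php update failed on %s" % failed)
    return statuses
```

Raising from set_secret makes Secrets Manager leave the secret at AWSPENDING rather than promoting a password the web tier never received.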

Conclusion

Secrets Manager is the perfect tool for auto-rotating passwords. Its integration with AWS services such as RDS makes it extremely simple to implement, so with little effort you can have your credentials rotating automatically in no time.
