You can configure AWS Secrets Manager to automatically rotate the secret (password) for your Amazon DocumentDB cluster. When automatic rotation is selected, AWS Secrets Manager creates a Lambda function which is scheduled to perform the rotation.
The security group attached to the database needs to permit inbound access from the Lambda function that AWS Secrets Manager creates. By default, the Lambda function is assigned the same security group used by your Amazon DocumentDB cluster. You will need to edit your Amazon DocumentDB cluster’s security group to permit inbound connections from itself (from Lambda to the Amazon DocumentDB cluster via the same security group).
(1) Go to the EC2 console and select Security Groups from the left panel.
(2) Select the getting-started-docDbInbound security group, then select Edit inbound rules.
(3) Select Add rule, choose Custom TCP, enter port 27017, and then select the security group whose name begins with getting-started from the drop-down list.
Your Inbound rules screen should look like the screenshot below, with two rules: one allowing AWS Cloud9 access that was created earlier, and the new one permitting inbound access from the Amazon DocumentDB security group to itself, which will be used by the Lambda rotation function that AWS Secrets Manager creates. Select Save rules.
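The two rules above are the minimum the rotation function needs: a self-referencing rule on port 27017 rather than a rule open to the internet. The following Python audit, added here and not part of the lab, checks a security group description in the JSON shape returned by `aws ec2 describe-security-groups` for exactly that: a TCP rule covering 27017 whose source is the group's own ID, and no rule on that port open to 0.0.0.0/0 or ::/0. The group IDs and the sample group are constructed placeholders.

```python
"""Audit a DocumentDB security group for the self-referencing 27017 rule.

Added example (not the lab's own code). Input is one entry of the JSON that
`aws ec2 describe-security-groups` returns; the sample below is constructed.
"""
import json

DOCDB_PORT = 27017

# Constructed sample group with placeholder IDs: the Cloud9 rule plus the
# self-referencing rule the lab step adds.
SAMPLE_GROUP_JSON = json.dumps({
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "getting-started-docDbInbound",
    "IpPermissions": [
        {   # rule created earlier for the AWS Cloud9 environment's group
            "IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
            "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}],
        },
        {   # self-referencing rule used by the Secrets Manager rotation Lambda
            "IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
            "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}],
        },
    ],
})


def _covers_port(rule, port):
    """True if this rule's protocol/port range includes TCP `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":            # "all traffic" rules carry no port range
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def self_rule_present(group, port=DOCDB_PORT):
    """True if the group admits inbound TCP `port` from members of the same group."""
    own_id = group["GroupId"]
    for rule in group.get("IpPermissions", []):
        if not _covers_port(rule, port):
            continue
        if any(p.get("GroupId") == own_id for p in rule.get("UserIdGroupPairs", [])):
            return True
    return False


def open_to_world(group, port=DOCDB_PORT):
    """True if any rule covering `port` allows 0.0.0.0/0 or ::/0 as a source."""
    for rule in group.get("IpPermissions", []):
        if not _covers_port(rule, port):
            continue
        cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
        if "0.0.0.0/0" in cidrs or "::/0" in cidrs:
            return True
    return False


def audit(group_json):
    """Summarise the two checks for one security group description."""
    group = json.loads(group_json)
    return {"self_rule": self_rule_present(group), "world_open": open_to_world(group)}


if __name__ == "__main__":
    print(audit(SAMPLE_GROUP_JSON))   # {'self_rule': True, 'world_open': False}
```

To run it against a real group, pipe the `SecurityGroups[0]` element of the CLI output into `audit`; a result of `self_rule: False` means the rotation Lambda will be unable to reach the cluster, and `world_open: True` means the port is exposed more widely than this step requires.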
(1) Return to the AWS Secrets Manager console, select the secret you stored previously.
(2) Select Retrieve secret value and note the password (it should not have changed since you created the secret).
(3) Scroll down and select Edit rotation. Select Enable automatic rotation, enter a new Lambda function name such as Rotate-DocumentDB-PW, and then select Save. It will take a few minutes for CloudFormation to create the resources and the Lambda function. When it is done, an initial password rotation takes place. Scroll to the top of the console to see the creation status.
Wait a few minutes for the message, “Secret successfully scheduled for rotation” to appear at the top of the page:
(4) Close the Secret value if it is open, and then select Retrieve Secret value. Note the password which was changed when automatic secret rotation was enabled.
(5) Return to the AWS Cloud9 console and run the sample Python code again. It will connect to your Amazon DocumentDB cluster using the newly rotated password stored in AWS Secrets Manager, with no application update required.
Congratulations! You were able to access your Amazon DocumentDB cluster after its password was changed without making any changes to your Python application.
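The sample application keeps working because it reads the password from AWS Secrets Manager at connect time instead of embedding it. One caveat worth handling in real code: an application that caches the secret will hold the old password after the Lambda rotates it, and the cluster will reject the next connection. The following Python helper is an added example, not the lab's sample code; it caches the SecretString, and on an authentication failure refreshes the secret once and retries. The secret fetcher and the connect function are injected, so the demo runs offline against a constructed stand-in for Secrets Manager and the cluster; `aws_secret_fetcher` shows the boto3 `get_secret_value` call production code would inject instead. The host name, user name, passwords and the `rds-combined-ca-bundle.pem` file name are assumptions.

```python
"""Rotation-aware DocumentDB connection helper (added example, not the lab's code)."""
import json
from urllib.parse import quote_plus


class AuthFailure(Exception):
    """Raised by the injected connect function when the server rejects the credentials."""


class SecretCache:
    """Caches the raw SecretString so each connection does not call Secrets Manager."""
    def __init__(self, fetch_secret):
        self._fetch = fetch_secret
        self._value = None

    def get(self):
        if self._value is None:
            self._value = self._fetch()
        return self._value

    def refresh(self):
        self._value = self._fetch()
        return self._value


def parse_secret(secret_string):
    """Secrets Manager stores the cluster credentials as a JSON object; extract what we need."""
    s = json.loads(secret_string)
    return {"username": s["username"], "password": s["password"],
            "host": s["host"], "port": int(s.get("port", 27017))}


def build_uri(creds, ca_file="rds-combined-ca-bundle.pem"):
    """Build the connection URI; credentials are percent-encoded so special characters survive."""
    return ("mongodb://{u}:{p}@{h}:{port}/?tls=true&tlsCAFile={ca}"
            "&replicaSet=rs0&readPreference=secondaryPreferred&retryWrites=false").format(
        u=quote_plus(creds["username"]), p=quote_plus(creds["password"]),
        h=creds["host"], port=creds["port"], ca=ca_file)


def connect_with_refresh(cache, connect):
    """Connect with the cached secret; on AuthFailure refetch the secret once and retry."""
    try:
        return connect(build_uri(parse_secret(cache.get())))
    except AuthFailure:
        # The password was most likely rotated since the cache was filled.
        return connect(build_uri(parse_secret(cache.refresh())))


def aws_secret_fetcher(secret_id, region_name):
    """Production fetcher built on boto3 (assumption: SDK installed, credentials available).
    The import is local so the offline demo below does not need the AWS SDK."""
    def fetch():
        import boto3
        client = boto3.client("secretsmanager", region_name=region_name)
        return client.get_secret_value(SecretId=secret_id)["SecretString"]
    return fetch


class FakeEnvironment:
    """Constructed stand-in for Secrets Manager plus the cluster; rotation updates both,
    as the rotation Lambda does."""
    def __init__(self, password):
        self.password = password
        self.fetches = 0

    def get_secret_value(self):
        self.fetches += 1
        return json.dumps({"username": "docdbadmin", "password": self.password,
                           "host": "docdb-cluster.example.invalid", "port": 27017})

    def rotate(self, new_password):
        self.password = new_password

    def connect(self, uri):
        if quote_plus(self.password) not in uri:   # stale password in the URI: rejected
            raise AuthFailure("authentication failed")
        return uri


def demo():
    """Warm the cache, rotate, then connect: the helper recovers with one extra fetch."""
    env = FakeEnvironment("first-pass")
    cache = SecretCache(env.get_secret_value)
    cache.get()                        # application started before rotation (1 fetch)
    env.rotate("second p@ss")          # Secrets Manager rotates the password
    uri = connect_with_refresh(cache, env.connect)
    return env.fetches, "second+p%40ss" in uri


if __name__ == "__main__":
    print(demo())   # (2, True)
```

Retrying exactly once is deliberate: a second authentication failure after a fresh fetch means the cluster and Secrets Manager genuinely disagree (for example a rotation that was started but not finished), and surfacing that error is better than looping.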
(6) Optional: You can further test connecting to your cluster using the Mongo shell using the new password. Before doing so, you will need to install the Mongo shell if you did not install it in a prior lab.
echo -e "[mongodb-org-4.0] \nname=MongoDB Repository\nbaseurl=https://repo.mongodb.org/yum/amazon/2013.03/mongodb-org/4.0/x86_64/\ngpgcheck=1 \nenabled=1 \ngpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc" | sudo tee /etc/yum.repos.d/mongodb-org-4.0.repo
sudo yum install -y mongodb-org-shell
To get the connection string for your cluster, navigate to the Amazon DocumentDB console and locate your cluster using the cluster identifier. Click on the cluster identifier link and copy the connection string for your cluster.
Copy the connection string found under the Connectivity and security tab and paste it into the AWS Cloud9 terminal. Omit the --password <insertYourPassword> option and press Enter. Copy the password from AWS Secrets Manager (step 4 above) and paste it into the password prompt.
If you are having trouble connecting, you may refer to Troubleshooting Amazon DocumentDB for help.
Congratulations! You have successfully configured AWS Secrets Manager to automatically rotate your Amazon DocumentDB cluster’s password. Then you tested access to your Amazon DocumentDB cluster using the newly generated password with a Python application, and optionally using the Mongo shell.