Rotating the password in AWS Secrets Manager

You can configure AWS Secrets Manager to automatically rotate the secret (password) for your Amazon DocumentDB cluster. When automatic rotation is selected, AWS Secrets Manager creates a Lambda function which is scheduled to perform the rotation.

Update the Amazon DocumentDB security group to permit inbound access from Lambda.

The security group attached to the database needs to permit inbound access from the Lambda function that AWS Secrets Manager creates. By default, the Lambda function is assigned the same security group used by your Amazon DocumentDB cluster. You will need to edit your Amazon DocumentDB cluster’s security group to permit inbound connections from itself (from Lambda to the Amazon DocumentDB cluster via the same security group).

(1) Go to the EC2 console and select Security Groups from the left panel.

(2) Select the getting-started-docDbInbound security group, then select Edit inbound rules.

(3) Select Add rule, choose Custom TCP with port 27017, and then select the security group whose name begins with getting-started from the drop-down list.

Your Inbound rules screen should now show two rules: the one allowing AWS Cloud9 access that was created earlier, and the new one permitting inbound access from the Amazon DocumentDB security group to itself, which the AWS Secrets Manager Lambda rotation function will use. Select Save rules.

Rotating your Amazon DocumentDB secret in AWS Secrets Manager

(1) Return to the AWS Secrets Manager console and select the secret you stored previously.

(2) Select Retrieve secret value and note the password (it should not have changed since you created the secret).

(3) Scroll down and select Edit rotation. Select Enable automatic rotation, enter a new Lambda function name such as Rotate-DocumentDB-PW, and then select Save. It will take a few minutes for AWS CloudFormation to create the resources and the Lambda function; when it finishes, an initial password rotation takes place. Scroll to the top of the console to see the creation status, and wait a few minutes for the message "Secret successfully scheduled for rotation" to appear at the top of the page.

(4) Close the secret value if it is open, and then select Retrieve secret value. Note that the password changed when automatic secret rotation was enabled.

(5) Return to the AWS Cloud9 console and run the sample Python code again. It will connect to your Amazon DocumentDB cluster using the newly rotated password stored in AWS Secrets Manager, with no application update required.

python3 DocumentDB_Secrets_Mgr_sample.py 

Congratulations! You were able to access your Amazon DocumentDB cluster after its password was changed without making any changes to your Python application.
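Why the application keeps working: it resolves the credential from AWS Secrets Manager at connection time instead of holding a fixed password. The following is an added illustration, not the workshop's DocumentDB_Secrets_Mgr_sample.py, and it goes one step further than a script that re-reads the secret on every run: the client caches the credential and re-reads the secret only when the cluster rejects it, which is the case a long-running service hits after a rotation. Names such as RotatingCredentialClient, FakeCluster and AuthenticationFailed are assumptions, and the secret values are constructed; real code would supply boto3 and pymongo callables in place of the in-memory fakes.

```python
import json

# Constructed stand-ins for the SecretString that Secrets Manager holds for the
# cluster before and after the rotation Lambda runs (real secrets also carry
# host, port and ssl fields).
SECRET_BEFORE = json.dumps({"username": "docdbadmin", "password": "OldPassw0rd!"})
SECRET_AFTER = json.dumps({"username": "docdbadmin", "password": "N3wR0tatedPass!"})

class AuthenticationFailed(Exception):
    """Raised by the connect callable when the cluster rejects the credential."""

class RotatingCredentialClient:
    """Resolve the DocumentDB credential from Secrets Manager at connect time.
    fetch_secret() returns the SecretString JSON (real code would wrap boto3
    secretsmanager.get_secret_value(SecretId=...)["SecretString"]); connect(user, pw)
    opens the connection (e.g. pymongo.MongoClient) or raises AuthenticationFailed."""

    def __init__(self, fetch_secret, connect):
        self._fetch_secret, self._connect = fetch_secret, connect
        self._cached, self.fetches = None, 0

    def _credential(self, refresh=False):
        if self._cached is None or refresh:
            self._cached = json.loads(self._fetch_secret())
            self.fetches += 1
        return self._cached

    def connection(self):
        cred = self._credential()
        try:
            return self._connect(cred["username"], cred["password"])
        except AuthenticationFailed:
            # The cached password may predate a rotation: re-read the secret once and retry.
            cred = self._credential(refresh=True)
            return self._connect(cred["username"], cred["password"])

class FakeCluster:
    """Constructed in-memory cluster that accepts exactly one password."""
    def __init__(self, password):
        self.password = password

    def connect(self, user, password):
        if password != self.password:
            raise AuthenticationFailed(user)
        return {"user": user, "ok": True}

def rotation_scenario():
    """Connect, let the rotation update cluster and secret, then connect again."""
    store = {"secret": SECRET_BEFORE}
    cluster = FakeCluster("OldPassw0rd!")
    client = RotatingCredentialClient(lambda: store["secret"], cluster.connect)
    first = client.connection()
    cluster.password, store["secret"] = "N3wR0tatedPass!", SECRET_AFTER  # rotation happens
    second = client.connection()
    return first["ok"], second["ok"], client.fetches  # (True, True, 2)
```

The second connection fails once with the stale cached password, re-reads the secret, and succeeds, so the secret is fetched exactly twice across the rotation.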

(6) Optional: You can further test connecting to your cluster using the Mongo shell using the new password. Before doing so, you will need to install the Mongo shell if you did not install it in a prior lab.

echo -e "[mongodb-org-4.0] \nname=MongoDB Repository\nbaseurl=https://repo.mongodb.org/yum/amazon/2013.03/mongodb-org/4.0/x86_64/\ngpgcheck=1 \nenabled=1 \ngpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc" | sudo tee /etc/yum.repos.d/mongodb-org-4.0.repo
sudo yum install -y mongodb-org-shell

To get the connection string for your cluster, navigate to the Amazon DocumentDB console and locate your cluster using the cluster identifier getting-started-with-documentdb.


Click on the cluster identifier link and copy the connection string for your cluster.


Copy the connection string found under the Connectivity and security tab and paste it into the AWS Cloud9 terminal. Omit the --password <insertYourPassword> portion and press return. Copy the password from AWS Secrets Manager (step 4 above) and paste it at the password prompt.

If you are having trouble connecting, you may refer to Troubleshooting Amazon DocumentDB for help.

Congratulations! You have successfully configured AWS Secrets Manager to automatically rotate your Amazon DocumentDB cluster’s password. Then you tested access to your Amazon DocumentDB cluster using the newly generated password with a Python application, and optionally using the Mongo shell.