I've created a secret and updated it to have a Lambda rotation function.
My secret looks like:
aws secretsmanager list-secret-version-ids --secret-id envi
I had a similar problem. For my DocumentDB I have a CloudFormation template with the following content:

    # Secret for the DocumentDB root user; the password is generated by Secrets Manager
    MyDocumentDbSecret:
      Type: AWS::SecretsManager::Secret
      Properties:
        Name: "/secrets/documentdb/root"
        Description: 'DocDB root secret'
        GenerateSecretString:
          # The template is the JSON the generated password key is merged into
          SecretStringTemplate: !Sub '{"username": "${DefaultDocDbUser}"}'
          GenerateStringKey: "password"
          PasswordLength: 16
          # Characters that would break a MongoDB connection string
          ExcludeCharacters: '"@/\'
But with this CloudFormation template I always get a connection timeout in the Lambda function (which tries to change the password for my user).
But when I change my CloudFormation template to this, with ssl = true in the SecretStringTemplate attribute:

    DocDBClusterRotationSecret:
      Type: AWS::SecretsManager::Secret
      Properties:
        Name: "/secrets/documentdb/root"
        Description: 'DocDB root secret'
        GenerateSecretString:
          # Same template as before, plus the ssl flag the rotation function expects
          SecretStringTemplate: !Sub '{"username": "${DefaultDocDbUser}", "ssl": "true"}'
          GenerateStringKey: "password"
          PasswordLength: 16
          ExcludeCharacters: '"@/\'

then it works properly. The CloudFormation type AWS::SecretsManager::SecretTargetAttachment does not provide my secret with the attribute ssl=true, therefore I need to add it manually in my CloudFormation template. Now it works perfectly with no errors.
My secret string looks like this nowadays:

    {
      "password": "My PW",
      "engine": "mongo",
      "port": 27017,
      "host": "My Host",
      "ssl": "true",
      "username": "My User"
    }
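The answer above hinges on one detail of the secret's shape: SecretStringTemplate is a JSON string, so a flag written there as "ssl": "true" reaches whatever reads the secret as the string "true", not as a boolean, and a secret that was never given the key has no ssl at all. The following is an added example (not code from the question, the answer, or AWS) that parses a SecretString of the shape shown in the answer into connection settings and reports the missing-ssl case before a rotation function would time out against it. The sample secret, the helper names (parse_bool, parse_docdb_secret, check_secret_for_rotation) and the "tls" output key are all assumptions made for the example.

```python
import json

# Constructed sample modelled on the secret string shown in the answer above;
# the values are placeholders, not real credentials.
SAMPLE_SECRET = json.dumps({
    "password": "My PW",
    "engine": "mongo",
    "port": 27017,
    "host": "My Host",
    "ssl": "true",
    "username": "My User",
})

# Keys a MongoDB/DocumentDB connection cannot be built without.
REQUIRED_KEYS = ("username", "password", "host", "port")


def parse_bool(value):
    """Accept the ssl flag either as a JSON boolean or as a string.

    A SecretStringTemplate of '{"ssl": "true"}' yields the str "true",
    so a plain truthiness check would also accept the str "false".
    """
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        lowered = value.strip().lower()
        if lowered in ("true", "1", "yes"):
            return True
        if lowered in ("false", "0", "no", ""):
            return False
    raise ValueError(f"unrecognised ssl value: {value!r}")


def parse_docdb_secret(secret_string):
    """Turn a Secrets Manager SecretString into connection settings.

    Returns host, port (int), username, password and tls (bool).
    A secret without an ssl key defaults to tls=False, which is what a
    secret filled only by the target attachment looks like.
    """
    secret = json.loads(secret_string)
    missing = [key for key in REQUIRED_KEYS if key not in secret]
    if missing:
        raise ValueError(f"secret is missing keys: {missing}")
    engine = secret.get("engine")
    if engine not in (None, "mongo"):
        raise ValueError(f"unexpected engine for a DocumentDB secret: {engine!r}")
    return {
        "host": secret["host"],
        "port": int(secret["port"]),
        "username": secret["username"],
        "password": secret["password"],
        "tls": parse_bool(secret.get("ssl", False)),
    }


def check_secret_for_rotation(secret_string):
    """Return a list of problems with the secret; an empty list means it looks usable."""
    try:
        settings = parse_docdb_secret(secret_string)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if not settings["tls"]:
        # A DocumentDB cluster with the tls parameter enabled (the default)
        # rejects plaintext connections, so this is the case to flag.
        problems.append("ssl is not true; a TLS-enabled cluster will not accept the connection")
    return problems


if __name__ == "__main__":
    print(parse_docdb_secret(SAMPLE_SECRET))
    print(check_secret_for_rotation(SAMPLE_SECRET))
```

Run it against the SecretString returned by `aws secretsmanager get-secret-value` to see whether the ssl key is present and spelled the way the rotation expects before pointing a rotation function at the secret.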