def set_secret(service_client, arn, token, context):
    """Set the secret

    Reads the AWSPENDING version of the secret and asks Systems Manager, through the SSM helper, to add the pending
    public key to the targets, tagged with the pending version id. Blocks until the Systems Manager command completes.

    Args:
        service_client (client): The secrets manager service client

        arn (string): The secret ARN or other identifier

        token (string): The ClientRequestToken associated with the secret version

        context: Passed through unchanged to the SSM helper

    """
    # Asking for VersionId and VersionStage together makes Secrets Manager
    # reject the call unless `token` really is the version labelled AWSPENDING.
    pending_response = service_client.get_secret_value(
        SecretId=arn, VersionId=token, VersionStage="AWSPENDING")
    version_id = pending_response['VersionId']

    # Second read of the pending version, this time through the shared helper
    # that returns the secret as a dictionary.
    secret_fields = get_secret_dict(service_client, arn, "AWSPENDING")

    runner = SSM(context, TARGETS, USERNAME)

    print("setSecret: Invoking Systems Manager to add the new public key "
          "with token %s." % version_id)
    # NOTE(review): the key text comes from the secret and is handed to the SSM
    # helper, whose implementation is not visible here; confirm it is passed to
    # the remote command as a parameter rather than spliced into a shell line.
    public_key = secret_fields[PUBLIC_KEY]
    command_id = runner.add_public_key(public_key, version_id)

    print("setSecret: Waiting for Systems Manager command %s to complete."
          % command_id)
    runner.wait_completion(command_id)
    print("setSecret: Systems Manager command %s completed successfully."
          % command_id)
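def finish_secret(service_client, arn, token, context):
    """Finish the secret

    This method finalizes the rotation process by marking the secret version passed in as the AWSCURRENT secret, then
    asks Systems Manager, through the SSM helper, to delete the public key that belonged to the previous AWSCURRENT version.

    Args:
        service_client (client): The secrets manager service client

        arn (string): The secret ARN or other identifier

        token (string): The ClientRequestToken associated with the secret version

        context: Passed through unchanged to the SSM helper

    Raises:
        ResourceNotFoundException: If the secret with the specified arn does not exist

    """
    # First describe the secret to get the current version
    metadata = service_client.describe_secret(SecretId=arn)

    new_version = token
    current_version = None
    for version, stages in metadata["VersionIdsToStages"].items():
        if "AWSCURRENT" in stages:
            if version == token:
                # The correct version is already marked as current, return
                # NOTE(review): if an earlier attempt moved the stage but the
                # key removal below did not complete, a retry ends here and the
                # previous public key is never removed from the targets.
                # Consider a cleanup path for that case.
                print(
                    "finishSecret: Version %s already marked as AWSCURRENT for %s"
                    % (version, arn))
                return
            current_version = version
            break

    # Finalize by staging the secret version current. RemoveFromVersionId is
    # only sent when a previous AWSCURRENT version was found: passing None
    # fails client-side parameter validation.
    stage_args = {
        "SecretId": arn,
        "VersionStage": "AWSCURRENT",
        "MoveToVersionId": new_version,
    }
    if current_version is not None:
        stage_args["RemoveFromVersionId"] = current_version
    service_client.update_secret_version_stage(**stage_args)
    print(
        "finishSecret: Successfully set AWSCURRENT stage to version %s for secret %s."
        % (new_version, arn))

    # The version that held AWSCURRENT before the move is the one whose key
    # must now be removed.
    prior_version = current_version
    if prior_version is None:
        # Nothing was current before, so there is no old key to revoke. Never
        # issue a delete with a None token: what the remote command would
        # match on in that case is undefined from here.
        print(
            "finishSecret: No previous AWSCURRENT version for %s, no old public key to delete."
            % arn)
        return

    # NOTE(review): the returned dictionary is not used. The call is kept in
    # case the helper validates the new AWSCURRENT secret; if it does not,
    # drop it so the secret value is not read without need.
    get_secret_dict(service_client, arn, "AWSCURRENT")

    ssm = SSM(context, TARGETS, USERNAME)

    print(
        "finishSecret: Invoking Systems Manager to delete the old public key with token %s."
        % (prior_version))
    command_id = ssm.del_public_key(prior_version)
    print("finishSecret: Waiting for Systems Manager command %s to complete." %
          (command_id))
    ssm.wait_completion(command_id)
    print("finishSecret: Systems Manager command %s completed successfully." %
          (command_id))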