def set_secret(service_client, arn, token, context):
    """Set the secret

    Hands the public key stored in the AWSPENDING secret version to the
    target hosts via Systems Manager and blocks until that command has
    finished. Only the ``PUBLIC_KEY`` entry of the secret dict is passed on;
    nothing else from the secret is sent to the hosts.

    Args:
        service_client (client): The secrets manager service client
        arn (string): The secret ARN or other identifier
        token (string): The ClientRequestToken associated with the secret version
        context: Lambda invocation context, passed through to ``SSM``
    """
    # Look the version up by id *and* stage: Secrets Manager rejects the
    # request if this token does not actually carry the AWSPENDING label,
    # so this doubles as a guard before anything is pushed to the hosts.
    pending_meta = service_client.get_secret_value(
        SecretId=arn, VersionId=token, VersionStage="AWSPENDING")
    version_id = pending_meta['VersionId']
    key_material = get_secret_dict(service_client, arn, "AWSPENDING")

    manager = SSM(context, TARGETS, USERNAME)
    print(
        "setSecret: Invoking Systems Manager to add the new public key with token %s." % version_id)
    # The version id is sent along with the key so it can be referenced
    # (and later removed) by version.
    cmd = manager.add_public_key(key_material[PUBLIC_KEY], version_id)
    print("setSecret: Waiting for Systems Manager command %s to complete." % (cmd))
    manager.wait_completion(cmd)
    print("setSecret: Systems Manager command %s completed successfully." % (cmd))
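def finish_secret(service_client, arn, token, context):
    """Finish the secret

    Finalizes the rotation by marking the version identified by ``token`` as
    AWSCURRENT (moving the stage off the previously current version) and then
    asking Systems Manager to remove the public key that was installed for
    that previous version.

    Args:
        service_client (client): The secrets manager service client
        arn (string): The secret ARN or other identifier
        token (string): The ClientRequestToken associated with the secret version
        context: Lambda invocation context, passed through to ``SSM``

    Raises:
        ResourceNotFoundException: If the secret with the specified arn does not exist
    """
    # First describe the secret to find which version is current today.
    metadata = service_client.describe_secret(SecretId=arn)
    new_version = token
    current_version = None
    for version, stages in metadata["VersionIdsToStages"].items():
        if "AWSCURRENT" not in stages:
            continue
        if version == token:
            # The correct version is already marked as current, return
            print(
                "finishSecret: Version %s already marked as AWSCURRENT for %s" % (version, arn))
            return
        current_version = version
        break

    # Finalize by staging the secret version current. RemoveFromVersionId is
    # only supplied when a previous AWSCURRENT version exists: boto3 rejects
    # None for a string parameter, so the original unconditional call would
    # fail with a parameter-validation error in that (rare) case.
    stage_args = {
        "SecretId": arn,
        "VersionStage": "AWSCURRENT",
        "MoveToVersionId": new_version,
    }
    if current_version is not None:
        stage_args["RemoveFromVersionId"] = current_version
    service_client.update_secret_version_stage(**stage_args)
    print(
        "finishSecret: Successfully set AWSCURRENT stage to version %s for secret %s." % (new_version, arn))

    if current_version is None:
        # Nothing was current before, so there is no old key to revoke.
        print("finishSecret: No prior AWSCURRENT version; skipping Systems Manager key removal.")
        return

    # The AWSCURRENT secret value itself is not needed here: Systems Manager
    # identifies the key to remove by the prior version id, so the secret
    # material is deliberately not fetched (the same dict was already read
    # as AWSPENDING in set_secret).
    #
    # NOTE(review): the stage has already moved by the time the removal runs.
    # If the Systems Manager command fails, the previous public key stays
    # authorized on the targets until the next rotation; the raised error is
    # the only signal of that, so it should not be swallowed by callers.
    prior_version = current_version
    ssm = SSM(context, TARGETS, USERNAME)
    print(
        "finishSecret: Invoking Systems Manager to delete the old public key with token %s." % (prior_version))
    command_id = ssm.del_public_key(prior_version)
    print("finishSecret: Waiting for Systems Manager command %s to complete." % (command_id))
    ssm.wait_completion(command_id)
    print("finishSecret: Systems Manager command %s completed successfully." % (command_id))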