def test_secret(service_client, arn, token, context):
    """Test the secret

    This method should validate that the AWSPENDING secret works in the
    service that the secret belongs to. Here the AWSPENDING private key is
    used to run a read-only command over SSH, for every configured username,
    against the addresses the Systems Manager helper returns for this token.

    Args:
        service_client (client): The secrets manager service client
        arn (string): The secret ARN or other identifier
        token (string): The ClientRequestToken associated with the secret version
        context: The Lambda context, passed through to the SSM helper
    """
    # A read-only command is enough to show the pending key is accepted for login.
    probe_command = 'hostname'
    pending = get_secret_dict(service_client, arn, "AWSPENDING")
    print("testSecret: getting instance IDs for version %s" % token)

    ssm = SSM(context, TARGETS)
    for user in USERNAMES:
        ssm.set_username(user)
        targets = ssm.get_addrs_for_add_key(token)
        print("testSecret: Performing SSH test by invoking command '%s'." % probe_command)
        # NOTE(review): whether a rejected login surfaces as an exception here
        # depends on ssh.run_command, which is defined elsewhere — confirm.
        ssh.run_command(targets, user, pending[PRIVATE_KEY], probe_command)
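def finish_secret(service_client, arn, token, context):
    """Finish the secret

    This method finalizes the rotation process by marking the secret version
    passed in as the AWSCURRENT secret. Only after that stage move succeeds is
    the public key of the previously current version removed from the hosts
    through Systems Manager, so the hosts are never left without a valid key.

    Args:
        service_client (client): The secrets manager service client
        arn (string): The secret ARN or other identifier
        token (string): The ClientRequestToken associated with the secret version
        context: The Lambda context, passed through to the SSM helper

    Raises:
        ResourceNotFoundException: If the secret with the specified arn does not exist
        ValueError: If no version of the secret currently carries the AWSCURRENT stage
    """
    # First describe the secret to get the current version
    metadata = service_client.describe_secret(SecretId=arn)
    current_version = _find_current_version(metadata["VersionIdsToStages"])
    if current_version == token:
        # The correct version is already marked as current, return.
        # NOTE(review): this early return also skips the key removal below, so a
        # retry that lands after the stage move leaves the prior public key on
        # the hosts — confirm this is acceptable for the deployment.
        print("finishSecret: Version %s already marked as AWSCURRENT for %s" % (token, arn))
        return
    if current_version is None:
        # Without a prior AWSCURRENT there is nothing to move the stage from;
        # fail with a clear message instead of passing None to the API call.
        raise ValueError("finishSecret: No AWSCURRENT version found for secret %s" % arn)

    # Finalize by staging the secret version current
    service_client.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT", MoveToVersionId=token, RemoveFromVersionId=current_version)
    print("finishSecret: Successfully set AWSCURRENT stage to version %s for secret %s." % (token, arn))

    # Read the promoted version back once; the result is not used. Kept from
    # the original — presumably a check that AWSCURRENT resolves and parses
    # before any host key is removed.
    get_secret_dict(service_client, arn, "AWSCURRENT")
    _remove_prior_public_key(context, current_version)


def _find_current_version(version_stages):
    """Return the version id that carries AWSCURRENT, or None if no version has it."""
    for version_id, stages in version_stages.items():
        if "AWSCURRENT" in stages:
            return version_id
    return None


def _remove_prior_public_key(context, prior_version):
    """Delete the public key tagged with *prior_version* from the targets, once per username."""
    ssm = SSM(context, TARGETS)
    for username in USERNAMES:
        ssm.set_username(username)
        print("finishSecret: Invoking Systems Manager to delete the old public key with token %s." % (prior_version))
        command_id = ssm.del_public_key(prior_version)
        print("finishSecret: Waiting for Systems Manager command %s to complete." % (command_id))
        # Block until the removal finishes so a failure is reported by this invocation.
        ssm.wait_completion(command_id)
        print("finishSecret: Systems Manager command %s completed successfully." % (command_id))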
def set_secret(service_client, arn, token, context):
    """Set the secret

    This method should set the AWSPENDING secret in the service that the
    secret belongs to. Here that means publishing the AWSPENDING public key
    to S3 and installing it on the target hosts, for every configured
    username, through Systems Manager.

    Args:
        service_client (client): The secrets manager service client
        arn (string): The secret ARN or other identifier
        token (string): The ClientRequestToken associated with the secret version
        context: The Lambda context, passed through to the SSM helper

    Raises:
        KeyError: If S3_BUCKET or S3_FILE is missing from the environment, or
            the fetched secret lacks the expected fields
    """
    # Both VersionId and VersionStage are passed, so the fetch is pinned to this
    # token's AWSPENDING version rather than whichever version carries the stage.
    pending = service_client.get_secret_value(SecretId=arn, VersionId=token, VersionStage="AWSPENDING")
    pending_version = pending['VersionId']
    pending_dict = get_secret_dict(service_client, arn, "AWSPENDING")

    # upload the public key in s3
    s3_bucket, s3_file = os.environ['S3_BUCKET'], os.environ['S3_FILE']
    uploader = S3KeyUpdater()
    public_key = pending_dict[PUBLIC_KEY]
    uploader.update_key(public_key, s3_bucket, s3_file)

    ssm = SSM(context, TARGETS)
    for username in USERNAMES:
        ssm.set_username(username)
        print("setSecret: For username %s." % username)
        print("setSecret: Invoking Systems Manager to add the new public key with token %s." % pending_version)
        command_id = ssm.add_public_key(public_key, pending_version)
        print("setSecret: Waiting for Systems Manager command %s to complete." % command_id)
        # Wait so that a failed install is reported by this invocation.
        ssm.wait_completion(command_id)
        print("setSecret: Systems Manager command %s completed successfully." % command_id)