Based heavily on the Python version distributed by AWS, this lambda provides a wireframe for automated secret rotation for custom secrets in AWS Secrets Manager. I wanted to have a version in Go, as many other microservices I work on are also in Go, and although the official (Python) version works fine, I felt it more appropriate to consolidate my language choices.
This lambda handles the transition of staging labels on secrets stored in Secrets Manager. You will need to write your own code for the setSecret and testSecret stages.
The setSecret stage should set the AWSPENDING secret in the service that the secret belongs to. For example, if you want to rotate a password for a user in a database, this stage would connect to the database and update the password.
The testSecret stage should validate that the AWSPENDING secret works in the service that the secret belongs to. Following the previous example, this stage should attempt to use the new password in order to validate the update worked as expected.
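One way the two stages can be filled in, as an added example that is not code from this project: setSecret is written to be safe to retry, and it refuses to rotate when the AWSCURRENT value no longer works in the service. The `Service` interface, the `stages` map standing in for Secrets Manager lookups, and `fakeDB` are assumptions made so the sketch runs offline.

```go
package main

import "fmt"

// Service is a hypothetical stand-in for the system that owns the credential.
type Service interface {
	Login(password string) error
	SetPassword(newPassword string) error
}

// setSecret applies AWSPENDING to the service; stages (assumed) maps label to value.
func setSecret(stages map[string]string, svc Service) error {
	pending, ok := stages["AWSPENDING"]
	if !ok {
		return fmt.Errorf("setSecret: no AWSPENDING version")
	}
	if svc.Login(pending) == nil {
		return nil // a retried step already applied it: stay idempotent
	}
	if err := svc.Login(stages["AWSCURRENT"]); err != nil {
		return fmt.Errorf("setSecret: AWSCURRENT rejected, not rotating: %w", err)
	}
	return svc.SetPassword(pending)
}

// testSecret proves AWSPENDING works before the labels are moved.
func testSecret(stages map[string]string, svc Service) error {
	pending, ok := stages["AWSPENDING"]
	if !ok {
		return fmt.Errorf("testSecret: no AWSPENDING version")
	}
	return svc.Login(pending)
}

// fakeDB is a constructed in-memory service so the example runs offline.
type fakeDB struct{ password string }

func (d *fakeDB) SetPassword(p string) error { d.password = p; return nil }
func (d *fakeDB) Login(p string) error {
	if p != d.password {
		return fmt.Errorf("access denied")
	}
	return nil
}

func main() {
	db, st := &fakeDB{"old-pw"}, map[string]string{"AWSCURRENT": "old-pw", "AWSPENDING": "new-pw"}
	fmt.Println(setSecret(st, db), testSecret(st, db)) // both nil on success
}
```

In a real rotation lambda the map lookups would be replaced by Secrets Manager reads for the version carrying each staging label, and a testSecret failure should be returned as an error so the labels are not moved.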
GOOS=linux go build main.go
zip main.zip ./main
AWS provides a utility (build-lambda-zip.exe) to make it easier to create Lambda Go packages on Windows. More information can be found in the official AWS Lambda Deployment Package in Go guide, along with the download link for build-lambda-zip.exe.
$env:GOOS = "linux"
go build -o main main.go
~\Go\Bin\build-lambda-zip.exe -o main.zip main