Security

Auto-Rotating RDS Credentials with AWS Secrets & Systems Manager

Automatically update RDS credentials and application config on EC2 instances.

January 1, 2020 Platform Engineering 3 min read

Automatically rotating credentials is an important part of running secure infrastructure. AWS Secrets Manager makes this easier by allowing you to rotate credentials on a schedule in a controlled way. In this article, we will look at using AWS Secrets Manager to rotate RDS credentials and update WordPress configuration on EC2 instances automatically.

Infrastructure Overview

We will use a common WordPress setup on AWS to walk through the flow:

  • Amazon EC2 instances running WordPress in an Auto Scaling Group
  • Application Load Balancer (ALB) distributing traffic
  • Amazon RDS hosting the MySQL database
  • AWS Secrets Manager storing and rotating the database credentials
  • AWS Systems Manager (SSM) updating configuration on instances
  • AWS Lambda handling the rotation workflow

Solution Overview

The goal is to rotate the RDS password on a schedule and update the WordPress configuration on every running EC2 instance. When new instances are launched later, they should also retrieve the current password and write it into wp-config.php during bootstrapping.

To achieve that, we use:

  • AWS Secrets Manager to store the credential set and drive rotation
  • AWS Lambda to perform the rotation steps
  • AWS Systems Manager Run Command to update wp-config.php on the instances

Setting Up AWS Secrets Manager

Create a secret in AWS Secrets Manager to store the RDS credentials. If you use the AWS console, you can enable automatic rotation during setup. If you manage the stack through OpenTofu or Terraform, you will normally create the Lambda function and IAM role yourself.

The secret structure can look like this:

{
  "host": "ProdServer-01.databases.example.com",
  "port": "3306",
  "username": "administrator",
  "password": "My-P@ssw0rd!F0r+Th3_Acc0unt",
  "dbname": "MyDatabase",
  "engine": "mysql",
  "app": "foo"
}

The extra app field is not part of the standard secret layout used by the rotation function; it is read later to target the right EC2 instances by tag.

Configuring the Lambda Function

The Lambda function handles rotation of the RDS credentials. To make the application aware of the new password, the setSecret stage can also trigger an SSM command that updates wp-config.php on all running EC2 instances for the application.

That requires a few prerequisites:

  • the SSM Agent installed on each EC2 instance
  • an instance profile that allows the instances to communicate with SSM
  • a Lambda execution role that allows ssm:SendCommand

In the setSecret stage, you can add logic like this:

import shlex

import boto3

ssm = boto3.client('ssm')


def update_instances(pending_dict):
    """Call this from the setSecret stage once the new password has been applied to
    the database. The helper name is ours; pending_dict is the parsed AWSPENDING
    secret value (the JSON layout shown above)."""
    new_password = pending_dict['password']
    app_name = pending_dict.get('app', 'default')

    # Escape for a PHP single-quoted literal (only \ and ' are special there, and $ is
    # not interpolated as it would be inside "..."), then shell-quote the whole define()
    # line so the script reproduces it byte for byte whatever the password contains.
    php_literal = "'" + new_password.replace("\\", "\\\\").replace("'", "\\'") + "'"
    define_line = shlex.quote("define( 'DB_PASSWORD', %s );" % php_literal)

    # Only the active define( 'DB_PASSWORD', ... ) line is replaced (not comments that
    # mention it); the new file is written next to the original rather than in the
    # world-readable /tmp, inherits its owner and mode, and is swapped in atomically.
    command = r"""set -e
cfg=/var/www/html/wp-config.php
tmp=$(mktemp "$cfg.XXXXXX")
while IFS= read -r LINE; do
  if printf '%%s\n' "$LINE" | grep -Eq "^[[:space:]]*define\([[:space:]]*['\"]DB_PASSWORD['\"]"; then
    printf '%%s\n' %s
  else
    printf '%%s\n' "$LINE"
  fi
done < "$cfg" > "$tmp"
chown --reference="$cfg" "$tmp" && chmod --reference="$cfg" "$tmp"
mv "$tmp" "$cfg"
""" % define_line

    response = ssm.send_command(
        Targets=[
            {
                'Key': 'tag:app',
                'Values': [app_name]
            }
        ],
        DocumentName='AWS-RunShellScript',
        Parameters={
            "commands": [command]
        }
    )
    # send_command only queues the script; use this id (e.g. with
    # ssm.get_command_invocation) if the rotation should fail when the update does.
    return response['Command']['CommandId']

This targets instances by their app tag, so each environment or application can be updated independently. Note that send_command returns as soon as the command is queued; the rotation function does not learn whether the script succeeded unless it checks the command status afterwards.

Testing Password Rotation

Once the workflow is in place, manually trigger a rotation in Secrets Manager and validate each step:

  • confirm the secret value has changed
  • check that wp-config.php has been updated on the EC2 instances
  • verify that WordPress can still connect to the database
  • launch a fresh instance and make sure it can fetch the latest password at start-up

Additional Considerations

  • Security: Keep IAM permissions as narrow as possible.
  • Scaling: Ensure new instances retrieve the latest credential during bootstrap.
  • Monitoring: Log and alert on failed rotations or failed SSM commands.
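For the bootstrap step (a freshly launched instance fetching the current secret and writing it into wp-config.php), the following is an added example and not code from the original post. It assumes the secret layout shown above, a standard wp-config.php with define( 'DB_...' ) lines, an instance profile allowed to call secretsmanager:GetSecretValue on the secret, and the secret name or ARN passed in a SECRET_ID environment variable; the file and function names are ours.

```python
import json, os, re, tempfile

# Matches an active define( 'DB_X', '...' ); in either quote style; // or # lines never match.
_DEFINE_RE = re.compile(
    r"""^(?P<pre>\s*define\(\s*['"](?P<key>DB_(?:HOST|USER|PASSWORD|NAME))['"]\s*,\s*)"""
    r"""(?P<q>['"]).*(?P=q)(?P<post>\s*\)\s*;.*)$""")

# Constructed sample of the database section of a wp-config.php (used by the test).
SAMPLE_WP_CONFIG = """define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp' );
define( 'DB_PASSWORD', 'old' );
// define( 'DB_PASSWORD', 'commented-out' );
define( 'DB_HOST', 'localhost' );"""

def php_single_quoted(value: str) -> str:
    """PHP single-quoted literal: only \\ and ' are special, and $ is never interpolated."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def render_wp_config(text: str, secret: dict) -> str:
    """Rewrite the DB_* defines from the secret dict (same layout as the JSON shown above)."""
    values = {"DB_HOST": "%s:%s" % (secret["host"], secret["port"]), "DB_USER": secret["username"],
              "DB_PASSWORD": secret["password"], "DB_NAME": secret["dbname"]}
    out, seen = [], set()
    for line in text.split("\n"):
        m = _DEFINE_RE.match(line)
        if m:
            seen.add(m["key"])
            line = m["pre"] + php_single_quoted(values[m["key"]]) + m["post"]
        out.append(line)
    if set(values) - seen:  # never leave a placeholder credential in place silently
        raise ValueError("wp-config.php has no define for %s" % sorted(set(values) - seen))
    return "\n".join(out)

def write_wp_config(path: str, secret: dict) -> None:
    """Atomic replace that keeps owner and mode, so PHP never reads a half-written file."""
    with open(path, encoding="utf-8") as fh:
        rendered = render_wp_config(fh.read(), secret)
    st = os.stat(path)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".wp-config.")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(rendered)
    os.chown(tmp, st.st_uid, st.st_gid)
    os.chmod(tmp, st.st_mode & 0o777)
    os.replace(tmp, path)

if __name__ == "__main__":  # on the instance: SECRET_ID=<name or ARN> python3 bootstrap_wp_config.py
    import boto3  # imported here so the rewrite logic above runs (and is testable) without AWS
    secret = json.loads(boto3.client("secretsmanager").get_secret_value(
        SecretId=os.environ["SECRET_ID"])["SecretString"])
    write_wp_config("/var/www/html/wp-config.php", secret)
```

Run it from user data before the web server starts; because it reads the AWSCURRENT version, an instance launched between rotations always gets the password the rotation Lambda last pushed to the running fleet.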

Conclusion

By combining AWS Secrets Manager, Lambda, and Systems Manager, you can automate RDS credential rotation and keep application configuration in sync without manual intervention. This improves security while keeping the application available and easier to operate.