The Platform Client Secret Rotator is an AWS Secrets Manager Lambda Function Rotator intended to be used with AWS Secrets Manager and Auth0. Secrets Manager can use rotators implemented as Lambda Functions to securely and automatically rotate secret configuration values. This rotator is configured out of the box for use with the Cimpress Mass Customization Platform.
For good security hygiene, secret values should be rotated regularly. But it's a pain. And once the secret value is rotated wherever it's stored, how can that be injected into the application which requires the value? This is the value propsition of AWS Secrets Manager, and that value is augmented by the ability to write custom rotators. With this rotator configured to rotate a secret, the client secret will never be stale and it will never be out of date. You should configure your application to retrieve the secret just-in-time at runtime. Provide the ARN of the secret via some configuration means (though setting an environment variable in CloudFormation is probably best), and no further configuration is required, either before or after rotation.
Please find step-by-step installation and setup instructions on the wiki! They're available for both SAM (CloudFormation) and CDK.
There is an unavoidable bootstrapping step when deploying the Platform Client Secret Rotator into a service for the first time. The deployment process has no way of knowing what a client's current secret is (nor should it!), so the first rotation which occurs after deployment will necessarily fail. To take ownership of the rotation of a client secret, transfer the client secret value into AWS Secrets Manager (into the deployed secret, specifically -- see ExampleSecret above) and instruct AWS Secrets Manager to rotate the secret immediately. It's hands-off operation from then on out.
- AWS's Rotation Lambda Functions for RDS credentials
- The CloudFormation Custom Resource Helper library
