amazon web services - How to use new secret created by key rotation from AWS Secrets Manager

Question

I have a Java application using MongoDB (or it could be any service like that). On start up, the app creates a singleton connection to database. To connect, I get the MongoDB from AWS Secrets Manager... and thus the application runs merrily ever after communicating with MongoDB.

My question is: What happens when AWS Secrets Manager rotates keys?

• How does my app come to 'know' that secret has been rotated.
• Do I have to synchronize the timing between Secrets Manager and my app?

e.g. rotation is set to 7 days. So I code in my app to refresh every 7 days... not good, as very hard to time precisely.

Another way could be, if my app faces authentication exception, just refresh password and make a new connection and retry app logic.

What is the industry standard?

Answer 1

How does my app come to 'know' that secret has been rotated?

-AWS Secrets Manager publishes the CloudTrail event - 'RotationSucceeded' when rotation succeeds and the cloudtrail event 'RotationFailed' when rotation fails. You can setup a cloudwatch rule on this cloudtrail event - https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/Create-CloudWatch-Events-CloudTrail-Rule.html

and have a SNS or a Lambda setup as the target for the rule and execute any logic you want after rotation succeeds