We are using the alternating users rotation strategy to make sure our RDS passwords are rotated regularly.
Our warm (and provisioned) lambdas hang on to the current userid/password for a short period (approx. 1 hour) to reduce the number of times we need to hit Secrets Manager for a credential that only changes every X months.
The cached credential is still a perfectly valid RDS userid/password even after the new one is made "active" (explicitly by design as part of this rotation strategy), but the problem is that RDS Proxy barfs if a lambda tries to establish a connection using it because the newly updated Secret no longer contains that userid/password as the current credential. Connecting directly to the database (instead of via the proxy) works just fine.
The only way I can see around this is to change my lambdas to read the secret value /every/ time - which is a) super slow, b) has a financial impact, and c) wasteful for a password rotation that only happens every X months.
Anyone managed to find a way to beat RDS Proxy into submission in this scenario?
Do your normal cache as usual but wrap it in a boolean like
shouldRetrieveCredentialsFromSecretsManager
, thentry..catch
the connection handler, and if you receive a password error, flip the boolean, re-request the secret from Secrets Manager, and update the cache.This way you're not requesting it every time, you simply evict the cache once you get an authentication error and rebuild it.