Oracle Cloud Infrastructure Documentation
Try Free Tier

Database Secret Rotation without Wallet Function

Find out how to use the Database Secret Rotation without Wallet pre-built function in OCI Functions to rotate secrets using TLS connection to the database.

Common Usage Scenarios

Use the Database Secret Rotation without Wallet PBF to automatically rotate secrets of the database by making a JDBC TLS connection without a wallet.

Services related to the Database Secret Rotation without Wallet function include:

Scope

Scope considerations for this function include:

  • The pre-built function can be used with any database supporting a JDBC URL.
  • Secret Service uses the function created by the pre-built function to rotate the database secrets.

Prerequisites and Recommendations

The following are best practices when using this pre-built function:

  • Set the pre-built function timeout to 300 seconds.
  • The VCN linked to the application facilitates access to other OCI services by using a Service Gateway, Internet Gateway, or NAT gateway.

Configuring the Database Secret Rotation without Wallet Function

To configure a Database Secret Rotation without wallet function, perform the following steps:

  1. On the Pre-Built Functions page, select Database Secret Rotation without Wallet, and then select Create function.
  2. Configure the Name, Compartment, and Application as follows:
    • Name: A name of your choice for the new function. The name must start with a letter or underscore, followed by letters, numbers, hyphens, or underscores. Length can be 1–255 characters. Avoid entering confidential information.

      To create the function in a different compartment, select Change Compartment.

    • Application: Select the application in which you want to create the function.

      If a suitable application doesn't already exist in the current compartment, select Create new application and specify the following details:

      • Name: A name for the new application. Avoid entering confidential information.
      • VCN: The VCN (virtual cloud network) in which to run functions in the application. Optionally, select Change Compartment to select a VCN from a different compartment.
      • Subnets: The subnet (or subnets, up to a maximum of three) in which to run functions. Optionally, select Change Compartment to select a subnet from a different compartment.
      • Shape: The processor architecture of the compute instances on which to deploy and run functions in the application. All the functions in the application are deployed and run on compute instances with the same architecture. The function's image must contain the necessary dependencies for the architecture you select.
      • Tagging options: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you're not sure whether to apply tags, skip this option or ask an administrator. You can apply tags later.
  3. Configure the IAM policy for pre-built functions.

    By default, OCI Functions creates a dynamic group and an IAM policy with the policy statements required to run the pre-built function. Make no changes to accept the default behavior.

    If you don't want OCI Functions to automatically create the dynamic group and policy, select Do not create a dynamic group and IAM policy.

    Important

    If you select the Do not create a dynamic group and IAM policy option, you must define the dynamic group and the IAM policy yourself.
  4. Configure function memory and timeout values as follows:
    • Memory: The maximum amount of memory that the function can use while running, in megabytes. This is the memory available to the function image. (Default: 512 MB)
    • Timeout: The maximum amount of time that the function can run for, in seconds. If the function doesn’t complete in the specified time, the system cancels the function. (Default: 300)
  5. (Optional) Configure Provisioned concurrency to minimize any initial delays when invoking the function by specifying a minimum number of concurrent function invocations for which you want to have execution infrastructure constantly available. (Default: Not selected)

    If selected, specify the number of provisioned concurrency units assigned to this function. Default: 20.

    For more information about provisioned concurrency, see Reducing Initial Latency Using Provisioned Concurrency.

  6. Optionally enter any tags in the Tagging options section. If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you're not sure whether to apply tags, skip this option or ask an administrator. You can apply tags later.
  7. Select Create.

The deploy dialog displays the tasks to deploy the function (see Finishing Pre-Built Function Deployment).

Configuration Options

Invoking This Function

The function created using this PBF would be invoked by the secret service to rotate the secret.
  1. Create a function using this PBF and copy the function ID.
    1. Open the navigation menu, select Identity & Security, and then select Vault.
    2. Under List scope, select a compartment that contains the secrets that you have created in a vault.
    3. From the list of secrets, select a secret name that you require to rotate using this PBF, or create a new secret.
  3. Select Target system type as Function for rotations.
  4. Add the function ID copied from step 1 as the Target system ID.
  5. Ensure that the secret follows these requirements:
    • Secret must have auto-generation enabled.
    • The Secret Content is expected to be a JSON string with the following format:
      {
    ‘username’: <required: username>,
    ‘password’: <required: password>
    ‘connectionString’: <required: DB connection string>
  }
    • Username and password must establish a connection with the database using the format: jdbc:oracle:thin:@<connectionString>?user=<username>&password=<example-password>
    • Ensure to use TLS connection.
      Note

      This function isn't compatible with MTLS connection.

Troubleshooting

A pre-built function execution returns a 502 error code if the pre-built function’s code encounters any problem. To identify the cause, enable logging features for the pre-built function (see Invoking a function returns a Function failed message and a 502 error).

Tip

For detailed information on troubleshooting a function, see Troubleshooting OCI Functions.

Log Analysis Tips

  • Since an application has multiple functions, the pre-built function log entries are identified by the prefix "PBF | <PBF NAME> ".

    For example, a log entry for the Database Secret Rotation without Wallet pre-built function looks similar to the following:

    "PBF | Database Secret Rotation without Wallet | INFO | 2024-01-31T18:06:50.809Z | Fetching details from Events JSON"
  • All the pre-built functions provide an option to specify the logging level as a configuration parameter. You can set the logging level to DEBUG to get more information.

The following table summarizes common errors that you might encounter when working with pre-built functions:

Error Code Error Message Action
404 NotAuthorizedOrNotFound Verify that the required policies are configured.

The following table summarizes the response status codes that you might encounter when working with this pre-built function:

Step Status Code Response Message Description
VERIFY_CONNECTION 200 Connection using the pending secret version was successful! A pending version of the secret exists, and the database connection was successfully established using that version.
Connection using the current secret version was successful! The database connection was successful with the current secret version.
400 Connection using the current secret version was unsuccessful. Invalid credentials in the current secret version or any pending version, if exists.
404 Current version of the secret not found No current version of the secret exists with the given secretId.
500 <EXCEPTION MESSAGE> Thrown when any exception occurs while verifying connection.
CREATE_PENDING_VERSION 200 Pending version already exists! A pending version of the secret already exists. Doesn't create a new pending version.
Pending version created successfully! A pending version doesn't exist, a new pending version of the secret is created.
<EXCEPTION CODE> Pending version creation failed. Exception from DP client while trying to create a new pending version of the secret.
500 <EXCEPTION MESSAGE> Thrown when any exception occurs while creating a new version.
UPDATE_TARGET_SYSTEM 200 Target system already updated. The database can be connected using the pending secret version, indicating that this version was previously used to update the database credentials.
Target system updated successfully! Database credentials were updated with the pending version of the secret.
404 No pending version exists. No pending version of the secret exists which can be used to update the target system.
500 Target system update failed. Attempted to update the target system with the new pending version credentials, but the database connection verification using those credentials failed.
<EXCEPTION MESSAGE> Thrown when any exception occurs while updating the target system.
PROMOTE_PENDING_VERSION 200 Pending version promoted! Pending version successfully got promoted to current.
500 <EXCEPTION MESSAGE> Thrown when any exception occurs while promoting the pending version.

Was this article helpful?