Database Secret Rotation with Wallet Function
Find out how to use the Database Secret Rotation with Wallet pre-built function in OCI Functions to rotate database secrets over an mTLS (wallet) connection to the database.
Common Usage Scenarios
Use the Database Secret Rotation with Wallet PBF to automatically rotate database secrets by making a JDBC connection with a wallet (mTLS).
Services related to the Database Secret Rotation with Wallet function include:
Scope
Scope considerations for this function include:
- The pre-built function can be used with any database supporting a JDBC URL.
- Secret Service uses the function created by the pre-built function to rotate the database secrets.
- Database Secret Rotation with Wallet PBF is used with the Autonomous Database. For more information about Autonomous Database, see Autonomous Database.
Prerequisites and Recommendations
The following are best practices when using this pre-built function:
- Set the pre-built function timeout to 300 seconds.
- The VCN linked to the application facilitates access to other OCI services by using a Service Gateway, Internet Gateway, or NAT gateway.
Configuring the Database Secret Rotation with Wallet Function
To configure a Database Secret Rotation with Wallet function, perform the following steps:
The deploy dialog displays the tasks to deploy the function (see Finishing Pre-Built Function Deployment).
Configuration Options
Invoking This Function
- Create a function using this PBF and copy the function ID.
- Open the navigation menu, click Identity & Security, and then click Vault.
- Under List scope, select a compartment that contains the secrets that you have created in a vault.
- From the list of secrets, click the name of the secret that you want to rotate using this PBF, or create a new secret.
  - To create a new secret, see Create a secret.
  - To update an existing secret, see Update a secret.
- Select Target system type as Function for rotations.
- Add the function ID copied from step 1 as the Target system ID.
- Ensure that the secret meets these requirements:
  - The secret must have auto-generation enabled.
  - The Secret Content is expected to be a JSON string with the following format:
    { "username": <required: username>, "password": <required: password>, "adbId": <required: adbId>, "tnsName": <required: tnsName (adbName + "_high/_low/_medium")> }
  - The username and password must be able to establish a connection with the database using a URL of the form:
    jdbc:oracle:thin:@<tnsName>?TNS_ADMIN=<walletDirectory>
  - The secret content is expected to include tnsName (which is adbName + "_high/_low/_medium") and adbId.
  - Use an mTLS connection. See JDBC Thin Connections with a Wallet (mTLS).
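The checks below, written as an added example and not taken from the pre-built function's own code, validate a secret's content against the JSON format above, build the wallet (TNS_ADMIN) JDBC URL in the form the page gives, and produce a redacted copy safe for logging. The sample secret is constructed and its adbId is a placeholder, not a real OCID; the wallet file names checked by `wallet_dir_ok` (tnsnames.ora and cwallet.sso) are an assumption about a typical downloaded wallet directory.

```python
import json
import os

# Keys the secret content must carry, per the JSON format described above.
REQUIRED_KEYS = ("username", "password", "adbId", "tnsName")
# tnsName is the ADB name plus one of the service-level suffixes.
TNS_SUFFIXES = ("_high", "_medium", "_low")
# Files a TNS_ADMIN wallet directory is assumed to need for an mTLS connection.
WALLET_FILES = ("tnsnames.ora", "cwallet.sso")


def parse_secret_content(content: str) -> dict:
    """Parse the secret content and check the fields the rotation relies on.

    Raising a specific ValueError here makes a malformed secret show up in
    the function log instead of surfacing only as a generic 502.
    """
    try:
        data = json.loads(content)
    except json.JSONDecodeError as exc:
        raise ValueError(f"secret content is not valid JSON: {exc.msg}") from exc
    if not isinstance(data, dict):
        raise ValueError("secret content must be a JSON object")
    missing = [key for key in REQUIRED_KEYS if not data.get(key)]
    if missing:
        raise ValueError("missing or empty required field(s): " + ", ".join(missing))
    if not data["tnsName"].endswith(TNS_SUFFIXES):
        raise ValueError("tnsName must end with _high, _medium or _low")
    return data


def validation_error(content: str) -> str:
    """Return the validation message for bad content, or an empty string when valid."""
    try:
        parse_secret_content(content)
    except ValueError as exc:
        return str(exc)
    return ""


def jdbc_url(tns_name: str, wallet_dir: str) -> str:
    """Build the thin-driver URL in the form the page gives (mTLS via TNS_ADMIN)."""
    return f"jdbc:oracle:thin:@{tns_name}?TNS_ADMIN={wallet_dir}"


def wallet_dir_ok(wallet_dir: str) -> bool:
    """True when the directory holds the files assumed necessary for a wallet connection."""
    return all(os.path.isfile(os.path.join(wallet_dir, name)) for name in WALLET_FILES)


def redacted(data: dict) -> dict:
    """Copy of the secret content that is safe to write to the function log."""
    return {key: ("***" if key == "password" else value) for key, value in data.items()}


# Constructed sample secret content; the adbId is a placeholder, not a real OCID.
SAMPLE_SECRET = json.dumps({
    "username": "APP_USER",
    "password": "example-only-password",
    "adbId": "ocid1.autonomousdatabase.oc1..PLACEHOLDER",
    "tnsName": "mydb_high",
})


if __name__ == "__main__":
    creds = parse_secret_content(SAMPLE_SECRET)
    print(redacted(creds))
    print(jdbc_url(creds["tnsName"], "/opt/oracle/wallet"))
```

Running the module prints the redacted content and the URL; the password never reaches the log, which matters because function logs are often readable by more people than the vault.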
Troubleshooting
A pre-built function execution returns a 502 error code if the pre-built function’s code encounters any problem. To identify the cause, enable logging features for the pre-built function (see Invoking a function returns a Function failed message and a 502 error).
Log Analysis Tips
- Since an application has multiple functions, the pre-built function log entries are identified by the prefix "PBF | <PBF NAME> ". For example, a log entry for the Database Secret Rotation with Wallet pre-built function looks similar to the following:
  "PBF | Database Secret Rotation with Wallet | INFO | 2024-01-31T18:06:50.809Z | Fetching details from Events JSON"
- All the pre-built functions provide an option to specify the logging level as a configuration parameter. You can set the logging level to DEBUG to get more information.
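A small parser for the "PBF | <PBF NAME> | <LEVEL> | <timestamp> | <message>" entry format, added here as an example rather than taken from the page or from OCI tooling, makes it easy to pull one pre-built function's entries out of a shared application log and to filter by level. The sample log is constructed: its first line is the page's own example, the other lines are made up to show mixed output from several functions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional

# Pre-built function log format: PBF | <PBF NAME> | <LEVEL> | <ISO timestamp> | <message>
# Lines may arrive wrapped in double quotes, as in the example above.
PBF_LINE = re.compile(
    r'^"?PBF \| (?P<pbf>[^|]+?) \| (?P<level>[A-Z]+) \| (?P<ts>[^|]+?) \| (?P<msg>.*?)"?$'
)
LEVEL_RANK = {"DEBUG": 10, "INFO": 20, "WARN": 30, "WARNING": 30, "ERROR": 40}


@dataclass
class PbfLogEntry:
    pbf: str
    level: str
    timestamp: datetime
    message: str


def parse_pbf_line(line: str) -> Optional[PbfLogEntry]:
    """Parse one log line; return None for lines not written by a pre-built function."""
    match = PBF_LINE.match(line.strip())
    if not match:
        return None
    ts = match.group("ts").strip()
    # datetime.fromisoformat only accepts a trailing "Z" from Python 3.11 on.
    timestamp = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return PbfLogEntry(match.group("pbf").strip(), match.group("level"), timestamp, match.group("msg"))


def pbf_entries(lines: Iterable[str], pbf_name: Optional[str] = None,
                min_level: str = "INFO") -> List[PbfLogEntry]:
    """Keep entries for one PBF (or all PBFs) at or above min_level, in log order."""
    floor = LEVEL_RANK[min_level]
    kept = []
    for line in lines:
        entry = parse_pbf_line(line)
        if entry is None:
            continue                      # some other function's output
        if pbf_name is not None and entry.pbf != pbf_name:
            continue
        if LEVEL_RANK.get(entry.level, 0) < floor:
            continue
        kept.append(entry)
    return kept


# Constructed sample: the first line is the page's example, the rest are made up.
SAMPLE_LOG = [
    '"PBF | Database Secret Rotation with Wallet | INFO | 2024-01-31T18:06:50.809Z | Fetching details from Events JSON"',
    'PBF | Database Secret Rotation with Wallet | DEBUG | 2024-01-31T18:06:51.120Z | Step VERIFY_CONNECTION started',
    'my-other-function: request handled in 12 ms',
    'PBF | Database Secret Rotation with Wallet | ERROR | 2024-01-31T18:06:52.004Z | Connection using the current secret version was unsuccessful.',
    'PBF | Some Other PBF | INFO | 2024-01-31T18:07:00.000Z | Done',
]


if __name__ == "__main__":
    for entry in pbf_entries(SAMPLE_LOG, pbf_name="Database Secret Rotation with Wallet"):
        print(entry.timestamp.isoformat(), entry.level, entry.message)
```

Raising the logging level to DEBUG makes the second sample line visible; filtering on ERROR is the quick way to find the failed step when a rotation returns a 502.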
The following table summarizes common errors that you might encounter when working with pre-built functions:
Error Code | Error Message | Action
---|---|---
404 | NotAuthorizedOrNotFound | Verify that the required policies are configured.
The following table summarizes the response status codes that you might encounter when working with this pre-built function:
Step | Status Code | Response Message | Description
---|---|---|---
VERIFY_CONNECTION | 200 | Connection using the pending secret version was successful! | A pending version of the secret exists, and the database connection was successfully established using that version.
VERIFY_CONNECTION | 200 | Connection using the current secret version was successful! | The database connection was successful with the current secret version.
VERIFY_CONNECTION | 400 | Connection using the current secret version was unsuccessful. | Invalid credentials in the current secret version, or in the pending version if one exists.
VERIFY_CONNECTION | 404 | Current version of the secret not found | No current version of the secret exists with the given secretId.
VERIFY_CONNECTION | 500 | <EXCEPTION MESSAGE> | Thrown when any exception occurs while verifying the connection.
CREATE_PENDING_VERSION | 200 | Pending version already exists! | A pending version of the secret already exists; a new pending version is not created.
CREATE_PENDING_VERSION | 200 | Pending version created successfully! | No pending version existed, so a new pending version of the secret is created.
CREATE_PENDING_VERSION | <EXCEPTION CODE> | Pending version creation failed. | Exception from the DP client while trying to create a new pending version of the secret.
CREATE_PENDING_VERSION | 500 | <EXCEPTION MESSAGE> | Thrown when any exception occurs while creating a new version.
UPDATE_TARGET_SYSTEM | 200 | Target system already updated. | The database can be connected to using the pending secret version, indicating that this version was previously used to update the database credentials.
UPDATE_TARGET_SYSTEM | 200 | Target system updated successfully! | Database credentials were updated with the pending version of the secret.
UPDATE_TARGET_SYSTEM | 404 | No pending version exists. | No pending version of the secret exists that can be used to update the target system.
UPDATE_TARGET_SYSTEM | 500 | Target system update failed. | Attempted to update the target system with the new pending version credentials, but the database connection verification using those credentials failed.
UPDATE_TARGET_SYSTEM | 500 | <EXCEPTION MESSAGE> | Thrown when any exception occurs while updating the target system.
PROMOTE_PENDING_VERSION | 200 | Pending version promoted! | The pending version was promoted to current.
PROMOTE_PENDING_VERSION | 500 | <EXCEPTION MESSAGE> | Thrown when any exception occurs while promoting the pending version.
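The four steps in the table form a rotation state machine whose value lies in being safe to retry: a re-run must not mint a second pending version or fail because the database password was already changed. The model below is an added example, not the pre-built function's code; it replaces the vault, the Secrets Service's auto-generated password and the JDBC connection with in-memory stand-ins (`FakeVault`, `FakeDatabase`, `secrets.token_urlsafe`) and the `rotate` driver that runs the steps back to back is a simplification of the service invoking the function once per step. Status codes and messages are those of the table; the exception texts behind the 500 rows are constructed.

```python
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Response messages copied from the status-code table above.
PENDING_OK = "Connection using the pending secret version was successful!"
CURRENT_OK = "Connection using the current secret version was successful!"
CURRENT_BAD = "Connection using the current secret version was unsuccessful."
CURRENT_MISSING = "Current version of the secret not found"
PENDING_EXISTS = "Pending version already exists!"
PENDING_CREATED = "Pending version created successfully!"
TARGET_ALREADY = "Target system already updated."
TARGET_UPDATED = "Target system updated successfully!"
NO_PENDING = "No pending version exists."
TARGET_FAILED = "Target system update failed."
PROMOTED = "Pending version promoted!"


@dataclass
class FakeVault:
    """Stand-in for the secret: a current version and an optional pending version."""
    current: Optional[dict]
    pending: Optional[dict] = None


@dataclass
class FakeDatabase:
    """Stand-in for the database; the real function opens a JDBC mTLS connection."""
    passwords: dict  # username -> password the database currently accepts

    def can_connect(self, creds: dict) -> bool:
        return self.passwords.get(creds["username"]) == creds["password"]

    def alter_user_password(self, creds: dict) -> None:
        # Stands in for the password change issued over the existing connection.
        self.passwords[creds["username"]] = creds["password"]


def verify_connection(vault: FakeVault, db: FakeDatabase) -> Tuple[int, str]:
    if vault.pending is not None and db.can_connect(vault.pending):
        return 200, PENDING_OK
    if vault.current is None:
        return 404, CURRENT_MISSING
    if db.can_connect(vault.current):
        return 200, CURRENT_OK
    return 400, CURRENT_BAD


def create_pending_version(vault: FakeVault, db: FakeDatabase) -> Tuple[int, str]:
    if vault.pending is not None:
        return 200, PENDING_EXISTS           # retry: never create a second pending version
    if vault.current is None:
        raise RuntimeError("cannot create a pending version without a current version")
    # Stands in for the auto-generated password of the new pending version.
    vault.pending = {**vault.current, "password": secrets.token_urlsafe(24)}
    return 200, PENDING_CREATED


def update_target_system(vault: FakeVault, db: FakeDatabase) -> Tuple[int, str]:
    if vault.pending is None:
        return 404, NO_PENDING
    if db.can_connect(vault.pending):
        return 200, TARGET_ALREADY           # retry after an earlier successful update
    if not db.can_connect(vault.current):
        raise RuntimeError("current credentials rejected; cannot change the password")
    db.alter_user_password(vault.pending)
    if not db.can_connect(vault.pending):    # verify with the new credentials before reporting success
        return 500, TARGET_FAILED
    return 200, TARGET_UPDATED


def promote_pending_version(vault: FakeVault, db: FakeDatabase) -> Tuple[int, str]:
    if vault.pending is None:
        raise RuntimeError("no pending version to promote")
    vault.current, vault.pending = vault.pending, None
    return 200, PROMOTED


STEPS = [
    ("VERIFY_CONNECTION", verify_connection),
    ("CREATE_PENDING_VERSION", create_pending_version),
    ("UPDATE_TARGET_SYSTEM", update_target_system),
    ("PROMOTE_PENDING_VERSION", promote_pending_version),
]


def run_step(name, fn, vault, db):
    """Run one step; any exception becomes the table's 500 / <EXCEPTION MESSAGE> row."""
    try:
        status, message = fn(vault, db)
    except Exception as exc:
        status, message = 500, str(exc)
    return name, status, message


def rotate(vault, db):
    """Run the steps in order, stopping at the first step that does not return 200."""
    results = []
    for name, fn in STEPS:
        result = run_step(name, fn, vault, db)
        results.append(result)
        if result[1] != 200:
            break
    return results


if __name__ == "__main__":
    vault = FakeVault(current={"username": "APP_USER", "password": "old-pw"})   # constructed
    db = FakeDatabase(passwords={"APP_USER": "old-pw"})
    for step, status, message in rotate(vault, db):
        print(f"{step:24} {status} {message}")
```

The retry rows in the table fall out of two checks: CREATE_PENDING_VERSION returns early when a pending version exists, and UPDATE_TARGET_SYSTEM first tries the pending credentials against the database, so a function invocation that died after changing the password but before reporting success is harmless to repeat.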