Rotate Secrets Manager managed external secrets - AWS Secrets Manager

Rotate Secrets Manager managed external secrets

Secrets Manager has partnered with select software vendors to offer managed external secrets. This feature helps customers manage the secret lifecycle by handling rotations automatically. With managed external secrets, customers no longer need to maintain secret-specific rotation logic for each partner they store secrets with; Secrets Manager handles the rotation for them.

To view the list of partners onboarded with Secrets Manager, see Managed external secrets Partners.

Set Up Rotation in the Console

To configure rotation for an existing managed external secret (one created with the secret type and value specified by the respective integration partner), use the following steps:

  1. Open the Secrets Manager console.

  2. Select your managed external secret from the list.

  3. Choose the Configuration tab.

  4. In the Rotation configuration section, choose Edit rotation.

  5. Turn on Automatic rotation.

  6. Under Rotation metadata, add any partner-specific metadata required for rotation:

    Follow the guidelines provided by your integration partner for any other required metadata.

  7. In Service permissions for secret rotation, select or create an IAM role for rotation:

    • Choose Create a new role to automatically create a role with the necessary permissions.

    • Or select an existing role with the appropriate permissions for your partner.

    By default, permissions are scoped to the individual partner in the region where the secret is created.

  8. Set your Rotation schedule (for example, rotate automatically every 30 days).

  9. Choose Save to apply the rotation configuration.

The two key metadata fields configured during this process are:

  ExternalSecretRotationMetadata
    Partner-specific metadata required for rotation, such as the API version for Salesforce.

  ExternalSecretRotationRoleArn
    The ARN of the IAM role used for rotation, with permissions scoped to the integration partner.

For more information on these fields, see Using Secrets Manager managed external secrets to manage Third Party secrets.

Set Up Rotation Using the CLI

Run the following command to set up rotation for a Salesforce secret. This command specifies the secret ID, the IAM role ARN for rotation, the rotation schedule, and any partner-specific metadata required for the rotation process.

aws secretsmanager rotate-secret \
    --secret-id SampleSecret \
    --external-secret-rotation-role-arn arn:aws:iam::123412341234:role/xyz \
    --rotation-rules AutomaticallyAfterDays=1 \
    --external-secret-rotation-metadata '[{"Key":"apiVersion","Value":"v65.0"}]'