Introduction

Secrets Manager rotation is a multi-step workflow, not a single secret update. The rotation Lambda must create or stage a new secret value, apply it to the target system, verify it, and finalize the version labels. If the function times out in the middle, the secret can be left in an awkward partially rotated state and future rotation attempts may fail until the sequence is cleaned up.

Symptoms

  • Rotation fails with a Lambda timeout error
  • The secret shows a failed or stuck rotation state
  • CloudWatch logs stop during setSecret, testSecret, or finishSecret
  • Retrying rotation immediately causes conflict-style errors or partial progress

Common Causes

  • The Lambda timeout is too low for the target system
  • The function cannot reach the database or service because of VPC or security group issues
  • Database credential changes or validation steps take longer than expected
  • The function package is slow or underprovisioned, so initialization eats too much of the timeout budget

Step-by-Step Fix

  1. Check the function timeout and memory configuration

     A 30-second function is often too short for real rotation logic, especially with network calls and database updates.

     ```bash
     aws lambda get-function-configuration \
       --function-name SecretsManagerRotation
     ```

  2. Increase timeout and memory before retesting

     Give the rotation Lambda enough headroom to finish the full step sequence cleanly.

     ```bash
     aws lambda update-function-configuration \
       --function-name SecretsManagerRotation \
       --timeout 120 \
       --memory-size 256
     ```

  3. Verify VPC reachability to the target system

     If the Lambda cannot reach the database, extra timeout will only delay the failure.

  4. Inspect logs to find the exact rotation step that hangs

     The failing step usually tells you whether the bottleneck is authentication, networking, or secret state handling.

     ```bash
     aws logs tail /aws/lambda/SecretsManagerRotation --follow
     ```
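As an added example (not code from this page or from AWS's rotation templates), here is a Python dispatcher that applies a per-step time budget to the rotation sequence from the introduction and logs each step's duration, so a slow step fails early with a clear error instead of being killed mid-rotation and leaving the secret half rotated. The step budgets, the `FakeContext` stand-in and the injected `handlers` mapping are assumptions so it runs offline; in a real function the handlers would do the actual create/set/test/finish work.

```python
import logging
import time

logger = logging.getLogger(__name__)

# Rotation steps in the order Secrets Manager invokes them (step names as in the Lambda event).
ROTATION_STEPS = ("createSecret", "setSecret", "testSecret", "finishSecret")

# Constructed worst-case budgets per step, in milliseconds (assumption: tune for your target).
STEP_BUDGET_MS = {"createSecret": 2_000, "setSecret": 30_000,
                  "testSecret": 15_000, "finishSecret": 2_000}


class InsufficientTimeError(RuntimeError):
    """Remaining Lambda time cannot cover the step's worst-case budget."""


class FakeContext:
    """Stand-in for the Lambda context object, exposing only the method used here."""

    def __init__(self, remaining_ms):
        self.remaining_ms = remaining_ms

    def get_remaining_time_in_millis(self):
        return self.remaining_ms


def run_rotation_step(event, context, handlers):
    """Run one rotation step, refusing to start it without enough remaining time.

    event:    dict with "SecretId", "ClientRequestToken" and "Step" (Secrets Manager shape).
    context:  Lambda context (or FakeContext) with get_remaining_time_in_millis().
    handlers: hypothetical mapping step name -> callable(secret_id, token); injected so the
              dispatcher runs offline. Returns (step, elapsed_ms).
    """
    step = event["Step"]
    if step not in ROTATION_STEPS:
        raise ValueError(f"unknown rotation step: {step}")
    remaining, budget = context.get_remaining_time_in_millis(), STEP_BUDGET_MS[step]
    if remaining < budget:
        # Fail before touching the target system rather than being killed mid-step.
        raise InsufficientTimeError(f"{step}: {remaining} ms left, need {budget} ms")
    started = time.monotonic()
    handlers[step](event["SecretId"], event["ClientRequestToken"])
    elapsed_ms = int((time.monotonic() - started) * 1000)
    # One line per step makes a slow setSecret or testSecret visible in CloudWatch.
    logger.info("rotation step=%s secret=%s elapsed_ms=%d", step, event["SecretId"], elapsed_ms)
    return step, elapsed_ms
```

Because the check runs before the handler, a refused step leaves the target system untouched, which is what makes a retry after raising the timeout safe.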

Prevention

  • Size rotation Lambda timeout for the real end-to-end secret update path
  • Keep rotation functions close to the systems they must reach
  • Monitor rotation duration and failures as first-class secret hygiene signals
  • Test rotation workflows manually before relying on scheduled automatic rotation