set_secret user check logic
macinnisrob opened this issue · comments
I'm running into an error here:
The conditional doesn't seem to match the error message. Is it supposed to be only validating that the pending username contains the 'clone' suffix?
The message says:
Attempting to modify user %s other than current user or clone %s
But the conditional says:
get_alt_username(current_dict['username']) != pending_dict['username']
I would expect something more like:
if pending_dict['username'] not in [get_alt_username(current_dict['username']), current_dict['username']]
The multi-user rotation lambda alternates between user and user_clone on every rotation. The check ensures that the correct value is set for the current rotation. Specifically, if the prior value was user then the pending value should be user_clone, and if the prior value was user_clone the pending value should be user.
Check if both the current and pending secrets have the correct user name. If this does not help with the problem, please open a support case with AWS.
Also, if you do not want the user value to change between rotations, you can use single user rotation.
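The alternation described in the reply, as an added illustration that is not the rotation lambda's own code. The helper name get_alt_username and the "_clone" suffix are assumptions modelled on the names quoted in the issue; the block contrasts the strict check (pending must be the alternate of current) with the looser check proposed in the issue, and shows why the looser one would accept a pending secret that does not rotate the user.

```python
# Added illustration; not the rotation lambda's own code.
# Assumption: the clone suffix is "_clone" (the issue only mentions "user_clone").
CLONE_SUFFIX = "_clone"


def get_alt_username(username: str) -> str:
    """Return the other member of the user/user_clone pair.

    user       -> user_clone
    user_clone -> user
    """
    if username.endswith(CLONE_SUFFIX):
        return username[: -len(CLONE_SUFFIX)]
    return username + CLONE_SUFFIX


def pending_user_is_valid(current_username: str, pending_username: str) -> bool:
    """The set_secret check as the reply explains it: the pending secret must
    name the *alternate* of the current user, never the same user, because
    multi-user rotation alternates on every rotation."""
    return get_alt_username(current_username) == pending_username


def proposed_loose_check(current_username: str, pending_username: str) -> bool:
    """The looser condition suggested in the issue: accept either the current
    user or its clone. A pending secret that repeats the current user would
    pass here, so the clone would never be rotated."""
    return pending_username in [get_alt_username(current_username), current_username]


def rejection_message(current_username: str, pending_username: str) -> str:
    """The error text quoted in the issue, formatted for a rejected pending secret."""
    return "Attempting to modify user %s other than current user or clone %s" % (
        pending_username,
        current_username,
    )


def simulate_rotations(start_username: str, rotations: int) -> list:
    """Walk successive rotations and return the usernames the pending secret
    takes, starting from start_username, to show the user/user_clone alternation."""
    sequence = [start_username]
    for _ in range(rotations):
        sequence.append(get_alt_username(sequence[-1]))
    return sequence


if __name__ == "__main__":
    # Constructed sample: a secret whose current user is "app".
    for pending in ("app_clone", "app", "other_clone"):
        if pending_user_is_valid("app", pending):
            print("accepted:", pending)
        else:
            print("rejected:", rejection_message("app", pending))
    print(simulate_rotations("app", 3))
```

The strict equality test is what keeps the two users alternating: any pending value other than the alternate of the current user is refused, and the message names both the offending pending user and the current user so the mismatch is visible in the rotation logs.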