SnapshotCredentials

class aws_cdk.aws_rds.SnapshotCredentials

Bases: object

Credentials to update the password for a DatabaseInstanceFromSnapshot.

Example:

# vpc: ec2.Vpc

engine = rds.DatabaseInstanceEngine.postgres(version=rds.PostgresEngineVersion.VER_12_3)
my_key = kms.Key(self, "MyKey")

rds.DatabaseInstanceFromSnapshot(self, "InstanceFromSnapshotWithCustomizedSecret",
    engine=engine,
    vpc=vpc,
    snapshot_identifier="mySnapshot",
    credentials=rds.SnapshotCredentials.from_generated_secret("username",
        encryption_key=my_key,
        exclude_characters="!&*^#@()",
        replica_regions=[secretsmanager.ReplicaRegion(region="eu-west-1"), secretsmanager.ReplicaRegion(region="eu-west-2")]
    )
)

Attributes

encryption_key

KMS encryption key to encrypt the generated secret.

Default
  • default master key

Return type

Optional[IKey]

exclude_characters

The characters to exclude from the generated password.

Only used if generate_password is true.

Default
  • the DatabaseSecret default exclude character set (" %+~`#$&*()|[]{}:;<>?!'/@"\")

Return type

Optional[str]

generate_password

Whether a new password should be generated.

Return type

bool

password

The master user password.

Do not put passwords in your CDK code directly.

Default
  • the existing password from the snapshot

Return type

Optional[SecretValue]

replace_on_password_criteria_changes

Whether to replace the generated secret when the criteria for the password change.

Default

false

Return type

Optional[bool]

replica_regions

A list of regions where to replicate the generated secret.

Default
  • Secret is not replicated

Return type

Optional[List[ReplicaRegion]]

secret

Secret used to instantiate this Login.

Default
  • none

Return type

Optional[ISecret]

username

The master user name.

Must be the current master user name of the snapshot. It is not possible to change the master user name of an RDS instance.

Default
  • the existing username from the snapshot

Return type

Optional[str]

Static Methods

classmethod from_generated_password(username, *, encryption_key=None, exclude_characters=None, replica_regions=None)

Generate a new password for the snapshot, using the existing username and an optional encryption key.

Note - The username must match the existing master username of the snapshot.

NOTE: use from_generated_secret() for new Clusters and Instances. Switching from from_generated_password() to from_generated_secret() for already deployed Clusters or Instances will update their master password.

Parameters
  • username (str) –

  • encryption_key (Optional[IKey]) – KMS encryption key to encrypt the generated secret. Default: - default master key

  • exclude_characters (Optional[str]) – The characters to exclude from the generated password. Default: - the DatabaseSecret default exclude character set (” %+~`#$&*()|[]{}:;<>?!’/

  • replica_regions (Optional[Sequence[Union[ReplicaRegion, Dict[str, Any]]]]) – A list of regions where to replicate this secret. Default: - Secret is not replicated

Return type

SnapshotCredentials

classmethod from_generated_secret(username, *, encryption_key=None, exclude_characters=None, replica_regions=None)

Generate a new password for the snapshot, using the existing username and an optional encryption key.

The new credentials are stored in Secrets Manager.

Note - The username must match the existing master username of the snapshot.

Parameters
  • username (str) –

  • encryption_key (Optional[IKey]) – KMS encryption key to encrypt the generated secret. Default: - default master key

  • exclude_characters (Optional[str]) – The characters to exclude from the generated password. Default: - the DatabaseSecret default exclude character set (” %+~`#$&*()|[]{}:;<>?!’/

  • replica_regions (Optional[Sequence[Union[ReplicaRegion, Dict[str, Any]]]]) – A list of regions where to replicate this secret. Default: - Secret is not replicated

Return type

SnapshotCredentials

classmethod from_password(password)

Update the snapshot login with an existing password.

Parameters

password (SecretValue) –

Return type

SnapshotCredentials

classmethod from_secret(secret)

Update the snapshot login with an existing password from a Secret.

The Secret must be a JSON string with a password field:

{
   ...
   "password": <required: password>,
}

Parameters

secret (ISecret) –

Return type

SnapshotCredentials
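
A pre-deployment check for the secret payload that from_secret expects (a JSON string with a password field), as an added example that is not part of the CDK library or its documentation. The function name, the optional "username" field and the sample payloads are assumptions constructed for illustration; the exclude set used in the samples is the one from the example at the top of this page.

```python
import json


def check_snapshot_secret(secret_string, snapshot_master_username=None,
                          exclude_characters=""):
    """Return a list of problems in a secret payload intended for from_secret().

    exclude_characters only applies to generated passwords, so an existing
    secret has to be checked separately if the same policy should hold.
    """
    try:
        doc = json.loads(secret_string)
    except (TypeError, ValueError):
        return ["secret is not a JSON string"]
    if not isinstance(doc, dict):
        return ["secret JSON is not an object"]

    problems = []
    password = doc.get("password")
    if not isinstance(password, str) or not password:
        problems.append("missing or empty 'password' field")
    else:
        bad = sorted(set(password) & set(exclude_characters))
        if bad:
            problems.append("password contains excluded characters: " + "".join(bad))

    # Assumption: the secret may also carry a "username" field. The master
    # user name of a snapshot cannot be changed, so a mismatch is an error.
    username = doc.get("username")
    if (snapshot_master_username is not None and username is not None
            and username != snapshot_master_username):
        problems.append("'username' does not match the snapshot master user name")
    return problems


# Constructed sample payloads (not real credentials).
SAMPLES = {
    "ok": '{"username": "username", "password": "c0nstructed-Sample_pw"}',
    "plain_string": "c0nstructed-Sample_pw",
    "no_password": '{"username": "username"}',
    "bad_chars": '{"password": "abc#de!"}',
    "wrong_user": '{"username": "admin", "password": "c0nstructed-Sample_pw"}',
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, check_snapshot_secret(payload, "username", "!&*^#@()"))
```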