SnapshotCredentials

class aws_cdk.aws_rds.SnapshotCredentials

Bases: object

Credentials to update the password for a DatabaseInstanceFromSnapshot.

ExampleMetadata:

infused

Example:

# vpc: ec2.Vpc

engine = rds.DatabaseInstanceEngine.postgres(version=rds.PostgresEngineVersion.VER_16_3)
my_key = kms.Key(self, "MyKey")

rds.DatabaseInstanceFromSnapshot(self, "InstanceFromSnapshotWithCustomizedSecret",
    engine=engine,
    vpc=vpc,
    snapshot_identifier="mySnapshot",
    credentials=rds.SnapshotCredentials.from_generated_secret("username",
        encryption_key=my_key,
        exclude_characters="!&*^#@()",
        replica_regions=[secretsmanager.ReplicaRegion(region="eu-west-1"), secretsmanager.ReplicaRegion(region="eu-west-2")]
    )
)

Attributes

encryption_key

KMS encryption key to encrypt the generated secret.

Default:
  • default master key

exclude_characters

The characters to exclude from the generated password.

Only used if generatePassword if true.

Default:
  • the DatabaseSecret default exclude character set (” %+~`#$&*()|[]{}:;<>?!’/@”")

generate_password

Whether a new password should be generated.

password

The master user password.

Do not put passwords in your CDK code directly.

Default:
  • the existing password from the snapshot

replace_on_password_criteria_changes

Whether to replace the generated secret when the criteria for the password change.

Default:

false

replica_regions

A list of regions where to replicate the generated secret.

Default:
  • Secret is not replicated

secret

Secret used to instantiate this Login.

Default:
  • none

username

The master user name.

Must be the current master user name of the snapshot. It is not possible to change the master user name of a RDS instance.

Default:
  • the existing username from the snapshot

Static Methods

classmethod from_generated_password(username, *, encryption_key=None, exclude_characters=None, replica_regions=None)

Generate a new password for the snapshot, using the existing username and an optional encryption key.

Note - The username must match the existing master username of the snapshot.

NOTE: use fromGeneratedSecret() for new Clusters and Instances. Switching from fromGeneratedPassword() to fromGeneratedSecret() for already deployed Clusters or Instances will update their master password.

Parameters:
  • username (str) –

  • encryption_key (Optional[IKey]) – KMS encryption key to encrypt the generated secret. Default: - default master key

  • exclude_characters (Optional[str]) – The characters to exclude from the generated password. Default: - the DatabaseSecret default exclude character set (” %+~`#$&*()|[]{}:;<>?!’/@”")

  • replica_regions (Optional[Sequence[Union[ReplicaRegion, Dict[str, Any]]]]) – A list of regions where to replicate this secret. Default: - Secret is not replicated

Return type:

SnapshotCredentials

classmethod from_generated_secret(username, *, encryption_key=None, exclude_characters=None, replica_regions=None)

Generate a new password for the snapshot, using the existing username and an optional encryption key.

The new credentials are stored in Secrets Manager.

Note - The username must match the existing master username of the snapshot.

Parameters:
  • username (str) –

  • encryption_key (Optional[IKey]) – KMS encryption key to encrypt the generated secret. Default: - default master key

  • exclude_characters (Optional[str]) – The characters to exclude from the generated password. Default: - the DatabaseSecret default exclude character set (” %+~`#$&*()|[]{}:;<>?!’/@”")

  • replica_regions (Optional[Sequence[Union[ReplicaRegion, Dict[str, Any]]]]) – A list of regions where to replicate this secret. Default: - Secret is not replicated

Return type:

SnapshotCredentials

classmethod from_password(password)

Update the snapshot login with an existing password.

Parameters:

password (SecretValue) –

Return type:

SnapshotCredentials

classmethod from_secret(secret)

Update the snapshot login with an existing password from a Secret.

The Secret must be a JSON string with a password field:

{
  ...
  "password": <required: password>,
}
Parameters:

secret (ISecret) –

Return type:

SnapshotCredentials