Managing Amazon Redshift admin passwords using AWS Secrets Manager - Amazon Redshift

Managing Amazon Redshift admin passwords using AWS Secrets Manager

Amazon Redshift can integrate with AWS Secrets Manager to generate and manage your admin credentials inside an encrypted secret. With AWS Secrets Manager, you can replace admin passwords that are hard-coded in applications or configuration files with an API call that retrieves the secret when it's needed. Using secrets instead of hard-coded credentials reduces the risk of those credentials being exposed or compromised. For more information about AWS Secrets Manager, see the AWS Secrets Manager User Guide.

You can specify that Amazon Redshift manages your admin password using AWS Secrets Manager when you perform one of the following operations:

  • Creating a provisioned cluster or serverless namespace

  • Restoring a cluster or serverless namespace from a snapshot

When you specify that Amazon Redshift manages the admin password in AWS Secrets Manager, Amazon Redshift generates the password and stores it in Secrets Manager. You can access the secret directly in AWS Secrets Manager to retrieve the credentials for the admin user. By default, the secret is encrypted with the AWS managed key that AWS Secrets Manager provides (aws/secretsmanager). Optionally, you can specify a customer managed KMS key instead; you need a customer managed key if you want to access the secret from another AWS account, because an AWS managed key can't be used for cross-account access.

Amazon Redshift manages the settings for the secret and rotates the secret every 30 days by default. You can manually rotate the secret at any time. If you delete a provisioned cluster or serverless namespace that manages a secret in AWS Secrets Manager, the secret and its associated metadata are also deleted.

To connect to a cluster or serverless namespace with secret-managed credentials, you can retrieve the secret from AWS Secrets Manager using the Secrets Manager console or the GetSecretValue Secrets Manager API call. For more information, see Retrieve secrets from AWS Secrets Manager and Connect to a SQL database with credentials in an AWS Secrets Manager secret in the AWS Secrets Manager User Guide.

Permissions required for AWS Secrets Manager integration

Users must have the required permissions to perform operations related to AWS Secrets Manager integration. Create IAM policies that grant permission to perform only the specific API operations, on only the specific resources, that each principal needs. Then attach those policies to the IAM permission sets or roles that require those permissions. For more information, see Identity and access management in Amazon Redshift.

The user who specifies that Amazon Redshift manages the admin password in AWS Secrets Manager must have permissions to perform the following operations:

  • secretsmanager:CreateSecret

  • secretsmanager:RotateSecret

  • secretsmanager:DescribeSecret

  • secretsmanager:UpdateSecret

  • secretsmanager:DeleteSecret

  • secretsmanager:GetRandomPassword

  • secretsmanager:TagResource

If the user wants to pass a KMS key in the MasterPasswordSecretKmsKeyId parameter for provisioned clusters, or the AdminPasswordSecretKmsKeyId parameter for serverless namespaces, they require the following permissions in addition to the permissions listed above.

  • kms:Decrypt

  • kms:GenerateDataKey

  • kms:CreateGrant

  • kms:RetireGrant

Rotating the admin password secret

By default, Amazon Redshift automatically rotates your secret every 30 days so that your credentials don't stay the same for prolonged periods. When Amazon Redshift rotates an admin password secret, AWS Secrets Manager updates the existing secret to contain a new admin password, and Amazon Redshift changes the admin password for the cluster or namespace to match the password in the updated secret. The previous password stops working at that point, so any client that caches the retrieved password must fetch the secret again after a rotation rather than relying on a value it retrieved earlier.

You can rotate a secret immediately instead of waiting for a scheduled rotation by using AWS Secrets Manager. For more information on rotating secrets, see Rotate AWS Secrets Manager secrets in the AWS Secrets Manager User Guide.
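The following is an added example, not code from the Amazon Redshift documentation, that shows the client-side consequence of the rotation described above: a connection helper that retrieves the secret once, caches it, and refetches it exactly once when the database rejects the cached password. It uses only the Python standard library; the `fetch_secret` callable stands in for `get_secret_value` (`boto3.client("secretsmanager").get_secret_value(SecretId=...)["SecretString"]`), the `FakeRedshift` class stands in for the cluster, and the JSON field names in the constructed secret (`username`, `password`, `engine`, `host`, `port`) are assumed to match what Secrets Manager stores for a Redshift secret; verify them against a real secret in your account.

```python
import json
from dataclasses import dataclass
from typing import Callable, Optional


class AuthError(Exception):
    """Raised by the connect callable when the database rejects the password."""


@dataclass(frozen=True)
class AdminCredentials:
    username: str
    password: str
    host: str
    port: int


def parse_secret(secret_string: str) -> AdminCredentials:
    """Parse the JSON SecretString of a Redshift admin secret.

    Field names are an assumption based on the fields the documentation says
    are stored (credentials, engine, host, port); check them in your account.
    """
    data = json.loads(secret_string)
    if data.get("engine") != "redshift":
        raise ValueError("secret is not a Redshift credential secret")
    return AdminCredentials(
        username=data["username"],
        password=data["password"],
        host=data["host"],
        port=int(data["port"]),
    )


class RotatingCredentialClient:
    """Connect with a cached secret; refresh it once when authentication fails.

    fetch_secret: returns the SecretString. In production this wraps
        boto3.client("secretsmanager").get_secret_value(SecretId=arn)["SecretString"]
    connect: takes AdminCredentials and returns a connection, raising AuthError
        on a bad password (map your driver's auth exception to AuthError).
    """

    def __init__(self, fetch_secret: Callable[[], str],
                 connect: Callable[[AdminCredentials], object]) -> None:
        self._fetch_secret = fetch_secret
        self._connect = connect
        self._cached: Optional[AdminCredentials] = None
        self.fetch_count = 0  # how many times GetSecretValue was called

    def _credentials(self, refresh: bool = False) -> AdminCredentials:
        if self._cached is None or refresh:
            self._cached = parse_secret(self._fetch_secret())
            self.fetch_count += 1
        return self._cached

    def connect(self):
        try:
            return self._connect(self._credentials())
        except AuthError:
            # Cached password is stale (rotated since we fetched it): retrieve
            # the updated secret and retry exactly once. A second failure
            # propagates, so a genuinely wrong secret is not retried forever.
            return self._connect(self._credentials(refresh=True))


class FakeRedshift:
    """Constructed stand-in for a cluster: accepts only its current admin password."""

    def __init__(self, password: str) -> None:
        self.password = password

    def login(self, creds: AdminCredentials) -> str:
        if creds.password != self.password:
            raise AuthError("password authentication failed")
        return f"connected as {creds.username}@{creds.host}:{creds.port}"


def _secret(password: str) -> str:
    # Constructed SecretString with made-up host and password values.
    return json.dumps({
        "username": "admin", "password": password, "engine": "redshift",
        "host": "examplecluster.abc123.us-east-1.redshift.amazonaws.com",
        "port": 5439,
    })


def demo() -> tuple:
    """Simulate a rotation between connections; returns (first, second, fetches)."""
    secrets_manager = {"SecretString": _secret("OldPassw0rd")}
    cluster = FakeRedshift("OldPassw0rd")
    client = RotatingCredentialClient(lambda: secrets_manager["SecretString"], cluster.login)

    first = client.connect()   # one GetSecretValue call, result cached
    client.connect()           # served from cache, no extra call

    # Rotation: Secrets Manager updates the secret, Redshift changes the password.
    secrets_manager["SecretString"] = _secret("NewPassw0rd")
    cluster.password = "NewPassw0rd"

    second = client.connect()  # cached password fails -> refetch -> succeeds
    return first, second, client.fetch_count


if __name__ == "__main__":
    print(demo())
```

The single retry is deliberate: retrying until success would turn a revoked or mistyped secret into an unbounded stream of failed logins against the admin account, which is exactly the kind of noise you do not want in the audit log.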

Retrieving the secret’s Amazon Resource Name (ARN) in Amazon Redshift

You can view the Amazon Resource Name (ARN) for any secrets being managed by AWS Secrets Manager using the Amazon Redshift console. Once you have the secret’s ARN, you can view details about your secret and the encrypted data in your secret using AWS Secrets Manager. For more information on retrieving secrets using the ARN, see Retrieve secrets in the AWS Secrets Manager User Guide.

Viewing the details about a secret for an Amazon Redshift provisioned cluster

View the Amazon Resource Name (ARN) for your cluster's secret using the Amazon Redshift console with the following procedure:

  1. Sign in to the AWS Management Console and open the Amazon Redshift console.

  2. In the Cluster overview pane, choose the cluster whose secret you want to view.

  3. Choose the Properties tab.

  4. View the secret's ARN under Admin credentials ARN. This ARN is the identifier for the secret, which you can use in AWS Secrets Manager to view the secret's details.

Viewing the details about a secret for an Amazon Redshift Serverless namespace

View the Amazon Resource Name (ARN) for your serverless namespace's secret using the Amazon Redshift console with the following procedure:

  1. Sign in to the AWS Management Console and open the Amazon Redshift console.

  2. From the Provisioned clusters dashboard, choose Go to Serverless in the upper right of the page.

  3. From the Serverless dashboard, scroll to the Namespaces / Workgroups pane and choose the namespace whose secret you want to view.

  4. In the General information pane, view the secret's ARN under Admin credentials ARN. This ARN is the identifier for the secret, which you can use in AWS Secrets Manager to view the secret's details.

Creating a secret for database connection credentials

You can create a Secrets Manager secret to store credentials used to connect to an Amazon Redshift provisioned cluster or Redshift Serverless namespace and workgroup. You can also use this secret when scheduling a query in Amazon Redshift query editor v2.

To create a secret for a database in an Amazon Redshift provisioned cluster using the Secrets Manager console
  1. Open the Secrets Manager console (https://console.aws.amazon.com/secretsmanager/).

  2. Navigate to the list of Secrets and choose Store a new secret.

  3. Choose Credentials for Amazon Redshift data warehouse. Enter your information in the steps to create a secret as follows:

    • In Credentials for User name, enter the name of the administrative user of the data warehouse.

    • In Credentials for Password, enter the password for the User name.

    • For Encryption key, choose your encryption key.

    • For Data warehouse, choose the Amazon Redshift provisioned cluster that contains your data.

    • For Secret name, enter a name for the secret.

    • For Description, enter a description of the secret.

    • For Tags, enter a tag key that starts with the word Redshift. Amazon Redshift query editor v2 uses this tag to find secrets: when you connect to your data warehouse using the AWS Secrets Manager option, only secrets whose tag key starts with the string Redshift appear in the list.

  4. Continue entering information about your secret through several steps until you Store your changes on the Review step.

    The specific values of your credentials, engine, host, port, and cluster identifier are stored in the secret. Also, the secret is tagged with the tag key Redshift.

To create a secret for a database in a Redshift Serverless namespace using the Redshift Serverless console
  1. Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshiftv2/.

  2. Choose Redshift serverless and navigate to Namespace configuration.

  3. Choose a namespace for which to create secret credentials.

  4. Open Actions, Edit admin credentials.

  5. For Admin password, choose Manage admin credentials in AWS Secrets Manager.

  6. Choose Save changes to save your changes.

Confirm that a message appears that the password successfully changed. You can also view the secret in the Secrets Manager console. You can use this secret to connect to a database in a workgroup in the Redshift Serverless console and Amazon Redshift query editor v2, using the AWS Secrets Manager connection method. The secret must have a tag key that starts with the string Redshift for it to be listed under the AWS Secrets Manager option in query editor v2.

To create a secret for a database in a Redshift Serverless namespace using the Secrets Manager console
  1. Open the Secrets Manager console (https://console.aws.amazon.com/secretsmanager/).

  2. Navigate to the list of Secrets and choose Store a new secret.

  3. Choose Credentials for Amazon Redshift data warehouse. Enter your information in the steps to create a secret as follows:

    • In Credentials for User name, enter the name of the administrative user of the data warehouse.

    • In Credentials for Password, enter the password for the User name.

    • For Encryption key, choose your encryption key.

    • For Data warehouse, choose the Redshift Serverless namespace that contains your data.

    • For Secret name, enter a name for the secret.

    • For Description, enter a description of the secret.

    • For Tags, enter a tag key that starts with the word Redshift. Amazon Redshift query editor v2 uses this tag to find secrets: when you connect to your data warehouse using the AWS Secrets Manager option, only secrets whose tag key starts with the string Redshift appear in the list.

  4. Continue entering information about your secret through several steps until you Store your changes on the Review step.

    The specific values of your credentials, database name, host, port, namespace, and engine are stored in the secret. Also, the secret is tagged with the tag key Redshift.

To create a secret for a database in a Redshift Serverless namespace using the AWS CLI

You can use the AWS CLI to create a secret. One method is to use AWS CloudShell to run the Secrets Manager AWS CLI command as follows. You must have the proper permissions to run the AWS CLI commands shown in the following procedure.

  1. On the AWS console, open the AWS CloudShell command prompt. For more information about AWS CloudShell, see What is AWS CloudShell in the AWS CloudShell User Guide.

  2. For example, for the secret MyTestSecret, enter a Secrets Manager command to store the secret that is used to connect to a database or to schedule an Amazon Redshift query editor v2 query. Replace the following values in the command with values for your environment:

    • admin is the administrator user name for the data warehouse.

    • passw0rd is the password of the administrator.

    • dev is the initial database name in the data warehouse.

    • region is the AWS Region that contains the data warehouse. For example us-east-1.

    • 123456789012 is the AWS account ID.

    • namespace-id is the namespace identifier similar to c3928f0e-c889-4d2b-97a5-5738324d5d3e. You can find this identifier on the Amazon Redshift console details page for the serverless namespace.

    aws secretsmanager create-secret \
        --name MyTestSecret \
        --description "My test secret created with the CLI." \
        --secret-string "{\"username\":\"admin\",\"password\":\"passw0rd\",\"dbname\":\"dev\",\"engine\":\"redshift\"}" \
        --tags "[{\"Key\":\"redshift-serverless:namespaceArn\",\"Value\":\"arn:aws:redshift-serverless:region:123456789012:namespace/namespace-id\"}]"

Considerations using AWS Secrets Manager with Amazon Redshift

When using AWS Secrets Manager to manage your provisioned cluster or serverless namespace’s admin credentials, consider the following:

  • When you pause a cluster whose admin credentials are managed by AWS Secrets Manager, your cluster's secret won't be deleted and you'll continue to be billed for the secret. Secrets are only deleted when you delete the cluster.

  • If your cluster is paused when Amazon Redshift attempts to rotate its attached secret, the rotation will fail. In this case, Amazon Redshift stops auto-rotation and won’t try to rotate it again, even after you resume the cluster. You must restart the auto-rotation schedule using the secretsmanager:RotateSecret API call to continue having AWS Secrets Manager automatically rotate your secret.

  • If your serverless namespace doesn't have a workgroup associated with it when Amazon Redshift attempts to rotate its attached secret, the rotation fails and Amazon Redshift won't try to rotate the secret again, even after you attach a workgroup. You must restart the auto-rotation schedule using the secretsmanager:RotateSecret API call to continue having AWS Secrets Manager automatically rotate your secret.
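Because a rotation that fails while a cluster is paused (or while a namespace has no workgroup) silently stops the schedule, it is worth checking for stalled rotations rather than assuming the 30-day cadence holds. The following is an added example, not code from the Amazon Redshift documentation, that evaluates records shaped like DescribeSecret responses and flags secrets whose rotation is disabled or overdue. The field names (Name, RotationEnabled, RotationRules.AutomaticallyAfterDays, LastRotatedDate, NextRotationDate) are the real DescribeSecret response fields; the records themselves, their dates and the evaluation time are constructed. Whether a stopped schedule shows up as RotationEnabled=False or only as a NextRotationDate that never advances is an assumption, so the check covers both.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Optional

# Constructed evaluation time for the sample records.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed records shaped like DescribeSecret responses (real field names,
# made-up names, dates and scenarios).
SAMPLE_SECRETS = [
    {   # rotating normally: last rotation 10 days ago, next one in 20
        "Name": "cluster-a-admin",
        "RotationEnabled": True,
        "RotationRules": {"AutomaticallyAfterDays": 30},
        "LastRotatedDate": NOW - timedelta(days=10),
        "NextRotationDate": NOW + timedelta(days=20),
    },
    {   # cluster was paused when rotation was due: schedule stalled 15 days ago
        "Name": "cluster-b-admin",
        "RotationEnabled": True,
        "RotationRules": {"AutomaticallyAfterDays": 30},
        "LastRotatedDate": NOW - timedelta(days=45),
        "NextRotationDate": NOW - timedelta(days=15),
    },
    {   # no NextRotationDate reported: fall back to LastRotatedDate + interval
        "Name": "namespace-c-admin",
        "RotationEnabled": True,
        "RotationRules": {"AutomaticallyAfterDays": 30},
        "LastRotatedDate": NOW - timedelta(days=40),
    },
    {   # rotation switched off entirely
        "Name": "namespace-d-admin",
        "RotationEnabled": False,
        "LastRotatedDate": NOW - timedelta(days=5),
    },
]


def rotation_finding(secret: dict, now: datetime,
                     grace: timedelta = timedelta(days=1)) -> Optional[str]:
    """Return a finding if automatic rotation is off or overdue, else None.

    The deadline is NextRotationDate when present, otherwise
    LastRotatedDate + AutomaticallyAfterDays. A small grace period avoids
    flagging a rotation that is merely in progress on its due date.
    """
    name = secret["Name"]
    if not secret.get("RotationEnabled", False):
        return f"{name}: automatic rotation is not enabled"

    deadline = secret.get("NextRotationDate")
    if deadline is None:
        last = secret.get("LastRotatedDate")
        days = secret.get("RotationRules", {}).get("AutomaticallyAfterDays")
        if last is not None and days is not None:
            deadline = last + timedelta(days=days)
    if deadline is not None and now > deadline + grace:
        overdue = (now - deadline).days
        return (f"{name}: rotation overdue by {overdue} days; "
                f"call RotateSecret to restart the schedule")
    return None


def audit_secrets(secrets: Iterable[dict], now: datetime) -> Dict[str, str]:
    """Map secret name -> finding for every secret that needs attention."""
    findings = {}
    for secret in secrets:
        finding = rotation_finding(secret, now)
        if finding:
            findings[secret["Name"]] = finding
    return findings


if __name__ == "__main__":
    # With live data, build the records with
    #   boto3.client("secretsmanager").describe_secret(SecretId=arn)
    # for each Redshift-managed secret ARN, and remediate a stalled schedule
    # with rotate_secret(SecretId=arn) as the documentation describes.
    for line in audit_secrets(SAMPLE_SECRETS, NOW).values():
        print(line)
```

Run it on a schedule alongside your pause/resume automation, and treat any finding as an action item: the secret and the cluster still agree on the old password, but it has now been in use longer than the 30-day window that managing the secret was meant to enforce.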