Create an AWS Secrets Manager database secret - AWS Secrets Manager

Create an AWS Secrets Manager database secret

To store credentials for Amazon RDS, Amazon Aurora, Amazon Redshift, or Amazon DocumentDB, follow these steps. When you use the AWS CLI or one of the SDKs to store the secret, you must provide the secret in the JSON structure of a database secret. When you use the console to store a database secret, Secrets Manager automatically creates it in the correct JSON structure.

When you store database credentials for a source database that is replicated to other Regions, the secret contains connection information for the source database. If you then replicate the secret, the replicas are copies of the source secret and contain the same connection information. You can add more key/value pairs to the secret for Region-specific connection information.

To create a secret, you need the permissions granted by the SecretsManagerReadWrite AWS managed policy.

To create a secret (console)

  1. Open the Secrets Manager console at https://console.aws.amazon.com/secretsmanager/.

  2. Choose Store a new secret.

  3. On the Choose secret type page, do the following:

    1. For Secret type, choose the type of database credentials to store:

      • Amazon RDS database (includes Aurora)

      • Amazon DocumentDB database

      • Amazon Redshift cluster

    2. For Credentials, enter the credentials for the database.

    3. For Encryption key, choose the AWS KMS key that Secrets Manager uses to encrypt the secret value:

      • In most cases, choose aws/secretsmanager to use the AWS managed key for Secrets Manager. There is no cost for using this key.

      • If you need to access the secret from another AWS account, or if you want to use your own KMS key so that you can rotate it or apply a key policy to it, choose a customer managed key from the list or choose Add new key to create one. You will be charged for KMS keys that you create.

        You must have the following permissions to the key: kms:Encrypt, kms:Decrypt, and kms:GenerateDataKey. For more information about cross-account access, see Permissions to AWS Secrets Manager secrets for users in a different account.

    4. For Database, choose your database.

    5. Choose Next.

  4. On the Configure secret page, do the following:

    1. Enter a descriptive Secret name and Description. Secret names must contain 1-512 Unicode characters.

    2. (Optional) In the Tags section, add tags to your secret. For tagging strategies, see Tag AWS Secrets Manager secrets. Don't store sensitive information in tags because they aren't encrypted.

    3. (Optional) In Resource permissions, to add a resource policy to your secret, choose Edit permissions. For more information, see Attach a permissions policy to an AWS Secrets Manager secret.

    4. (Optional) In Replicate secret, to replicate your secret to another AWS Region, choose Replicate secret. You can replicate your secret now or come back and replicate it later. For more information, see Replicate a secret to other Regions.

    5. Choose Next.

  5. (Optional) On the Configure rotation page, you can turn on automatic rotation. You can also keep rotation off for now and then turn it on later. For more information, see Rotate secrets. Choose Next.

  6. On the Review page, review your secret details, and then choose Store.

    Secrets Manager returns to the list of secrets. If your new secret doesn't appear, choose the refresh button.

AWS CLI

To create a secret by using the AWS CLI, first create a JSON file that contains your secret. For Secrets Manager to be able to rotate the secret, you must make sure the JSON matches the JSON structure of a database secret. For more information, see Set up automatic rotation for Amazon RDS, Amazon Redshift, or Amazon DocumentDB secrets using the console.

Then use the create-secret operation to store the secret in Secrets Manager.

To create a secret

  1. Create your secret in a file, for example a JSON file named mycreds.json.

    {
      "engine": "mysql",
      "host": "<instance host name/resolvable DNS name>",
      "username": "<username>",
      "password": "<password>",
      "dbname": "<database name. If not specified, defaults to None>",
      "port": "<TCP port number. If not specified, defaults to 3306>"
    }

  2. In the AWS CLI, use the following command.

    $ aws secretsmanager create-secret --name MySecret --secret-string file://mycreds.json

    The following shows the output.

    {
      "SecretARN": "arn:aws:secretsmanager:Region:AccountId:secret:MySecret-a1b2c3",
      "SecretName": "MySecret",
      "SecretVersionId": "EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE"
    }

AWS SDK

To create a secret by using one of the AWS SDKs, use the CreateSecret action. For more information, see AWS SDKs.
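The following Python script is an added example, not AWS's own code or a sample from this page: it builds the database-secret JSON structure shown in the AWS CLI section, rejects values that would make the secret unusable for rotation, and stores it with the SDK's CreateSecret action through boto3. The function names, the KNOWN_ENGINES set (the page itself only shows "mysql"), and the sample host and key alias are assumptions.

```python
import json

# Keys that Secrets Manager's managed rotation functions read from a database
# secret, taken from the mycreds.json structure shown in the CLI section.
REQUIRED_KEYS = ("engine", "host", "username", "password")
# Assumption: engine values the managed rotation templates recognise.
KNOWN_ENGINES = {"mysql", "postgres", "mariadb", "oracle", "sqlserver", "redshift", "mongo"}


def build_db_secret(engine, host, username, password, dbname=None, port=None):
    """Return the secret string in the database-secret JSON structure.

    Raises ValueError on anything rotation would later fail on, so the problem
    surfaces before create-secret rather than at the first rotation attempt.
    """
    if engine not in KNOWN_ENGINES:
        raise ValueError(f"unknown engine {engine!r}")
    for key, value in (("host", host), ("username", username), ("password", password)):
        if not isinstance(value, str) or not value.strip():
            raise ValueError(f"{key} must be a non-empty string")
    doc = {"engine": engine, "host": host, "username": username, "password": password}
    if dbname is not None:
        doc["dbname"] = dbname          # omitted: rotation treats it as None
    if port is not None:
        if not 0 < int(port) < 65536:   # int() raises ValueError on junk
            raise ValueError(f"invalid port {port!r}")
        doc["port"] = str(port)         # stored as a string, as in the page's example
    return json.dumps(doc)


def store_db_secret(name, secret_string, kms_key_id=None, tags=None, client=None):
    """Store the secret via CreateSecret; `client` is injected so this runs without AWS access."""
    if client is None:
        import boto3  # assumption: boto3 installed and AWS credentials configured
        client = boto3.client("secretsmanager")
    kwargs = {"Name": name, "SecretString": secret_string}
    if kms_key_id:
        kwargs["KmsKeyId"] = kms_key_id  # customer managed key, e.g. for cross-account access
    if tags:
        # Tags are not encrypted, so only non-sensitive labels belong here.
        kwargs["Tags"] = [{"Key": k, "Value": v} for k, v in tags.items()]
    return client.create_secret(**kwargs)


if __name__ == "__main__":
    # Constructed sample values; replace the host, password and key alias with your own.
    secret = build_db_secret("mysql", "mydb.example.internal", "admin", "CHANGE_ME",
                             dbname="app", port=3306)
    print(store_db_secret("MySecret", secret, kms_key_id="alias/my-secrets-key"))
```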