Configuring primary and replica secrets - AWS Secrets Manager

Before you can configure multi-Region secrets, you must enable the regions where you want to set up the replica secrets. For more information, see Managing AWS Regions.

Minimum permissions

To create a secret in the console, you must have these permissions:

  • The permissions granted by the SecretsManagerReadWrite AWS managed policy.

  • The permissions granted by the IAMFullAccess AWS managed policy – required only if you enable rotation for the secret.

  • kms:CreateKey – required only if you want Secrets Manager to create an AWS KMS customer master key (CMK).

  • kms:Encrypt – required only if you use a custom AWS KMS key to encrypt your secret instead of the default Secrets Manager CMK for your account. You don't need this permission to use the account default AWS managed CMK for Secrets Manager.

  • kms:Decrypt – required only if you use a custom AWS KMS key to encrypt your secret instead of the default Secrets Manager CMK for your account. You don't need this permission to use the account default AWS managed CMK for Secrets Manager.

  • kms:GenerateDataKey – required only if you use a custom AWS KMS key to encrypt your secret instead of the default Secrets Manager CMK for your account. You don't need this permission to use the account default AWS managed CMK for Secrets Manager.

Using the Secrets Manager console
  1. Sign in to the Secrets Manager console at https://console.aws.amazon.com/secretsmanager/.

  2. Choose Store a new secret.

  3. Choose the secret type.

  4. Enter the appropriate credentials for the secret type.

  5. Choose DefaultEncryptionKey from the Select the encryption key list.

  6. Choose the database instance if you selected a database secret.

  7. Choose Next.

  8. Enter a name for the secret in Secret name.

  9. (Optional) Enter a description, up to 250 characters, in the Description field.

  10. (Optional) Enter tags as a Key and a Value.

  11. Under Replicate Secret - optional, choose Replicate secret to other Regions.

  12. From the AWS Region list, select the Region or Regions to replicate the secret. You can add multiple Regions during this step.

  13. From the Encryption Key list, choose the key used to encrypt the secret. You can choose the default encryption key or a regional CMK.

  14. To add more Regions, choose Add more Regions and choose additional Regions and encryption keys.

    You must enable a Region before you can select it from the list.

  15. Choose Next.

  16. Choose Disable rotation.

    You can replicate a primary secret without configuring rotation for it.

    If you want to rotate the secret, choose Enable Rotation and add the appropriate information for rotating the secret.

  17. Choose Next.

  18. Review the settings. Secret Replication is enabled, and you can view the list of Replica Regions and the Encryption Key assigned to each Replica Region.

  19. Choose Create Secret.

After you create the secret, you can view your secrets on the Secrets page. A banner at the top of the console indicates if you successfully created the secret.

If replication fails, Secrets Manager displays a red banner with the failure reason. Choose View Details. See Retrying Replication for more information.

Using the AWS CLI or AWS SDK operations

The following AWS CLI command creates a secret and configures a replica secret in one step, which is the equivalent of the console-based replica configuration. It assumes you create the secret in US West (Oregon) and want to replicate it to US East (N. Virginia), encrypting the replica with the regional KMS key whose ID is given in KmsKeyId. The --add-replica-regions parameter takes one Region=...,KmsKeyId=... entry per replica; omit KmsKeyId to use that Region's default Secrets Manager key. The values in angle brackets are placeholders for your own credentials.

$ aws secretsmanager create-secret \
    --region us-west-2 \
    --name production/DBWest \
    --secret-string '{"username":"<db-user>","password":"<db-password>"}' \
    --add-replica-regions Region=us-east-1,KmsKeyId=1234abcd-12ab-34cd-56ef-1234567890ab

If the replication fails, see Retrying Replication for more information.
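The same procedure through the SDK, including the check of each replica's ReplicationStatus and a retry of any replica reported as Failed. This is an added example, not code from the AWS documentation; it assumes `client` is a boto3 `secretsmanager` client for the primary Region (for example `boto3.client("secretsmanager", region_name="us-west-2")`), and `FakeSecretsManager` is a constructed stand-in so the example runs offline.

```python
"""Create a replicated secret and verify each replica reaches InSync (added example)."""
import time

def replica_specs(replicas):
    """AddReplicaRegions list from {region: kms_key_id}; None omits KmsKeyId so the
    Region's default aws/secretsmanager key is used (the console's default choice)."""
    return [{"Region": r, **({"KmsKeyId": k} if k else {})} for r, k in replicas.items()]

def replication_state(client, secret_id):
    """Map each replica Region to (Status, StatusMessage) from DescribeSecret."""
    reply = client.describe_secret(SecretId=secret_id)
    return {s["Region"]: (s["Status"], s.get("StatusMessage", ""))
            for s in reply.get("ReplicationStatus", [])}

def create_replicated_secret(client, name, secret_string, replicas, attempts=3, wait=0.0):
    """Create the primary with replicas, poll DescribeSecret, and retry any replica
    that reports Failed via ReplicateSecretToRegions (console: Retry replication)."""
    client.create_secret(Name=name, SecretString=secret_string,
                         AddReplicaRegions=replica_specs(replicas))
    for _ in range(attempts):
        state = replication_state(client, name)
        if all(state.get(r, ("", ""))[0] == "InSync" for r in replicas):
            break
        failed = {r: k for r, k in replicas.items() if state.get(r, ("", ""))[0] == "Failed"}
        if failed:
            client.replicate_secret_to_regions(SecretId=name,
                                               AddReplicaRegions=replica_specs(failed))
        time.sleep(wait)  # give in-progress replicas time before the next check
    return replication_state(client, name)

class FakeSecretsManager:
    """Constructed stand-in for a boto3 'secretsmanager' client so the example runs
    offline: us-east-1 replicates at once, any other Region fails once, then succeeds."""
    def __init__(self):
        self.status, self.calls = {}, []
    def _reply(self):
        return {"ReplicationStatus": [{"Region": r, "Status": s, "StatusMessage": m}
                                      for r, (s, m) in self.status.items()]}
    def create_secret(self, **kw):
        self.calls.append("create_secret")
        for spec in kw["AddReplicaRegions"]:  # constructed outcome per Region
            self.status[spec["Region"]] = (("InSync", "") if spec["Region"] == "us-east-1"
                                           else ("Failed", "constructed failure"))
        return self._reply()
    def describe_secret(self, **kw):
        return self._reply()
    def replicate_secret_to_regions(self, **kw):
        self.calls.append("replicate_secret_to_regions")
        for spec in kw["AddReplicaRegions"]:
            self.status[spec["Region"]] = ("InSync", "")
        return self._reply()
```

With a real client, pass a non-zero `wait` so InProgress replicas are polled rather than retried immediately; only Failed replicas trigger ReplicateSecretToRegions.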