JSON structure of AWS Secrets Manager secrets - AWS Secrets Manager

You can store any text or binary in Secrets Manager secrets. If you want to turn on automatic rotation for a Secrets Manager secret, it must be in the correct JSON structure. During rotation, Secrets Manager uses the information in the secret to connect to the credential source and update the credentials there.

Note that when you use the console to store a database secret, Secrets Manager automatically creates it in the correct JSON structure.

You can add more key/value pairs to a secret, for example in a database secret, to contain connection information for replica databases in other Regions.

Amazon RDS MariaDB secret structure

{
  "engine": "mariadb",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "port": "<TCP port number. If not specified, defaults to 3306>"
}

To use the Rotation strategy: alternating users, also include the name-value pair:

"masterarn": "<the ARN of the elevated secret>"

Amazon RDS MySQL secret structure

{
  "engine": "mysql",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "port": "<TCP port number. If not specified, defaults to 3306>"
}

To use the Rotation strategy: alternating users, also include the name-value pair:

"masterarn": "<the ARN of the elevated secret>"

Amazon RDS Oracle secret structure

{
  "engine": "oracle",
  "host": "<required: instance host name/resolvable DNS name>",
  "username": "<required: username>",
  "password": "<required: password>",
  "dbname": "<required: database name>",
  "port": "<optional: TCP port number. If not specified, defaults to 1521>"
}

To use the Rotation strategy: alternating users, also include the name-value pair:

"masterarn": "<the ARN of the elevated secret>"

Amazon RDS PostgreSQL secret structure

{
  "engine": "postgres",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to 'postgres'>",
  "port": "<TCP port number. If not specified, defaults to 5432>"
}

To use the Rotation strategy: alternating users, also include the name-value pair:

"masterarn": "<the ARN of the elevated secret>"

Amazon RDS Microsoft SQLServer secret structure

{
  "engine": "sqlserver",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to 'master'>",
  "port": "<TCP port number. If not specified, defaults to 1433>"
}

To use the Rotation strategy: alternating users, also include the name-value pair:

"masterarn": "<the ARN of the elevated secret>"

Amazon DocumentDB secret structure

{
  "engine": "mongo",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "port": "<TCP port number. If not specified, defaults to 27017>"
}

To use the Rotation strategy: alternating users, also include the name-value pair:

"masterarn": "<the ARN of the elevated secret>"

Amazon Redshift secret structure

{
  "engine": "redshift",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "port": "<TCP port number. If not specified, defaults to 5439>"
}

To use the Rotation strategy: alternating users, also include the name-value pair:

"masterarn": "<the ARN of the elevated secret>"

Amazon ElastiCache secret structure

{
  "password": "<password>",
  "username": "<username>",
  "user_arn": "ARN of the Amazon EC2 user"
}

For more information, see Automatically rotating passwords for users in the Amazon ElastiCache User Guide.
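
A check to run on a database secret string before turning on rotation, covering the database structures above. This is an added example, not AWS code: the function and constant names are hypothetical, and it assumes engine, host, username and password must be non-empty for every engine (the page marks fields as required only for Oracle).

```python
import json

# Engine names and default ports as listed on this page.
DEFAULT_PORTS = {
    "mariadb": 3306, "mysql": 3306, "oracle": 1521, "postgres": 5432,
    "sqlserver": 1433, "mongo": 27017, "redshift": 5439,
}
# Default dbname where the page states one; other engines default to None.
DEFAULT_DBNAMES = {"postgres": "postgres", "sqlserver": "master"}
# Assumption: these keys must be present and non-empty for rotation to connect.
REQUIRED = ("engine", "host", "username", "password")


def check_db_secret(secret_string, alternating_users=False):
    """Return (normalized_secret, problems); problems never echo the password."""
    try:
        secret = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        return None, [f"not valid JSON: {exc.msg}"]
    if not isinstance(secret, dict):
        return None, ["top-level JSON value must be an object"]

    problems = [f"missing or empty key: {k}" for k in REQUIRED if not secret.get(k)]
    engine = secret.get("engine")
    known = isinstance(engine, str) and engine in DEFAULT_PORTS
    if engine and not known:
        problems.append(f"unknown engine: {engine!r}")
    if engine == "oracle" and not secret.get("dbname"):
        problems.append("missing or empty key: dbname (required for oracle)")
    if alternating_users and not str(secret.get("masterarn", "")).startswith("arn:"):
        problems.append("alternating users strategy needs a masterarn ARN")

    normalized = dict(secret)
    try:
        normalized["port"] = int(secret.get("port") or (DEFAULT_PORTS[engine] if known else 0))
    except (TypeError, ValueError):
        problems.append(f"port is not a number: {secret.get('port')!r}")
    else:
        if known and not 0 < normalized["port"] < 65536:
            problems.append(f"port out of range: {normalized['port']}")
    normalized.setdefault("dbname", DEFAULT_DBNAMES.get(engine) if known else None)
    return normalized, problems


# Constructed sample with placeholder values only, not a real secret.
SAMPLE = (
    '{"engine": "postgres", "host": "db.example.internal", '
    '"username": "app", "password": "placeholder"}'
)
```

An empty problems list means the string parses and carries the keys the rotation function reads; it does not prove the credentials themselves work.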