JSON structure of AWS Secrets Manager database credential secrets - AWS Secrets Manager

JSON structure of AWS Secrets Manager database credential secrets

If you want to turn on automatic rotation in Secrets Manager for a database credential secret, the secret must be in the correct JSON structure. During rotation, Secrets Manager uses the information in the secret to connect to the database and update the credentials there. When you use the AWS CLI or one of the SDKs to store a secret, you must provide the secret in one of the following structures. When you use the console to store a database secret, Secrets Manager automatically creates it in the correct JSON structure.

You can add more key/value pairs to a database secret, for example to contain connection information for replica databases in other Regions.

Amazon RDS MariaDB secret structure

{
  "engine": "mariadb",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "port": "<TCP port number. If not specified, defaults to 3306>"
}

To use the Alternating users rotation strategy, also include the name-value pair:

"masterarn": "<the ARN of the elevated secret>"

Amazon RDS MySQL secret structure

{
  "engine": "mysql",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "port": "<TCP port number. If not specified, defaults to 3306>"
}

To use the Alternating users rotation strategy, also include the name-value pair:

"masterarn": "<the ARN of the elevated secret>"

Amazon RDS Oracle secret structure

{
  "engine": "oracle",
  "host": "<required: instance host name/resolvable DNS name>",
  "username": "<required: username>",
  "password": "<required: password>",
  "dbname": "<required: database name>",
  "port": "<optional: TCP port number. If not specified, defaults to 1521>"
}

To use the Alternating users rotation strategy, also include the name-value pair:

"masterarn": "<the ARN of the elevated secret>"

Amazon RDS PostgreSQL secret structure

{
  "engine": "postgres",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to 'postgres'>",
  "port": "<TCP port number. If not specified, defaults to 5432>"
}

To use the Alternating users rotation strategy, also include the name-value pair:

"masterarn": "<the ARN of the elevated secret>"

Amazon RDS Microsoft SQLServer secret structure

{
  "engine": "sqlserver",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to 'master'>",
  "port": "<TCP port number. If not specified, defaults to 1433>"
}

To use the Alternating users rotation strategy, also include the name-value pair:

"masterarn": "<the ARN of the elevated secret>"

Amazon DocumentDB secret structure

{
  "engine": "mongo",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "port": "<TCP port number. If not specified, defaults to 27017>"
}

To use the Alternating users rotation strategy, also include the name-value pair:

"masterarn": "<the ARN of the elevated secret>"

Amazon Redshift secret structure

{
  "engine": "redshift",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "port": "<TCP port number. If not specified, defaults to 5439>"
}

To use the Alternating users rotation strategy, also include the name-value pair:

"masterarn": "<the ARN of the elevated secret>"
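A pre-flight check for the structures above, written as an added example (not AWS code and not part of the rotation functions): it parses a SecretString offline, enforces the required keys, applies each engine's documented defaults for dbname and port, and, when the Alternating users strategy is intended, confirms that masterarn is present. The engine table and the sample host value are taken from or constructed for this page.

```python
"""Validate a Secrets Manager database-credential SecretString before
enabling rotation. Added example; the defaults mirror the structures
documented above. Runs offline and never calls AWS."""
import json

# engine -> (default dbname or None, default TCP port), as documented above.
# Oracle has no dbname default: the page marks it required.
DEFAULTS = {
    "mariadb": (None, 3306),
    "mysql": (None, 3306),
    "oracle": (None, 1521),
    "postgres": ("postgres", 5432),
    "sqlserver": ("master", 1433),
    "mongo": (None, 27017),
    "redshift": (None, 5439),
}
REQUIRED = ("engine", "host", "username", "password")


def validate_db_secret(secret_string, alternating_users=False):
    """Return a normalized copy of the secret (dbname/port filled in, port as
    a string as rotation expects) or raise ValueError naming the defect."""
    try:
        secret = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        raise ValueError(f"SecretString is not valid JSON: {exc}")
    if not isinstance(secret, dict):
        raise ValueError("SecretString must be a JSON object")
    missing = [k for k in REQUIRED if not secret.get(k)]
    if missing:
        raise ValueError(f"missing required keys: {missing}")
    engine = secret["engine"]
    if engine not in DEFAULTS:
        raise ValueError(f"unsupported engine {engine!r}")
    default_db, default_port = DEFAULTS[engine]
    if engine == "oracle" and not secret.get("dbname"):
        raise ValueError("oracle secrets must include dbname")
    port = int(secret.get("port") or default_port)  # str or int accepted
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if alternating_users and not str(secret.get("masterarn", "")).startswith("arn:"):
        raise ValueError("alternating users rotation requires masterarn (an ARN)")
    normalized = dict(secret)
    if default_db is not None and not normalized.get("dbname"):
        normalized["dbname"] = default_db
    normalized["port"] = str(port)
    return normalized


if __name__ == "__main__":
    # Constructed sample: a single-user PostgreSQL secret with no dbname/port.
    sample = '{"engine": "postgres", "host": "db.example.internal", "username": "app", "password": "example-password"}'
    print(validate_db_secret(sample))
```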