JSON structure of AWS Secrets Manager secrets - AWS Secrets Manager

JSON structure of AWS Secrets Manager secrets

You can store any text or binary value in a Secrets Manager secret. To turn on automatic rotation, however, the secret value must be a JSON object in the structure shown below for its engine: during rotation, Secrets Manager's rotation function reads these keys to connect to the credential source and update the credentials there, so a secret that is missing a key, or that stores port as a quoted string instead of a number, fails rotation. The JSON key names are case-sensitive; a key such as Host or PASSWORD is not recognized.

Note that when you use the console to store a database secret, Secrets Manager automatically creates it in the correct JSON structure.

You can add more key/value pairs to a secret, for example in a database secret, to contain connection information for replica databases in other Regions.

Amazon RDS Db2 secret structure

For Amazon RDS Db2 instances, users can't change their own passwords, so you must always provide admin credentials in a separate secret and reference it with masterarn. RDS for Db2 instances listen on port 50000 by default, so set port explicitly to the port your instance uses rather than relying on the fallback shown below.

{
  "engine": "db2",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "port": <TCP port number. If not specified, defaults to 3306>,
  "masterarn": "<the ARN of the elevated secret>"
}

Amazon RDS MariaDB secret structure

{
  "engine": "mariadb",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "port": <TCP port number. If not specified, defaults to 3306>
}

To use the Rotation strategy: alternating users, you include the masterarn for the secret that contains admin or superuser credentials.

{
  "engine": "mariadb",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "port": <TCP port number. If not specified, defaults to 3306>,
  "masterarn": "<the ARN of the elevated secret>"
}

Amazon RDS and Amazon Aurora MySQL secret structure

{
  "engine": "mysql",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "port": <TCP port number. If not specified, defaults to 3306>
}

To use the Rotation strategy: alternating users, you include the masterarn for the secret that contains admin or superuser credentials.

{
  "engine": "mysql",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "port": <TCP port number. If not specified, defaults to 3306>,
  "masterarn": "<the ARN of the elevated secret>"
}

Amazon RDS Oracle secret structure

{
  "engine": "oracle",
  "host": "<required: instance host name/resolvable DNS name>",
  "username": "<required: username>",
  "password": "<required: password>",
  "dbname": "<required: database name>",
  "port": <optional: TCP port number. If not specified, defaults to 1521>
}

To use the Rotation strategy: alternating users, you include the masterarn for the secret that contains admin or superuser credentials.

{
  "engine": "oracle",
  "host": "<required: instance host name/resolvable DNS name>",
  "username": "<required: username>",
  "password": "<required: password>",
  "dbname": "<required: database name>",
  "port": <optional: TCP port number. If not specified, defaults to 1521>,
  "masterarn": "<the ARN of the elevated secret>"
}

Amazon RDS and Amazon Aurora PostgreSQL secret structure

{
  "engine": "postgres",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to 'postgres'>",
  "port": <TCP port number. If not specified, defaults to 5432>
}

To use the Rotation strategy: alternating users, you include the masterarn for the secret that contains admin or superuser credentials.

{
  "engine": "postgres",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to 'postgres'>",
  "port": <TCP port number. If not specified, defaults to 5432>,
  "masterarn": "<the ARN of the elevated secret>"
}

Amazon RDS Microsoft SQLServer secret structure

{
  "engine": "sqlserver",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to 'master'>",
  "port": <TCP port number. If not specified, defaults to 1433>
}

To use the Rotation strategy: alternating users, you include the masterarn for the secret that contains admin or superuser credentials.

{
  "engine": "sqlserver",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to 'master'>",
  "port": <TCP port number. If not specified, defaults to 1433>,
  "masterarn": "<the ARN of the elevated secret>"
}

Amazon DocumentDB secret structure

{
  "engine": "mongo",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "port": <TCP port number. If not specified, defaults to 27017>,
  "ssl": <true|false. If not specified, defaults to false>
}

To use the Rotation strategy: alternating users, you include the masterarn for the secret that contains admin or superuser credentials.

{
  "engine": "mongo",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "port": <TCP port number. If not specified, defaults to 27017>,
  "masterarn": "<the ARN of the elevated secret>",
  "ssl": <true|false. If not specified, defaults to false>
}

Amazon Redshift secret structure

{
  "engine": "redshift",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "port": <TCP port number. If not specified, defaults to 5439>
}

To use the Rotation strategy: alternating users, you include the masterarn for the secret that contains admin or superuser credentials.

{
  "engine": "redshift",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "port": <TCP port number. If not specified, defaults to 5439>,
  "masterarn": "<the ARN of the elevated secret>"
}

Amazon Redshift Serverless secret structure

{
  "engine": "redshift",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "namespaceName": "<namespace name>",
  "port": <TCP port number. If not specified, defaults to 5439>
}

To use the Rotation strategy: alternating users, you include the masterarn for the secret that contains admin or superuser credentials.

{
  "engine": "redshift",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "namespaceName": "<namespace name>",
  "port": <TCP port number. If not specified, defaults to 5439>,
  "masterarn": "<the ARN of the elevated secret>"
}

Amazon ElastiCache secret structure

{
  "password": "<password>",
  "username": "<username>",
  "user_arn": "<ARN of the Amazon ElastiCache user>"
}

For more information, see Automatically rotating passwords for users in the Amazon ElastiCache User Guide.
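Because a malformed secret only surfaces as a failed rotation, it is worth checking the secret value against these structures before you enable rotation. The following checker is an added example written for this page, not AWS code: the engine names, key names and port fallbacks come from the structures above, while the ARN shape checks, the Db2 port warning and the constructed sample secrets (made-up hosts, account IDs and ARNs) are the example's own assumptions. It covers every database structure on the page plus the ElastiCache structure, so one run validates whichever secret you have.

```python
"""Offline checker for the Secrets Manager JSON structures on this page (added example)."""
import json

REQUIRED = ("engine", "host", "username", "password")
OPTIONAL = ("dbname", "port", "masterarn", "ssl", "namespaceName")
# Port the rotation function falls back to when "port" is absent, per the page.
DEFAULT_PORT = {"mariadb": 3306, "mysql": 3306, "oracle": 1521, "postgres": 5432,
                "sqlserver": 1433, "mongo": 27017, "redshift": 5439, "db2": 3306}


def _parse(secret_string):
    """Return (doc, error): the value must be a JSON object, not free text or binary."""
    try:
        doc = json.loads(secret_string)
    except (TypeError, ValueError) as exc:
        return None, f"SecretString is not valid JSON: {exc}"
    return (doc, None) if isinstance(doc, dict) else (None, "SecretString must be a JSON object")


def _is_arn(value, service):
    """Assumed ARN shape arn:<partition>:<service>:<region>:<account>:<resource>."""
    parts = value.split(":") if isinstance(value, str) else []
    return len(parts) >= 6 and parts[0] == "arn" and parts[2] == service


def validate_db_secret(secret_string, alternating_users=False, redshift_serverless=False):
    """Return (errors, warnings); rotation can only succeed when errors is empty."""
    errors, warnings = [], []
    doc, err = _parse(secret_string)
    if err:
        return [err], warnings
    # Key names are case-sensitive: "Host" or "PASSWORD" is silently ignored by rotation.
    for key in doc:
        for expected in REQUIRED + OPTIONAL:
            if key != expected and key.lower() == expected.lower():
                errors.append(f"key {key!r} has the wrong case; expected {expected!r}")
    for key in REQUIRED:
        if not isinstance(doc.get(key), str) or not doc.get(key):
            errors.append(f"{key!r} is required and must be a non-empty string")
    engine = doc.get("engine")
    if engine not in DEFAULT_PORT:
        errors.append(f"unknown engine {engine!r}; expected one of {sorted(DEFAULT_PORT)}")
        return errors, warnings
    if "port" in doc:
        port = doc["port"]
        # A quoted "5432" is a JSON string, not a number, and breaks the rotation function.
        if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
            errors.append("'port' must be an unquoted integer between 1 and 65535")
    elif engine == "db2":
        # RDS for Db2 listens on 50000 by default, so the documented 3306 fallback rarely fits.
        warnings.append("'port' absent; set it explicitly (RDS for Db2 defaults to 50000)")
    else:
        warnings.append(f"'port' absent; rotation will use {DEFAULT_PORT[engine]}")
    if "dbname" in doc and not isinstance(doc["dbname"], str):
        errors.append("'dbname' must be a string")
    if engine == "oracle" and not doc.get("dbname"):
        errors.append("'dbname' is required for oracle")
    # Db2 always needs admin credentials; other engines only under alternating users.
    if (alternating_users or engine == "db2") and not _is_arn(doc.get("masterarn"), "secretsmanager"):
        errors.append("'masterarn' must be the ARN of the Secrets Manager secret with admin credentials")
    if engine == "mongo" and "ssl" in doc and not isinstance(doc["ssl"], bool):
        errors.append("'ssl' must be a JSON boolean (true/false), not a quoted string")
    if redshift_serverless:
        if engine != "redshift":
            errors.append("Redshift Serverless secrets use engine 'redshift'")
        if not isinstance(doc.get("namespaceName"), str) or not doc["namespaceName"]:
            errors.append("'namespaceName' is required for Redshift Serverless")
    # Extra keys (replica hosts, for example) are allowed; rotation simply ignores them.
    extra = sorted(set(doc) - set(REQUIRED) - set(OPTIONAL))
    if extra:
        warnings.append(f"extra keys present and ignored by rotation: {extra}")
    return errors, warnings


def validate_elasticache_secret(secret_string):
    """ElastiCache secrets carry no engine or host; rotation needs username, password, user_arn."""
    doc, err = _parse(secret_string)
    if err:
        return [err]
    errors = [f"{k!r} is required and must be a non-empty string"
              for k in ("username", "password") if not isinstance(doc.get(k), str) or not doc.get(k)]
    # Assumed shape: arn:<partition>:elasticache:<region>:<account>:user:<user-id>
    arn = doc.get("user_arn")
    if not _is_arn(arn, "elasticache") or not arn.split(":", 5)[5].startswith("user:"):
        errors.append("'user_arn' must be the ARN of the ElastiCache user")
    return errors


# Constructed sample secrets for a dry run; hosts, account IDs and ARNs are made up.
GOOD_MYSQL = json.dumps({
    "engine": "mysql", "host": "db.example.internal", "username": "app",
    "password": "s3cret", "dbname": "orders", "port": 3306,
    "masterarn": "arn:aws:secretsmanager:us-east-1:123456789012:secret:admin-AbCdEf",
    "replica_host": "db-ro.example.internal"})
BAD_SQLSERVER = json.dumps({  # wrong-case key, quoted port, no masterarn
    "engine": "sqlserver", "host": "mssql.example.internal", "username": "app",
    "password": "s3cret", "Port": "1433", "dbname": "master"})
GOOD_ELASTICACHE = json.dumps({
    "username": "cache-user", "password": "s3cret",
    "user_arn": "arn:aws:elasticache:us-east-1:123456789012:user:cache-user"})

if __name__ == "__main__":
    for label, secret in (("mysql", GOOD_MYSQL), ("sqlserver", BAD_SQLSERVER)):
        print(label, validate_db_secret(secret, alternating_users=True))
    print("elasticache", validate_elasticache_secret(GOOD_ELASTICACHE))
```

In practice you would pass the SecretString returned by GetSecretValue into validate_db_secret with alternating_users set to match the rotation strategy you are configuring; the mysql sample passes with only a warning about the extra replica key, while the SQL Server sample reports the wrong-case Port key and the missing masterarn, which is exactly what a failed rotation would otherwise tell you much later.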