Secrets Manager helps you store, manage, and rotate secrets — such as database passwords, AccessKey pairs, and SSH keys — throughout their time-to-live (TTL) periods. Applications retrieve secrets at runtime via API, eliminating the need to hardcode sensitive values in source code or configuration files.
How it works

The following example shows how an application retrieves database credentials from Secrets Manager:
1. A system administrator configures a username and password in a database for application MyApp.
2. The administrator creates a secret MyDbCreds in Secrets Manager to store the username and password.
3. When MyApp needs to access the database, it sends a request for MyDbCreds to Secrets Manager.
4. Secrets Manager reads the credentials in ciphertext, decrypts them, and returns the plaintext to MyApp over HTTPS.
5. MyApp parses the plaintext to get the username and password, then uses them to access the database.
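The application side of this flow, as an added example that is not code from this page or from the product: MyApp fetches MyDbCreds by name, parses it, and re-fetches once if the database rejects the login after a rotation. Assumptions: `fetch` stands in for the real Secrets Manager call, the secret value is a JSON object with `username` and `password` keys, the database signals a rejected login with `PermissionError`, and all class and function names are hypothetical.

```python
import json
import time

class DbCredentials:
    def __init__(self, username, password):
        self.username, self.password = username, password
    def __repr__(self):  # keep the password out of logs and tracebacks
        return f"DbCredentials(username={self.username!r}, password=<redacted>)"

def parse_secret(plaintext):
    # Assumption: the secret value is a JSON object with these two keys.
    try:
        data = json.loads(plaintext)
        return DbCredentials(str(data["username"]), str(data["password"]))
    except (ValueError, KeyError, TypeError):  # never echo the plaintext
        raise ValueError("secret is not in the expected JSON layout") from None

class SecretProvider:  # fetch by name at runtime, cache for max_age seconds
    def __init__(self, fetch, name, max_age=300.0):
        self._fetch, self._name, self._max_age = fetch, name, max_age
        self._creds, self._at = None, 0.0
    def get(self, force_refresh=False):
        stale = time.monotonic() - self._at >= self._max_age
        if force_refresh or self._creds is None or stale:
            self._creds = parse_secret(self._fetch(self._name))
            self._at = time.monotonic()
        return self._creds

def connect_with_rotation(provider, connect):
    """Use cached credentials; on a rejected login re-fetch once and retry."""
    creds = provider.get()
    try:
        return connect(creds.username, creds.password)
    except PermissionError:  # assumed login-failure signal: secret was rotated
        creds = provider.get(force_refresh=True)
        return connect(creds.username, creds.password)

def demo():
    # Constructed stand-ins for Secrets Manager (store) and the database.
    store = {"MyDbCreds": '{"username": "myapp", "password": "old-pw"}'}
    db_password = ["old-pw"]
    def connect(user, pw):
        if pw != db_password[0]:
            raise PermissionError("login failed")
        return f"connected as {user}"
    provider = SecretProvider(store.__getitem__, "MyDbCreds")
    first = connect_with_rotation(provider, connect)
    db_password[0] = "new-pw"  # rotation updates the database and the secret
    store["MyDbCreds"] = '{"username": "myapp", "password": "new-pw"}'
    return first, connect_with_rotation(provider, connect)
```

The short cache keeps the number of secret reads down, and the single forced refresh bounds how long a rotated password can keep failing.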
In this flow, MyApp calls a Secrets Manager API to retrieve credentials at runtime. The following figure compares this approach with hardcoding secrets directly in application code.

Features
Secret encryption
Secrets Manager encrypts secrets using customer master keys (CMKs) in Key Management Service (KMS). Specify a CMK, or let Secrets Manager use an independent CMK it generates automatically per account per region.
Dynamic secret retrieval
Applications read secrets dynamically at runtime using Secrets Manager Client, always getting the latest secret. Applications can use secrets in a codeless or low-code way.
Automatic secret rotation
Secrets Manager supports out-of-the-box automatic rotation for supported secret types. For other types, trigger rotation on a custom schedule using Function Compute. A one-off manual rotation does not affect applications.
Access control and audit
Use Resource Access Management (RAM) to control who can access each secret. Use ActionTrail to audit secret operations, including reads and rotations.
Use cases
Database credential management
Store ApsaraDB RDS database account passwords as dynamic secrets and rotate them automatically, without changing application code.
Infrastructure access management
Store and rotate Elastic Compute Service (ECS) instance passwords and SSH keys centrally.
Application secrets at scale
Use API operations and infrastructure-as-code tools such as Terraform and Resource Orchestration Service (ROS) to manage secrets across large environments programmatically.
Get started
Manage secrets
Select the secret type that matches your scenario, then create and configure rotation:
Rotate ApsaraDB RDS database account passwords automatically: Manage dynamic ApsaraDB RDS secrets
Rotate RAM user AccessKey pairs automatically: Manage dynamic RAM secrets
Rotate ECS instance passwords and SSH keys automatically: Manage dynamic ECS secrets
Store and manage generic secrets: Manage generic secrets
Connect an application
Connect your application to Secrets Manager using KMS SDKs, Secrets Manager Client, or the Kubernetes plug-in. Applications retrieve secret values by secret name at runtime. For details, see Connect an application to Secrets Manager.