Attacks against databases are one of the main threats to data security. For ApsaraDB RDS, Secrets Manager lets you configure dynamic ApsaraDB RDS secrets that are rotated automatically on a regular basis, which reduces the security threats that business data faces.

Architecture

When you use dynamic ApsaraDB RDS secrets, you do not need to configure static database account passwords for your applications. You create fully managed ApsaraDB RDS secrets and set the automatic rotation period in Secrets Manager. Applications then call the GetSecretValue operation to obtain the account password and use it to access the managed ApsaraDB RDS database. The password is valid only until the next rotation.
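
Because the password stops working at the next rotation, an application should cache it only briefly and refetch it when the database rejects it. The following Python code is an added example, not code from the original page or from Alibaba Cloud. Assumptions: `get_secret_value` is a hypothetical wrapper around the GetSecretValue call, the JSON field names `AccountName` and `AccountPassword` are an assumed shape for the returned secret value, and the in-memory secret store and database in `demo()` are constructed.

```python
import json
import time

class AuthError(Exception):
    """Stand-in for the database driver's access-denied error (hypothetical)."""

class RotatingCredentials:
    """Caches the secret briefly and refetches it when the database rejects it."""
    def __init__(self, get_secret_value, secret_name, ttl_seconds=300):
        self._get = get_secret_value      # hypothetical wrapper around GetSecretValue
        self._name = secret_name
        self._ttl = ttl_seconds           # keep well below the rotation period
        self._cached = None
        self._fetched_at = 0.0
    def current(self, force=False):
        stale = self._cached is None or time.monotonic() - self._fetched_at >= self._ttl
        if force or stale:
            # Assumed secret value shape: {"AccountName": ..., "AccountPassword": ...}
            data = json.loads(self._get(self._name))
            self._cached = (data["AccountName"], data["AccountPassword"])
            self._fetched_at = time.monotonic()
        return self._cached
    def connect(self, open_connection):
        try:
            return open_connection(*self.current())
        except AuthError:
            # Cached password was likely rotated out: refetch and retry exactly once.
            return open_connection(*self.current(force=True))

def demo():
    """Constructed simulation: in-memory stand-ins for Secrets Manager and the database."""
    state = {"version": 1, "fetches": 0}
    def fake_get_secret_value(name):
        state["fetches"] += 1
        return json.dumps({"AccountName": "app_user",
                           "AccountPassword": f"constructed-pw-v{state['version']}"})
    def fake_open(user, password):
        if password != f"constructed-pw-v{state['version']}":
            raise AuthError("access denied")
        return f"{user}@v{state['version']}"
    creds = RotatingCredentials(fake_get_secret_value, "rds/app_user")
    before = creds.connect(fake_open)
    state["version"] = 2                  # rotation happens between two connections
    after = creds.connect(fake_open)
    again = creds.connect(fake_open)      # served from cache, no extra fetch
    return before, after, again, state["fetches"]

if __name__ == "__main__":
    print(demo())
```

The single retry keeps a credential that is wrong for another reason from turning into a retry loop against the database.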

Limits

Dynamic ApsaraDB RDS secrets support only the following ApsaraDB RDS databases: ApsaraDB RDS for MySQL, ApsaraDB RDS for MariaDB TX, ApsaraDB RDS for SQL Server except for instances that run SQL Server 2017 EE, and ApsaraDB RDS for PostgreSQL.

Use a dynamic ApsaraDB RDS secret

To use a dynamic ApsaraDB RDS secret, perform the following steps:

  1. Create a dynamic ApsaraDB RDS secret
  2. Monitor the rotation of dynamic ApsaraDB RDS secrets
  3. Allow applications to access Secrets Manager