You can create a dynamic ApsaraDB RDS secret that Key Management Service (KMS) rotates automatically on a schedule. Regular rotation limits how long a leaked database credential remains usable. This topic shows you how to create a dynamic ApsaraDB RDS secret, delete a dynamic ApsaraDB RDS secret, and restore a dynamic ApsaraDB RDS secret that is scheduled for deletion in the KMS console.

Prerequisites

  • An ApsaraDB RDS instance is created. For more information, see Create an ApsaraDB RDS for MySQL instance.
  • If a RAM user or RAM role is used to manage secrets, the system policy AliyunKMSSecretAdminAccess is attached to the RAM user or RAM role. This policy grants the following permissions to the RAM user or RAM role:
    • The permission to use the features of Secrets Manager.
    • The permissions to query ApsaraDB RDS instances and manage accounts.
    • The permission to create the service-linked role used by managed ApsaraDB RDS secrets.

Create a dynamic ApsaraDB RDS secret

  1. Log on to the KMS console.
  2. In the upper-left corner of the page, select the region in which you want to create a secret.
  3. In the left-side navigation pane, click Secrets.
  4. Click Create Secret.
  5. In the Create Secret dialog box, set the parameters and click Next.
    • Select Type: Select Managed Credential for RDS.
    • Secret name: Enter the name of the secret.
    • Select RDS Instance: Select an existing ApsaraDB RDS instance within your Alibaba Cloud account.
    • Set Secret Value: Select the mode in which the secret is managed and configure the secret value.
      • Manage Dual Account (recommended): This mode applies to the scenario in which applications use the secret to access the ApsaraDB RDS instance. In this mode, KMS manages two accounts with identical permissions and rotates their passwords in turn, so the account referenced by the previous secret version keeps its password while the other account receives the new one. Applications that still hold the previous credential therefore keep working until they fetch the new version, and connections are not interrupted when the secret is rotated.
        • Click the One-click creation and authorization tab, specify an account prefix, select a database, and then specify the permissions.
          Note KMS does not immediately create the accounts. KMS creates the accounts after you review and confirm the secret information.
        • Click the Import existing accounts tab, select accounts, and then specify passwords of the accounts.
          Note We recommend that you specify the same passwords that you set for the accounts when you created the ApsaraDB RDS instance. If the password that you specify for an imported account is wrong, the secret value does not match the account until the first rotation, which resets the account password and stores the new value in the secret.
      • Manage Single Account: This mode applies to the scenario in which a high-privileged account or a manual O&M account is managed. In this mode, KMS changes the password of the single account in place, so applications that hold the previous password fail to authenticate between the rotation and their next fetch of the secret. The current version of the secret may therefore be temporarily unavailable while the secret is rotated.
        • Click the One-click creation and authorization tab, specify an account prefix, and then select an account type.

          You can select Common Account or High Authority Account as the account type. If you select Common Account, you also need to select a database and specify the permissions of the account.

        • Click the Import existing accounts tab, select an account, and then specify the password of the account.
    • Secret Description: Enter the description of the secret.
  6. In the Configuration rotation step, select Turn on automatic rotation, set the Rotation Period parameter, and then click Next.
    Note If you do not need to automatically rotate the ApsaraDB RDS secret, select Turn off automatic rotation.
  7. In the Review and confirm step, check the configuration of the secret and click OK.
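The procedure above produces a secret that applications must fetch and, after each rotation, refresh. The following Python example, added here and not part of the Alibaba Cloud documentation or SDK, shows the client-side handling and why the two management modes behave differently. It assumes that the secret value returned for a managed RDS secret is a JSON object with the keys AccountName and AccountPassword; the KMS service and the database are replaced by constructed stand-ins (FakeKms, FakeRds) so that the code runs offline, and the function and class names are illustrative.

```python
"""Client-side handling of a dynamic ApsaraDB RDS secret (added example, not Alibaba Cloud code)."""
import json
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class RdsCredential:
    account: str
    password: str
    version_id: str


def parse_rds_secret(secret_data: str, version_id: str) -> RdsCredential:
    """Parse the SecretData string of an RDS secret (assumed format: AccountName/AccountPassword)."""
    data = json.loads(secret_data)
    try:
        return RdsCredential(data["AccountName"], data["AccountPassword"], version_id)
    except KeyError as exc:
        raise ValueError(f"RDS secret value is missing field {exc}") from exc


class AuthError(Exception):
    """Raised by the connector when the database rejects the credential."""


class RotatingConnector:
    """Cache the current secret value and refresh it once when the database rejects it.

    fetch() stands in for a GetSecretValue call and returns (secret_data, version_id);
    connect(account, password) stands in for the database driver.
    """

    def __init__(self, fetch: Callable[[], Tuple[str, str]], connect: Callable[[str, str], str]):
        self._fetch, self._connect = fetch, connect
        self._cred: Optional[RdsCredential] = None
        self.refreshes = 0  # how many times the secret was read from KMS

    def _refresh(self) -> RdsCredential:
        data, version = self._fetch()
        self._cred = parse_rds_secret(data, version)
        self.refreshes += 1
        return self._cred

    def connect(self) -> str:
        cred = self._cred or self._refresh()
        try:
            return self._connect(cred.account, cred.password)
        except AuthError:
            # The cached password is stale (single-account rotation changed it in place):
            # read the new secret version once and retry.
            cred = self._refresh()
            return self._connect(cred.account, cred.password)


class FakeRds:
    """Constructed stand-in for the database: accepts only each account's current password."""

    def __init__(self, accounts: dict):
        self.accounts = dict(accounts)

    def connect(self, account: str, password: str) -> str:
        if self.accounts.get(account) != password:
            raise AuthError(account)
        return f"session:{account}"


class FakeKms:
    """Constructed stand-in for KMS: holds the current secret value and version."""

    def __init__(self, data: str, version: str):
        self.data, self.version = data, version

    def get_secret_value(self) -> Tuple[str, str]:
        return self.data, self.version


def demo_single_account() -> Tuple[str, str, int]:
    rds = FakeRds({"app_user": "pw-v1"})
    kms = FakeKms('{"AccountName":"app_user","AccountPassword":"pw-v1"}', "v1")
    conn = RotatingConnector(kms.get_secret_value, rds.connect)
    first = conn.connect()
    # Rotation in single-account mode: the only account's password is reset in place.
    rds.accounts["app_user"] = "pw-v2"
    kms.data, kms.version = '{"AccountName":"app_user","AccountPassword":"pw-v2"}', "v2"
    second = conn.connect()  # first attempt fails, refresh, retry succeeds
    return first, second, conn.refreshes


def demo_dual_account() -> Tuple[str, str, int]:
    rds = FakeRds({"app_a": "pw-a1", "app_b": "pw-b1"})
    kms = FakeKms('{"AccountName":"app_a","AccountPassword":"pw-a1"}', "v1")
    conn = RotatingConnector(kms.get_secret_value, rds.connect)
    first = conn.connect()
    # Rotation in dual-account mode: the other account gets the new password and becomes
    # current; app_a's password is untouched, so the cached credential still works.
    rds.accounts["app_b"] = "pw-b2"
    kms.data, kms.version = '{"AccountName":"app_b","AccountPassword":"pw-b2"}', "v2"
    second = conn.connect()  # no auth failure, no refresh
    return first, second, conn.refreshes


if __name__ == "__main__":
    print("single account:", demo_single_account())
    print("dual account:", demo_dual_account())
```

In single-account mode the connector recovers only because it retries after an authentication failure; without that retry, every cached connection attempt fails until the application re-reads the secret. In dual-account mode the cached credential keeps working across the rotation, which is why that mode is recommended for application access.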

Delete a dynamic ApsaraDB RDS secret

Before you delete a dynamic ApsaraDB RDS secret, make sure that no application still retrieves it from KMS. After the secret is deleted, requests for its value fail.

You can schedule a dynamic ApsaraDB RDS secret for deletion, which keeps a recovery window, or delete it immediately.

  1. Find the dynamic ApsaraDB RDS secret that you want to delete and choose More > Plan Deletion Secret in the Actions column.
  2. In the Delete Secret dialog box, select a method to delete the secret, and click OK.
    • Select Plan Deletion Secret and set the Delete In (7-30 days) parameter. The system deletes the secret after the specified number of days.

      Before the system deletes the secret, you can restore the secret to cancel deletion. For more information, see Restore a dynamic ApsaraDB RDS secret.

    • Select Delete Secret Immediately. The system deletes the secret immediately, without a recovery window, so the secret cannot be restored afterwards.

Restore a dynamic ApsaraDB RDS secret

After you schedule a dynamic ApsaraDB RDS secret to be deleted and before the system deletes the secret, you can restore the secret to cancel deletion. After the dynamic ApsaraDB RDS secret is restored, it can be used as normal.

  1. Find the dynamic ApsaraDB RDS secret that you want to restore and choose More > Restore Secret in the Actions column.
  2. In the Restore Secret message, click OK.