You can create a dynamic ApsaraDB RDS secret that KMS rotates automatically on a schedule. Regular rotation shortens the time for which a leaked database credential remains usable. This topic describes how to create, delete, and restore a dynamic ApsaraDB RDS secret in the Key Management Service (KMS) console.

Prerequisites

  • An ApsaraDB RDS instance is created. For more information, see Create an ApsaraDB RDS for MySQL instance.
  • If you use a RAM user or a RAM role to manage secrets, you must attach the system policy AliyunKMSSecretAdminAccess to the RAM user or the RAM role. This policy grants the following permissions:
    • The permissions to use the features of Secrets Manager.
    • The permissions to query ApsaraDB RDS instances and manage accounts.
    • The permissions to create the service-linked role that can create managed ApsaraDB RDS secrets.

Create a dynamic ApsaraDB RDS secret

  1. Log on to the KMS console.
  2. In the top navigation bar, select the region in which you want to create a secret.
  3. In the left-side navigation pane, click Secrets.
  4. Click Create Secret.
  5. In the Create Secret dialog box, configure the following parameters and click Next:
    • Select Type: Select Managed Credential for RDS.
    • Secret name: Specify the name of the secret.
    • Select RDS Instance: Select an existing ApsaraDB RDS instance within your Alibaba Cloud account.
    • Set Secret Value: Select the mode in which the secret is managed and configure the secret value.
      • Manage Dual Account: This mode applies to the scenarios in which the secret is used by applications to access the ApsaraDB RDS instance. We recommend that you select this mode. In this mode, KMS manages two accounts that have identical permissions and rotates them in turn, so the credential that an application has already read stays valid until the next rotation and connections between applications and the ApsaraDB RDS instance are not interrupted. Applications must still re-read the secret at least once per rotation period; a credential older than one period is no longer valid.
        • Click the One-click creation and authorization tab, specify an account name prefix, select a database, and then specify the permissions.
          Note KMS does not immediately create the accounts. KMS creates the accounts after you review and confirm the secret information.
        • Click the Import existing accounts tab, select accounts, and then specify passwords of the accounts.
          Note Enter the passwords that the accounts currently have on the ApsaraDB RDS instance, that is, the passwords you specified when you created the accounts. If the password that you enter for an imported account does not match, the secret value is unusable until the secret is rotated for the first time; from then on KMS sets the password itself and the secret value is valid.
      • Manage Single Account: This mode applies to the scenarios in which a privileged account or a manual O&M account is managed. Only one account exists in this mode, so its password is replaced during rotation and the current version of the secret may be temporarily unavailable: connections that still use the old password fail until the new version of the secret is read.
        • Click the One-click creation and authorization tab, specify an account name prefix and select an account type.

          You can select Common Account or High Authority Account as the account type. If you select Common Account, you must select a database and specify the permissions of the account. Select High Authority Account only if the workload needs privileges over all databases on the instance; a Common Account scoped to one database is the least-privilege choice for most uses.

        • Click the Import existing accounts tab, select an account, and then specify the password of the account.
    • Secret Description: Enter the description of the secret.
  6. In the Configuration rotation dialog box, select Turn on automatic rotation, configure the Rotation Period parameter, and then click Next.
    Note If you do not want the ApsaraDB RDS secret to be automatically rotated, select Turn off automatic rotation.
  7. In the Review and confirm dialog box, confirm the configurations of the secret and click OK.
  8. In the Created successfully message, click Close.
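The difference between Manage Dual Account and Manage Single Account shows up on the application side, not in the console. The following is an added example and not code from the Alibaba Cloud documentation or SDK: an offline model in which RdsStub stands in for the RDS instance and KmsStub for Secrets Manager. The secret value layout {"AccountName", "AccountPassword"} and the version stage labels ACSCurrent / ACSPrevious are the ones KMS uses for managed RDS secrets; the account names, passwords and the rotation bookkeeping are assumptions made for the simulation. The client caches the ACSCurrent credential and goes back to KMS only when the database rejects it.

```python
import json
import secrets

# Constructed example, not Alibaba Cloud SDK code. RdsStub and KmsStub stand in
# for the RDS instance and for Secrets Manager; account names and passwords are
# made up. The secret value layout and the ACSCurrent / ACSPrevious stage labels
# follow the managed RDS secret format, everything else is a simulation.


class RdsStub:
    """Stand-in for an ApsaraDB RDS instance: account name -> current password."""

    def __init__(self, accounts):
        self.accounts = dict(accounts)

    def connect(self, account, password):
        if self.accounts.get(account) != password:
            raise PermissionError(f"access denied for {account!r}")
        return f"session({account})"


class KmsStub:
    """Stand-in for Secrets Manager holding one managed RDS secret.

    dual=True models Manage Dual Account: two accounts with identical permissions
    are rotated in turn, so the password of the account left in ACSPrevious stays
    valid until the following rotation.
    dual=False models Manage Single Account: the only account's password is
    replaced in place, so every credential read before the rotation dies at once.
    """

    def __init__(self, rds, account_names, dual):
        self.rds = rds
        self.dual = dual
        self.names = list(account_names)
        self.current = 0                        # index into self.names
        self.versions = {}                      # version stage -> secret value (JSON)
        self._publish(self.names[0], rds.accounts[self.names[0]])

    def _publish(self, name, password):
        if "ACSCurrent" in self.versions:
            self.versions["ACSPrevious"] = self.versions["ACSCurrent"]
        self.versions["ACSCurrent"] = json.dumps(
            {"AccountName": name, "AccountPassword": password})

    def rotate(self):
        if self.dual:
            self.current ^= 1                   # switch to the other managed account
        name = self.names[self.current]
        new_password = secrets.token_urlsafe(24)
        self.rds.accounts[name] = new_password  # password changed on the instance first ...
        self._publish(name, new_password)       # ... then the new version is published

    def get_secret_value(self, version_stage="ACSCurrent"):
        return json.loads(self.versions[version_stage])


class AppClient:
    """Application side: cache the ACSCurrent credential, refetch on access denied."""

    def __init__(self, kms, rds):
        self.kms, self.rds = kms, rds
        self.cached = None
        self.refetches = 0

    def connect(self):
        if self.cached is None:
            self.cached = self.kms.get_secret_value()
        try:
            return self._open(self.cached)
        except PermissionError:
            # The cached credential was rotated away: fetch the current version and
            # retry once. A second rejection is a real failure, not a rotation.
            self.refetches += 1
            self.cached = self.kms.get_secret_value()
            return self._open(self.cached)

    def _open(self, secret):
        return self.rds.connect(secret["AccountName"], secret["AccountPassword"])


def refetches_after(dual, rotations):
    """Connect once, let KMS rotate `rotations` times, connect again, and return how
    many times the client had to go back to KMS because its cached credential failed."""
    rds = RdsStub({"app_rw_a": "initial-a", "app_rw_b": "initial-b"})  # constructed
    names = ["app_rw_a", "app_rw_b"] if dual else ["app_rw_a"]
    kms = KmsStub(rds, names, dual)
    client = AppClient(kms, rds)
    client.connect()                            # warm the cache
    for _ in range(rotations):
        kms.rotate()
    client.connect()
    return client.refetches


if __name__ == "__main__":
    print("dual account, 1 rotation:  ", refetches_after(True, 1))   # 0: no interruption
    print("dual account, 2 rotations: ", refetches_after(True, 2))   # 1: cache older than one period
    print("single account, 1 rotation:", refetches_after(False, 1))  # 1: old password gone at once
```

The three runs at the bottom make the operational rule concrete: with Manage Dual Account a credential read before a rotation still authenticates after it, but only for one rotation period, so applications should refresh the secret at least that often; with Manage Single Account the first connection attempt after a rotation fails and the client must re-read the secret before it can continue.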

Delete a dynamic ApsaraDB RDS secret

Before you delete a dynamic ApsaraDB RDS secret, make sure that no application still reads the secret to obtain its database credentials.

You can schedule the deletion of a dynamic ApsaraDB RDS secret or immediately delete a dynamic ApsaraDB RDS secret.

  1. Find the dynamic ApsaraDB RDS secret that you want to delete and choose More > Plan Deletion Secret in the Actions column.
  2. In the Delete Secret dialog box, select a method to delete the secret and click OK.
    • If you select Plan Deletion Secret, you must configure the Delete In (7-30 days) parameter. Then, the system deletes the secret after the specified number of days.

      Before the system deletes the secret, you can restore the secret to cancel deletion. For more information, see Restore a dynamic ApsaraDB RDS secret.

    • If you select Delete Secret Immediately, the system immediately deletes the secret.

Restore a dynamic ApsaraDB RDS secret

If you schedule a dynamic ApsaraDB RDS secret to be deleted, you can restore the secret to cancel deletion before the system deletes the secret. After the dynamic ApsaraDB RDS secret is restored, it can be used as normal.

  1. Find the dynamic ApsaraDB RDS secret that you want to restore and choose More > Restore Secret in the Actions column.
  2. In the Restore Secret message, click OK.