
Key Management Service:Manage and use ApsaraDB RDS secrets

Last Updated: Apr 16, 2024

Database attacks are one of the major threats to data security. You can use Secrets Manager to manage ApsaraDB RDS secrets. Secrets Manager supports periodic rotation and immediate rotation of secrets that are managed in Secrets Manager. This helps reduce the risk of secret leaks. This topic describes how to manage and use ApsaraDB RDS secrets.

Overview

If you use ApsaraDB RDS secrets, you do not need to configure static passwords of database accounts in your applications. After you create an ApsaraDB RDS secret in Secrets Manager, your application can call the GetSecretValue operation to retrieve the username and password that are stored in the ApsaraDB RDS secret and use the username and password to access your ApsaraDB RDS instance.

Important

After an ApsaraDB RDS secret is rotated, the username and password of the ApsaraDB RDS instance for which the secret is created are also updated. If you delete an ApsaraDB RDS instance that is associated with a secret, the secret rotation may fail. We recommend that you do not delete the ApsaraDB RDS instance that is associated with a secret.

Figure: Architecture

Limits

Secrets Manager supports the following types of ApsaraDB RDS instances: ApsaraDB RDS for MySQL, ApsaraDB RDS for MariaDB, ApsaraDB RDS for SQL Server, and ApsaraDB RDS for PostgreSQL. Secrets Manager does not support ApsaraDB RDS for SQL Server instances that run SQL Server 2017 EE.

Prerequisites

Step 1: Create an ApsaraDB RDS secret

When you create a secret, you can configure automatic rotation for the secret. This helps reduce the risk of secret leaks.

  1. Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Secrets.

  2. Click the ApsaraDB RDS Secrets tab, select the required instance ID from the Instance ID drop-down list, and then click Create Secret. Then, configure the parameters and click OK.

    Secret Name

    The name of the secret.

    RDS Instance

    The existing ApsaraDB RDS instance that you want to manage within your Alibaba Cloud account.

    Secret Value

    The value cannot exceed 30,720 bytes in length, which is equivalent to 30 KB in size.

    • Manage Dual Accounts (recommended): This mode applies to the scenarios in which the secret is used by applications to access the ApsaraDB RDS instance. In this mode, KMS manages two accounts that have identical permissions. This mode ensures that the connections between applications and the ApsaraDB RDS instance are not interrupted when the secret is rotated.

      • Click the Create and Authorize Account tab, specify a username prefix, select a database, and then specify the permissions.

        Note

        KMS does not immediately create the accounts. KMS creates the accounts after you review and confirm the secret information.

      • Click the Import Existing Accounts tab, select usernames, and then specify passwords for the usernames.

        Note

        We recommend that you specify the same passwords that you set for the accounts when you created the ApsaraDB RDS instance. If a username and the specified password do not match, the secret contains a valid username and password after the secret is rotated for the first time.

    • Manage Single Account: This mode applies to the scenarios in which a privileged account or a manual O&M account is managed. In this mode, the current version of the secret may be temporarily unavailable when the secret is rotated.

      • Click the Create and Authorize Account tab, specify a username prefix, and then select an account type.

        You can select Standard Account or Privileged Account for the Account Type parameter. If you select Standard Account, you must select a database and specify the permissions of the account.

      • Click the Import Existing Accounts tab, select a username, and then specify a password for the username.

    CMK

    The key that is used to encrypt the secret.

    Important

    Your key and secret must belong to the same KMS instance. The key must be a symmetric key. For more information about the symmetric keys supported by KMS, see Key types and specifications.

    Tag

    The tag that you want to add to the secret. You can use tags to classify and manage secrets. A tag consists of a key-value pair.

    Note
    • A tag key or a tag value can be up to 128 characters in length and can contain letters, digits, forward slashes (/), backslashes (\), underscores (_), hyphens (-), periods (.), plus signs (+), equal signs (=), colons (:), and at signs (@).

    • A tag key cannot start with aliyun or acs:.

    • You can configure up to 20 key-value pairs for each secret.

    Automatic Rotation

    Specifies whether to enable automatic secret rotation.

    Rotation Period

    The interval of automatic secret rotation. This setting is required only when you select Enable Automatic Rotation. The value ranges from 6 hours to 365 days.

    KMS periodically updates the secret based on the value of this parameter.

    Description

    The description of the secret.

    Advanced Settings

    The policy settings of the secret.

    • Default Policy: If the secret is used by the current Alibaba Cloud account or the Alibaba Cloud account in a resource share, select Default Policy.

      • If the KMS instance is not shared with other accounts, only the current Alibaba Cloud account can manage and use the secret.

      • If the KMS instance is shared with other accounts, the supported operations vary. For example, Alibaba Cloud Account 1 shares an instance named KMS Instance A with Alibaba Cloud Account 2.

        • Secrets created by Alibaba Cloud Account 1: Only Alibaba Cloud Account 1 can manage and use the secrets.

        • Secrets created by Alibaba Cloud Account 2: Both Alibaba Cloud Account 1 and Alibaba Cloud Account 2 can manage and use the secrets.

    • Custom Policy: If you want to grant permissions to a Resource Access Management (RAM) user, RAM role, or other accounts to use the secret, select Custom Policy.

      Important
      • Administrators and users do not consume Access Management Quota. Cross-account users consume the Access Management Quota of the KMS instance. The consumed quota is calculated based on the number of Alibaba Cloud accounts. If you revoke the permissions, wait approximately 5 minutes and then query the quota. The consumed quota is restored.

      • When you use a secret, you must have the permission to use the required key to decrypt the secret.

      • An administrator can manage the secret but cannot retrieve the secret value. You can select RAM users and RAM roles within the current Alibaba Cloud account.

        Permissions supported by administrators

        {
          "Statement": [
            {
              "Action": [
                "kms:List*",
                "kms:Describe*",
                "kms:PutSecretValue",
                "kms:Update*",
                "kms:DeleteSecret",
                "kms:RestoreSecret",
                "kms:RotateSecret",
                "kms:TagResource",
                "kms:UntagResource"
              ]
            }
          ]
        }
      • A user can retrieve the secret value. You can select RAM users and RAM roles within the current Alibaba Cloud account.

        Permissions supported by users

        {
          "Statement": [
            {
              "Action": [
                "kms:List*",
                "kms:Describe*",
                "kms:GetSecretValue"
              ]
            }
          ]
        }
      • A cross-account user can retrieve the secret value. You can select RAM users and RAM roles within other Alibaba Cloud accounts.

        • RAM user: The name of the RAM user is in the acs:ram::<userId>:user/<ramuser> format. Example: acs:ram::119285303511****:user/testpolicyuser.

        • RAM role: The name of the RAM role is in the acs:ram::<userId>:role/<ramrole> format. Example: acs:ram::119285303511****:role/testpolicyrole.

        Note

        After you grant permissions to a RAM user or RAM role, you must use the Alibaba Cloud account of the RAM user or RAM role to authorize the RAM user or RAM role to use the secret in RAM. Then, the RAM user or RAM role can use the secret.

        For more information, see Use RAM to manage access to KMS resources, Grant permissions to a RAM user, and Grant permissions to a RAM role.

        Permissions supported by cross-account users

        {
          "Statement": [
            {
              "Action": [
                "kms:List*",
                "kms:Describe*",
                "kms:GetSecretValue"
              ]
            }
          ]
        }
    Note

    When you create an ApsaraDB RDS secret, the system automatically creates the AliyunServiceRoleForKMSSecretsManagerForRDS service-linked role and attaches the AliyunServiceRolePolicyForKMSSecretsManagerForRDS policy to the role. Secrets Manager assumes the role to manage dynamic ApsaraDB RDS secrets, such as rotating the usernames and passwords of ApsaraDB RDS instances.

    You can log on to the RAM console to view the details of service-linked roles and policies. For more information, see View the information about a RAM role and View the basic information about a policy.

Step 2: Install Secrets Manager JDBC in your application

Secrets Manager JDBC is developed based on the Secrets Manager API and encapsulates business logic, best practices, and design patterns. Your application can use an ApsaraDB RDS secret that is hosted in Secrets Manager to authenticate when it establishes database connections. After a connection is established, your application can access the required databases by using the JDBC API. For more information, see Secret JDBC client.
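The following added example (not code from this page, from Secrets Manager JDBC, or from the Alibaba Cloud SDKs) shows how an application should consume a rotating ApsaraDB RDS secret: cache the credential obtained from GetSecretValue and refresh it once if the database rejects it. It also shows why the dual-account mode in Step 1 keeps stale connections working while single-account mode does not. The response keys, the AccountName/AccountPassword fields inside SecretData, and the FakeRds stand-in are assumptions; replace the stand-in with the real GetSecretValue call.

```python
import json
from collections import namedtuple
from typing import Callable

class DbAuthError(Exception): "Raised by the dial function when the database rejects the credentials."
DbCredential = namedtuple("DbCredential", "username password version_id")

def parse_secret_value(resp: dict) -> DbCredential:
    """Build a credential from a GetSecretValue response. The response keys and the
    AccountName/AccountPassword fields inside SecretData are assumptions, not from this page."""
    data = json.loads(resp["SecretData"])
    return DbCredential(data["AccountName"], data["AccountPassword"], resp["VersionId"])

class RdsSecretClient:
    """Caches the credential and refreshes it once when the database rejects it,
    which is what a cached password looks like after a single-account rotation."""
    def __init__(self, secret_name: str, get_secret_value: Callable[[str], dict]):
        self._name, self._get, self._cached = secret_name, get_secret_value, None
    def credential(self, refresh: bool = False) -> DbCredential:
        if self._cached is None or refresh:
            self._cached = parse_secret_value(self._get(self._name))
        return self._cached
    def connect(self, dial: Callable[[str, str], str]) -> str:
        cred = self.credential()
        try:
            return dial(cred.username, cred.password)
        except DbAuthError:  # stale credential: fetch the current version, retry once
            cred = self.credential(refresh=True)
            return dial(cred.username, cred.password)

class FakeRds:
    """Constructed stand-in for Secrets Manager plus the RDS instance (no network)."""
    def __init__(self):
        self.current = ("v1", "app_user_a", "pw-1")  # what GetSecretValue returns
        self.live = {"app_user_a": "pw-1"}           # accounts the database accepts
    def rotate(self, version_id: str, user: str, pw: str, dual_account: bool):
        if not dual_account:  # single-account mode: the old credential stops working
            del self.live[self.current[1]]
        self.current = (version_id, user, pw)  # dual-account mode keeps the other account live
        self.live[user] = pw
    def get_secret_value(self, name: str) -> dict:
        vid, user, pw = self.current
        return {"SecretName": name, "VersionId": vid,
                "SecretData": json.dumps({"AccountName": user, "AccountPassword": pw})}
    def dial(self, user: str, pw: str) -> str:
        if self.live.get(user) != pw:
            raise DbAuthError(user)
        return f"connected as {user}"
```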

What to do next

Rotate an ApsaraDB RDS secret

You can configure automatic rotation for a secret to reduce the risk of secret leaks. If a secret is leaked, you can immediately rotate the secret in the KMS console to eliminate intrusion risks.

  1. Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Secrets.

  2. Click the ApsaraDB RDS Secrets tab, select the required instance ID from the Instance ID drop-down list, find the secret that you want to rotate, and then click Details in the Actions column.

  3. Configure a secret rotation policy.

    • Periodic rotation: In the upper-right corner of the page, click Configure Rotation Policy, enable or disable Automatic Rotation, and then click OK.

    • Immediate rotation: In the upper-right corner of the page, click Rotate Now. Then, confirm the information and click OK.

Delete an ApsaraDB RDS secret

Warning

Before you delete an ApsaraDB RDS secret, make sure that the secret is no longer in use. If you delete an ApsaraDB RDS secret that is in use, service failures may occur.

You can immediately delete a secret or create a scheduled task to delete a secret. If you delete an ApsaraDB RDS secret, the ApsaraDB RDS secret is deleted only from Secrets Manager. The username and password of the secret are not deleted in ApsaraDB RDS.

  1. Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Secrets.

  2. Click the ApsaraDB RDS Secrets tab, select the required instance ID from the Instance ID drop-down list, find the secret that you want to delete, and then click Schedule Deletion in the Actions column.

  3. In the Schedule Deletion dialog box, select a method to delete the secret and click OK.

    • If you select Schedule Deletion, configure Retention Period (7 to 30 Days). When the scheduled deletion period ends, KMS deletes the secret.

    • If you select Delete Immediately, the system immediately deletes the secret.

    During the scheduled deletion period, you can click Restore Secret in the Actions column to cancel the deletion.

Add tags to secrets

You can use tags to classify and manage secrets. A tag consists of a key-value pair.

Note
  • A tag key or a tag value can be up to 128 characters in length and can contain letters, digits, forward slashes (/), backslashes (\), underscores (_), hyphens (-), periods (.), plus signs (+), equal signs (=), colons (:), and at signs (@).

  • A tag key cannot start with aliyun or acs:.

  • You can configure up to 20 key-value pairs for each secret.

Add tags for a secret

Method 1: Add tags on the Secrets page

  1. Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Secrets.

  2. Click a tab based on the type of your secret, select the required instance ID from the Instance ID drop-down list, find the secret to which you want to add tags, and then click the tag icon in the Tag column.

  3. Click Add. In the Edit Tag dialog box, enter one or more Tag Key and Tag Value pairs, and then click OK. In the message that appears, click Close.

    In the Edit Tag dialog box, you can change the tag values and remove multiple tags at a time.

Method 2: Add tags on the Secret Details page

  1. Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Secrets.

  2. Click a tab based on the type of your secret, select the required instance ID from the Instance ID drop-down list, find the secret to which you want to add tags, and then click Details in the Actions column.

  3. On the secret details page, click the tag icon next to Tag.

  4. In the Edit Tag dialog box, enter one or more Tag Key and Tag Value pairs, and then click OK. In the message that appears, click Close.

    In the Edit Tag dialog box, you can change the tag values and remove multiple tags at a time.

Configure tags for multiple secrets at a time

  1. Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Secrets.

  2. Click a tab based on the type of your secret, select the required instance ID from the Instance ID drop-down list, and then select the secrets that you want to manage in the secret list.

    • Add tags: In the lower part of the secret list, click Add Tag. In the Add Tag dialog box, enter one or more Tag Key and Tag Value pairs, and then click OK. In the message that appears, click Close.

    • Remove tags: In the lower part of the secret list, click Remove Tag. In the Batch Remove dialog box, select the tags that you want to remove and click Remove. In the message that appears, click Close.

Check accounts

The account check feature allows you to check whether the ApsaraDB RDS account that an ApsaraDB RDS secret refers to still exists on your ApsaraDB RDS instance. If it does, the secret can be rotated. If it does not, you must delete the secret and create a new one.

  1. Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Secrets.

  2. Click the ApsaraDB RDS Secrets tab, select the required instance ID from the Instance ID drop-down list, find the secret that you want to manage, and then click Details in the Actions column.

  3. In the Versions section, click Check Account. After the check is complete, view the check result.

FAQ

When I configure a secret rotation policy or immediately rotate a secret, the system prompts the error message "Your secret is being rotated. Try again later." What is the reason?