Static database credentials are a persistent security risk: long-lived passwords accumulate exposure over time and can be reused after a breach. Dynamic ApsaraDB RDS secrets address this by rotating database credentials automatically on a schedule, reducing the security risk of secret leakage. This topic describes how to create, delete, and restore dynamic ApsaraDB RDS secrets in the Key Management Service (KMS) console.
Prerequisites
Before you begin, ensure that you have:
An ApsaraDB RDS instance. For setup instructions, see Create an ApsaraDB RDS for MySQL instance.
(Required for RAM users and roles) The AliyunKMSSecretAdminAccess system policy granted to the Resource Access Management (RAM) user or RAM role managing secrets. This policy grants permission to use Secrets Manager features, query ApsaraDB RDS instances and manage accounts, and create the service-linked role for managed ApsaraDB RDS secrets.
Choose a management method
Before creating a secret, decide whether to use dual-account or single-account management. The choice determines what your application experiences during each password rotation.
| Method | How it works | Effect during rotation | Best for |
|---|---|---|---|
| Dual-account management (recommended) | Manages two accounts with identical permissions. | Program access is not interrupted during a password reset. | Applications requiring continuous database access |
| Single-account management | Manages one account. The password is reset directly. | The current version of the secret may be temporarily unavailable when the password is reset. | Privileged accounts or operations accounts where brief unavailability is acceptable |
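What each management method means for a running application, shown as an added example that is not part of this topic and not Alibaba Cloud's SDK: a small Python model of a managed RDS secret with version stages, a constructed stand-in for an RDS instance, and a client-side credential cache that refetches the secret and retries once when the database rejects a cached password. The stage names ACSCurrent/ACSPrevious, the SecretData layout {"AccountName", "AccountPassword"}, and the rotation rule "reset the previous account's password, then promote it to current" are assumptions drawn from Secrets Manager conventions, not statements on this page.

```python
"""Constructed model of dynamic RDS secret rotation plus a client-side cache.
Added example: it does not call the real KMS GetSecretValue API. Stage names,
SecretData layout and the dual-account rotation rule are assumptions."""
import json
import secrets


class AuthError(Exception):
    """Raised when the (fake) database rejects the supplied credentials."""


class FakeRds:
    """Constructed stand-in for an RDS instance: account name -> password."""

    def __init__(self):
        self.accounts = {}

    def create_account(self, name):
        self.accounts[name] = secrets.token_urlsafe(12)
        return self.accounts[name]

    def reset_password(self, name):
        self.accounts[name] = secrets.token_urlsafe(12)
        return self.accounts[name]

    def connect(self, name, password):
        if self.accounts.get(name) != password:
            raise AuthError(f"access denied for {name}")
        return f"session:{name}"


class ManagedRdsSecret:
    """Model of a managed RDS secret with version stages (assumed names).

    dual=True  -> two accounts with identical permissions; rotation resets the
                  password of the account in ACSPrevious and promotes it to
                  ACSCurrent, so a credential an application already holds
                  keeps working until the following rotation.
    dual=False -> one account; rotation resets its password directly, so a
                  cached credential fails until the application refetches.
    """

    def __init__(self, rds, account_names, dual):
        self.rds = rds
        self.dual = dual
        first = account_names[0]
        self.stages = {"ACSCurrent": {"AccountName": first,
                                      "AccountPassword": rds.create_account(first)}}
        if dual:
            second = account_names[1]
            self.stages["ACSPrevious"] = {"AccountName": second,
                                          "AccountPassword": rds.create_account(second)}

    def rotate(self):
        if self.dual:
            prev = self.stages["ACSPrevious"]
            prev["AccountPassword"] = self.rds.reset_password(prev["AccountName"])
            self.stages["ACSPrevious"] = self.stages["ACSCurrent"]
            self.stages["ACSCurrent"] = prev
        else:
            cur = self.stages["ACSCurrent"]
            cur["AccountPassword"] = self.rds.reset_password(cur["AccountName"])

    def get_secret_value(self, stage="ACSCurrent"):
        """Mimics a GetSecretValue response: SecretData is a JSON string."""
        return {"VersionStages": [stage], "SecretData": json.dumps(self.stages[stage])}

    def current_account(self):
        return self.stages["ACSCurrent"]["AccountName"]


class CredentialCache:
    """Application side: fetch once, refresh on auth failure, retry once."""

    def __init__(self, secret, rds):
        self.secret, self.rds, self.creds, self.refreshes = secret, rds, None, 0

    def _load(self):
        self.creds = json.loads(self.secret.get_secret_value()["SecretData"])
        self.refreshes += 1

    def connect(self):
        if self.creds is None:
            self._load()
        try:
            return self.rds.connect(self.creds["AccountName"], self.creds["AccountPassword"])
        except AuthError:
            self._load()  # a rotation happened: refetch ACSCurrent and retry once
            return self.rds.connect(self.creds["AccountName"], self.creds["AccountPassword"])


def simulate(dual):
    """How many secret fetches a caching client needs across one rotation."""
    rds = FakeRds()
    secret = ManagedRdsSecret(rds, ["app_user_a", "app_user_b"], dual)
    cache = CredentialCache(secret, rds)
    cache.connect()   # initial fetch
    secret.rotate()   # scheduled rotation by Secrets Manager
    cache.connect()   # dual: old credential still valid; single: AuthError, refresh
    return cache.refreshes


if __name__ == "__main__":
    print("dual-account fetches:", simulate(True))     # 1
    print("single-account fetches:", simulate(False))  # 2
```

The refresh-on-AuthError path is the piece that matters for single-account management: without it the application keeps presenting the reset password and stays locked out until restart. With dual-account management the same client never hits that path during a rotation, which is the uninterrupted behaviour the table describes.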
Create a dynamic ApsaraDB RDS secret
Log on to the Key Management Service console.
In the Region drop-down list in the top-left corner, select the region where your credentials are stored.
In the left navigation pane, click Secrets.
Click Create Secret.
In the Create Secret dialog box, configure the following parameters, then click Next.
Secret Type: Select Managed RDS Secret.
Secret Name: Enter a name for the secret.
Select RDS Instance: Select an existing ApsaraDB RDS instance in your Alibaba Cloud account.
Set Secret Value: Select a management method and configure the account.
Dual-account management:
One-click Creation and Authorization tab: Enter an account name, select a database, and specify permissions. The account is created after you confirm the secret configuration in the next step, not immediately.
Import Existing Account tab: Select a username and enter the corresponding password. If the password does not match the RDS account, you can obtain the correct account and password after the secret is first rotated.
Single-account management:
One-click Creation and Authorization tab: Enter an account name and select an account type — Standard Account or Privileged Account. For Standard Account, also select a database and specify permissions.
Import Existing Account tab: Select a username and enter the password.
Description: Enter a description for the secret.
Select Enable Automatic Rotation, set the Rotation Interval, then click Next.
Note: To skip automatic rotation, select Disable Automatic Rotation.
Review the secret configuration and click OK.
Click Close in the Creation Successful dialog box.
Delete a dynamic ApsaraDB RDS secret
Secrets Manager intentionally makes deletion a two-step process: secrets enter a retention period before permanent removal, giving you time to recover from accidental deletions. Confirm the secret is no longer in use before proceeding.
In the Actions column of the target secret, choose Delete Secret.
In the Delete Secret dialog box, select a deletion method and click OK.
Schedule Deletion: Set a Retention Period (7–30 days). The secret is permanently deleted after the retention period ends. During this window, you can restore the secret if needed.
Delete Immediately: Permanently deletes the secret with no recovery window.
Restore a dynamic ApsaraDB RDS secret
If you scheduled a deletion, you can cancel it at any time before the retention period ends. After restoration, the secret is available normally.
In the Actions column of the target secret, choose Restore Secret.
In the Restore Secret dialog box, click OK.