Data Management (DMS) can retrieve ApsaraDB RDS database credentials from Key Management Service (KMS) at connection time, so DMS never stores plaintext database accounts. This topic describes how to create an ApsaraDB RDS secret in KMS and configure DMS to use it for database logon.
How it works
The secret administrator creates an ApsaraDB RDS secret in KMS for a target database.
The DMS administrator registers the ApsaraDB RDS database with DMS, selecting Logon with KMS Secret as the access mode.
The DMS administrator initiates a connection to the database.
DMS calls the ListSecrets and GetSecretValue operations to retrieve the current secret value from KMS in real time.
DMS uses the retrieved credentials to log on to the database.
DMS always retrieves the secret version whose stage label is ACSCurrent, so automatic secret rotation does not interrupt database connections.
Benefits
Encrypted storage: Database accounts are encrypted and stored in KMS, eliminating exposure of plaintext credentials.
Automatic rotation: Configure a rotation schedule in KMS to update database passwords automatically. Use KMS-managed secrets for DMS logon rather than entering credentials manually to prevent logon failures when passwords rotate.
Audit trail: KMS integrates with ActionTrail to record all access requests to ApsaraDB RDS secrets, supporting audit and investigation of unusual behavior.
Supported database types
KMS supports secrets for the following ApsaraDB RDS instance types:
ApsaraDB RDS for MySQL
ApsaraDB RDS for MariaDB
ApsaraDB RDS for SQL Server (except instances running SQL Server 2017 EE)
ApsaraDB RDS for PostgreSQL
Billing
This integration requires a KMS instance. For billing and selection guidance, see Billing and Overview.
Prerequisites
Before you begin, ensure that you have:
A KMS instance that is purchased and enabled. See Purchase and enable a KMS instance.
A symmetric key created in the KMS instance, used to encrypt the ApsaraDB RDS secret. See Manage a key.
Step 1: Create an ApsaraDB RDS secret in KMS
Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Secrets.
On the Secrets page, click Database Secrets. Select the target KMS instance from the Instance ID drop-down list, then choose Create Secret > Create Single Secret.
Configure the following parameters, then click OK.
| Parameter | Description |
|---|---|
| Database Type | Select ApsaraDB RDS Secrets. |
| Secret Name | Enter a name for the secret. |
| ApsaraDB RDS Instance | Select the ApsaraDB RDS instance you want to manage. |
| Account Management | Select an account management mode. See Choose an account management mode for guidance. The value cannot exceed 30,720 bytes (30 KB). |
| CMK | Select the symmetric key to encrypt the secret. The key must belong to the same KMS instance as the secret. If you are a RAM user or RAM role, you must have permission to call GenerateDataKey using this key. For supported key types, see Key types and specifications. |
| Tag | (Optional) Add tags to classify and manage the secret. Each tag is a key-value pair. Tag keys and values can each be up to 128 characters and may contain letters, digits, and the following characters: /, \, _, -, ., +, =, :, and @. Tag keys cannot start with aliyun or acs:. You can add up to 20 tags per secret. |
| Automatic Rotation | (Optional) Enable automatic rotation. |
| Rotation Period | (Required if automatic rotation is enabled) Set the rotation interval. Valid values: 6 hours to 365 days. |
| Description | (Optional) Enter a description for the secret. |
| Policy Settings | (Optional) Configure a secret policy. For details, see Overview. The default policy is applied automatically; you can modify it after creating the secret. |
Choose an account management mode
Select the mode based on your access pattern.
| Mode | Best for | Rotation behavior |
|---|---|---|
| Manage Dual Accounts (recommended) | Applications that require continuous database access. KMS manages two accounts with identical permissions and rotates them alternately, so connections are not interrupted during rotation. | No downtime during rotation |
| Manage Single Account | Privileged accounts or manual O&M access. The current secret version may be temporarily unavailable while rotation is in progress. | Brief unavailability during rotation |
Manage Dual Accounts
Create Account tab: Specify a username prefix, select a database, and specify permissions.
Note: KMS does not create the accounts immediately. Accounts are created after you review and confirm the secret information.
Import Existing Accounts tab: Select usernames and specify passwords.
Note: Specify the same passwords as those set when the ApsaraDB RDS instance was created. If a username and password do not match, the valid credentials are retrieved the first time the secret is rotated.
Manage Single Account
Create Account tab: Specify a username prefix and select an account type (Standard Account or Privileged Account). For Standard Account, also select a database and specify permissions.
Import Existing Accounts tab: Select a username and specify a password.
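The following added example (not code from DMS, KMS, or the Alibaba Cloud SDK) models the logon flow from "How it works" and the rotation behavior of the two account management modes: DMS fetches the ACSCurrent version at connection time, dual-account rotation changes the account that is not in the current version, and single-account rotation changes its only account before the new version is published. The in-memory KMS and RDS stand-ins, the secret value layout {"AccountName", "AccountPassword"}, and the representation of the in-progress rotation window are assumptions.

```python
# Added illustration of the DMS logon flow described above, using in-memory
# stand-ins for KMS and ApsaraDB RDS rather than the Alibaba Cloud SDK. The
# secret value layout {"AccountName", "AccountPassword"} is an assumption.
import json
import secrets

class RdsInstance:
    """Stand-in database: account name -> password currently accepted at logon."""
    def __init__(self, accounts):
        self.accounts = dict(accounts)
    def logon(self, user, password):
        return self.accounts.get(user) == password

class RdsSecret:
    """Stand-in KMS secret: versioned values plus the ACSCurrent stage label."""
    def __init__(self, rds, account_names, dual):
        self.rds, self.names, self.dual = rds, list(account_names), dual
        self.versions, self.current = {}, None
        self._publish(self.names[0], rds.accounts[self.names[0]])
    def _publish(self, user, password):
        vid = f"v{len(self.versions) + 1}"
        self.versions[vid] = json.dumps({"AccountName": user, "AccountPassword": password})
        self.current = vid  # ACSCurrent now labels the newest version
    def get_secret_value(self, version_stage="ACSCurrent"):
        # The model tracks only the ACSCurrent stage label, which is what DMS requests.
        return json.loads(self.versions[self.current])
    def rotate(self, probe):
        """Change the password in RDS, call probe() in the window before the new
        version is published, then move ACSCurrent. Returns probe's result."""
        current_user = self.get_secret_value()["AccountName"]
        # Dual mode rotates the account NOT in the current version; single mode
        # has only one account, so the published value is stale mid-rotation.
        user = next(n for n in self.names if n != current_user) if self.dual else self.names[0]
        new_password = secrets.token_urlsafe(16)
        self.rds.accounts[user] = new_password
        mid_rotation = probe()
        self._publish(user, new_password)
        return mid_rotation

def dms_logon(secret):
    """What DMS does at connection time: fetch ACSCurrent, then log on with it."""
    cred = secret.get_secret_value("ACSCurrent")
    return secret.rds.logon(cred["AccountName"], cred["AccountPassword"])

def simulate(dual):
    """Returns (logon OK during rotation, logon OK after rotation) for one mode."""
    rds = RdsInstance({"app_a": "pw-a0", "app_b": "pw-b0"} if dual else {"app": "pw0"})
    secret = RdsSecret(rds, list(rds.accounts), dual)
    during = secret.rotate(lambda: dms_logon(secret))
    return during, dms_logon(secret)
```

Running simulate(True) and simulate(False) shows why the page recommends dual accounts for continuous access: the single-account logon fails only inside the rotation window, and both modes recover once ACSCurrent moves to the new version.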
Step 2: Register the ApsaraDB RDS database with DMS
Log on to the DMS console V5.0.
Click the icon next to Database Instances in the left-side navigation pane. Note: Alternatively, choose in the top navigation bar. On the Instance List tab, click New.
On the Add Instance page, enter the ApsaraDB RDS instance details.
For Access mode, select Logon with KMS Secret. Configure the remaining parameters as described in Register an Alibaba Cloud database instance.

Usage notes
Before deleting an ApsaraDB RDS secret from KMS, confirm that DMS no longer uses it. For details, see Query the usage records of keys and secrets.
What's next
Change the access mode: Switch an existing ApsaraDB RDS database in DMS from password-based logon to KMS secret-based logon. See Modify database instances.
Manage databases: Create databases, create tables, and query or modify data using the SQL console. See Manage a database on the SQLConsole tab.
Run lock-free DML: Change large volumes of data without locking tables. See Perform lock-free DML operations.
Export data: Export table data from the database. See Export data.
Manage secret rotation: Configure or review rotation settings for your ApsaraDB RDS secret. See Manage and use ApsaraDB RDS secrets and Secret management overview.