All Products
Search

This Product

    Key Management Service:Manage and use ApsaraDB RDS secrets

    Document Center

    Key Management Service:Manage and use ApsaraDB RDS secrets

    Last Updated:Jun 27, 2024

    You can manage the account of an ApsaraDB RDS database in an ApsaraDB RDS secret of Key Management Service (KMS). In this case, if you integrate Alibaba Cloud SDK, KMS Instance SDK, or a secret SDK into your application, your application can dynamically retrieve the secret from KMS to log on to the ApsaraDB RDS database. You can configure secret rotation to reduce the risks of account leaks. This topic describes how to manage and use ApsaraDB RDS secrets.

    Feature description

    If you use ApsaraDB RDS secrets, you do not need to configure static database accounts in applications. After you create an ApsaraDB RDS secret for an account of an ApsaraDB RDS database in KMS, applications can call the GetSecretValue operation to retrieve the secret to access the database.

    Important

    If you manage ApsaraDB RDS accounts in KMS, do not modify or delete the accounts in ApsaraDB RDS. Otherwise, service failures may occur.

    image

    Rotate an ApsaraDB RDS secret

    When KMS rotates an ApsaraDB RDS secret, the password of the associated ApsaraDB RDS account is changed. The username of the account remains unchanged. In most cases, the rotation of an ApsaraDB RDS secret is immediately complete. If the rotation is not complete after more than 2 minutes, check whether the associated ApsaraDB RDS instance and the associated ApsaraDB RDS account are normal.

    Important

    When an ApsaraDB RDS secret is being rotated, do not delete the ApsaraDB RDS instance and ApsaraDB RDS account that are associated with the ApsaraDB RDS secret. Otherwise, rotation failure occurs.

    When you use KMS to manage ApsaraDB RDS secrets, you can use the single-account mode and the dual-account mode to manage the secrets. The rotation policies are different.

    • Single-account mode

      Rotation involves generating a new password for the account in a secret. When the password is switched, the current version of the secret may be temporarily unavailable. We recommend that you configure retry policies.

    • Dual-account mode

      During the second rotation, the password of the first account is changed. KMS alternately changes the passwords of the two accounts each time the secret is rotated. The following figure shows the details.

      image

    Limits

    KMS supports the following types of ApsaraDB RDS instances: ApsaraDB RDS for MySQL, ApsaraDB RDS for MariaDB, ApsaraDB RDS for SQL Server, and ApsaraDB RDS for PostgreSQL. KMS does not support ApsaraDB RDS for SQL Server instances that run SQL Server 2017 EE.

    Prerequisites

    Step 1: Create an ApsaraDB RDS secret

    When you create a secret, you can configure automatic rotation for the secret. This helps reduce the risk of secret leaks.

    1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Secrets.

    2. Click the Database Secrets tab, select the ID of the KMS instance from the Instance ID drop-down list, choose Create Secret > Create Single Secret. In the panel that appears, configure the parameters and click OK.

      Note

      • You cannot create multiple ApsaraDB RDS secrets at a time.

      • When you create an ApsaraDB RDS secret, the system automatically creates the AliyunServiceRoleForKMSSecretsManagerForRDS service-linked role and attaches the AliyunServiceRolePolicyForKMSSecretsManagerForRDS policy to the role. KMS assumes the role to manage ApsaraDB RDS secrets. For example, KMS can rotate the passwords of ApsaraDB RDS accounts.

        You can log on to the RAM console to view the details of service-linked roles and policies. For more information, see View the information about a RAM role and View the basic information about a policy.

      Parameter

      Description

      Database Type

      The type of the database secret. Select ApsaraDB RDS Secrets.

      Secret Name

      The name of the secret.

      ApsaraDB RDS Instance

      The ApsaraDB RDS instance that you want to manage. Select an existing ApsaraDB RDS instance within your Alibaba Cloud account.

      Account Management

      The value cannot exceed 30,720 bytes in length, which is equivalent to 30 KB in size.

      • Manage Dual Accounts (recommended): This mode applies to the scenarios in which the secret is used by applications to access the ApsaraDB RDS instance. In this mode, KMS manages two accounts that have identical permissions. This mode ensures that the connections between applications and the ApsaraDB RDS instance are not interrupted when the secret is rotated.

        • Click the Create Account tab, specify a username prefix, select a database, and then specify permissions.

          Note

          KMS does not immediately create the accounts. KMS creates the accounts after you review and confirm the secret information.

        • Click the Import Existing Accounts tab, select usernames, and then specify passwords for the usernames.

          Note

          We recommend that you specify the same passwords as the passwords that you specified for the accounts when you created the ApsaraDB RDS instance. If the imported username and the password do not match, you can retrieve the valid username and password after the initial rotation of the secret.

      • Manage Single Account: This mode applies to the scenarios in which a privileged account or a manual O&M account is managed. In this mode, the current version of the secret may be temporarily unavailable when the secret is rotated.

        • Click the Create Account tab, specify a username prefix, and then select an account type.

          You can select Standard Account or Privileged Account for the Account Type parameter. If you select Standard Account, you must select a database and specify the permissions of the account.

        • Click the Import Existing Accounts tab, select a username, and then specify a password for the username.

      CMK

      The key that is used to encrypt the secret.

      Important

      • Your key and secret must belong to the same KMS instance. The key must be a symmetric key. For more information about the symmetric keys supported by KMS, see Key types and specifications.

      • If you are a RAM user or a RAM role, you must have the permissions to call the GenerateDataKey operation by using a key.

      Tag

      The tag that you want to add to the secret. You can use tags to classify and manage secrets. A tag consists of a key-value pair.

      Note

      • A tag key or a tag value can be up to 128 characters in length and can contain letters, digits, forward slashes (/), backslashes (\), underscores (_), hyphens (-), periods (.), plus signs (+), equal sign (=), colons (:), and at signs (@).

      • A tag key cannot start with aliyun or acs:.

      • You can configure up to 20 key-value pairs for each secret.

      Automatic Rotation

      Specifies whether to enable automatic secret rotation.

      Rotation Period

      The period of automatic secret rotation. This setting is required only when you select Enable Automatic Rotation. The value ranges from 6 hours to 365 days.

      KMS periodically updates the secret based on the value of the parameter.

      Description

      The description of the secret.

      Policy Settings

      The policy settings of the secret. For more information about policies, see Overview.

      • Default Policy: If the secret is used by the current Alibaba Cloud account or the Alibaba Cloud account in a resource share, select Default Policy.

        • If the KMS instance is not shared with other accounts, only the current Alibaba Cloud account can manage and use the secret.

        • If the KMS instance is shared with other accounts, the supported operations vary. For example, an instance named KMS Instance A is shared with Alibaba Cloud Account 2 by using Alibaba Cloud Account 1.

          • Secrets created by Alibaba Cloud Account 1: Only Alibaba Cloud Account 1 can manage and use the secrets.

          • Secrets created by Alibaba Cloud Account 2: Both Alibaba Cloud Account 1 and Alibaba Cloud Account 2 can manage and use the secrets.

      • Custom Policy: If you want to grant permissions to a Resource Access Management (RAM) user, a RAM role, or other accounts to use the secret, select Custom Policy.

        Important

        • Administrators and users do not consume Access Management Quota. Cross-account users consume Access Management Quota of the KMS instance. The consumed quota is calculated based on the number of Alibaba Cloud accounts. If you revoke the permissions, wait approximately 5 minutes and then query the quota. The consumed quota is restored.

        • When you use a secret, you must have the permissions to use the required key to decrypt the secret.

        • An administrator can manage the secret but cannot retrieve the secret. You can select RAM users and RAM roles within the current Alibaba Cloud account.

          Permissions supported by administrators

          {
	"Statement": [
		{
			"Action": [
				"kms:List*",
				"kms:Describe*",
				"kms:PutSecretValue",
				"kms:Update*",
				"kms:DeleteSecret",
				"kms:RestoreSecret",
				"kms:RotateSecret",
				"kms:TagResource",    
				"kms:UntagResource" 
			]
		}
	]
}

        • A user can retrieve the secret. You can select RAM users and RAM roles within the current Alibaba Cloud account.

          Permissions supported by users

          {
    "Statement": [
        {
            "Action": [
                "kms:List*",
								"kms:Describe*",
								"kms:GetSecretValue",
            ]
        }
    ]
}

        • A cross-account user can retrieve the secret. A cross-account user can be a RAM user or RAM role of other Alibaba Cloud accounts.

          • RAM user: The name of the RAM user is in the acs:ram::<userId>:user/<ramuser> format. Example: acs:ram::119285303511****:user/testpolicyuser.

          • RAM role: The name of a RAM role is in the acs:ram::<userId>:role/<ramrole> format. Example: acs:ram::119285303511****:role/testpolicyrole.

          Note

          After you grant permissions to a RAM user or a RAM role, you must use the Alibaba Cloud account of the RAM user or the RAM role to grant the RAM user or the RAM role permissions to use the secret in RAM. Then, the RAM user or the RAM role can use the secret.

          For more information, see Use RAM to manage access to KMS resources, Grant permissions to a RAM user, and Grant permissions to a RAM role.

          Permissions supported by cross-account users

          {
    "Statement": [
        {
            "Action": [
                "kms:List*",
								"kms:Describe*",
								"kms:GetSecretValue",
            ]
        }
    ]
}

    Step 2: Integrate an ApsaraDB RDS secret into an application

    KMS provides Alibaba Cloud SDK, KMS Instance SDK, the secret client, and the secret JDBC client to retrieve secrets. Your application can use the SDKs to integrate ApsaraDB RDS secrets. The secret JDBC client encapsulates business logic, best practices, and design patterns. Your application can use an ApsaraDB RDS secret that is managed in KMS to implement identity authentication to access the associated database by using JDBC API. For more information about SDKs, see SDK references.

    If your application is developed in Java, we recommend that you use the secret JDBC client. For more information, see Secret JDBC client. If your application is developed in Python or Go, we recommend that you use the secret client. For more information, see Secret client. If your application is developed in other programming languages, we recommend that you use KMS Instance SDKs or Alibaba Cloud SDK.

    Note

    If you want to use SDKs to perform management operations, such as creating ApsaraDB RDS secrets and modifying tags of ApsaraDB RDS secrets, you can use only Alibaba Cloud SDK.

    What to do next

    Rotate an ApsaraDB RDS secret

    Important

    • When an ApsaraDB RDS secret is being rotated, KMS sends a requeset to ApsaraDB RDS to change the password of the associated ApsaraDB RDS account. Before you rotate an ApsaraDB RDS secret, make sure that all your applications retrieve the ApsaraDB RDS secret from KMS. This helps prevent application unavailability.

    • If you delete the instance or account in ApsaraDB RDS that is associated with an ApsaraDB RDS secret, KMS cannot rotate the secret. We recommend that you perform an account check before the rotation and perform the rotation after KMS prompts that the check is successful.

    You can configure automatic rotation for a secret to reduce the risk of secret leaks. If a secret is leaked, you can immediately rotate the secret in the KMS console to eliminate intrusion risks.

    1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Secrets.

    2. Click the Database Secrets tab, select the ID of the KMS instance from the Instance ID drop-down list, find the secret that you want to rotate, and then click Details in the Actions column.

    3. In the Versions tab, click Configure Rotation. After the check is complete, view the check result.

      • Automatic Rotation: If you turn on Automatic Rotation, you must select a rotation period. The value ranges from 6 hours to 365 days.

      • Rotation Now: If you select this option, KMS immediately rotates the secret.

    Perform an account check

    KMS checks whether an account that is protected by a secret belongs to the associated ApsaraDB RDS instance. If yes, the secret can be rotated. If no, you must delete the secret and create another ApsaraDB RDS secret.

    1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Secrets.

    2. Click the Database Secrets tab, select the ID of the KMS instance from the Instance ID drop-down list, find the secret that you want to manage, and then click Details in the Actions column.

    3. In the Versions tab, click Check Account. After the check is complete, view the check result.

    Delete an ApsaraDB RDS secret

    Warning

    Before you delete an ApsaraDB RDS secret, make sure that the ApsaraDB RDS secret is no longer in use. If you delete an ApsaraDB RDS secret that is in use, service failures may occur.

    You can immediately delete an ApsaraDB RDS secret or create a scheduled task to delete an ApsaraDB RDS secret. If you delete an ApsaraDB RDS secret, the ApsaraDB RDS secret is deleted only from KMS. The username and password of the secret are not deleted in ApsaraDB RDS.

    1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Secrets.

    2. Click the Database Secrets tab, select the ID of the KMS instance from the Instance ID drop-down list, find the secret that you want to delete, and then click Schedule Deletion in the Actions column.

    3. In the Schedule Deletion dialog box, select a method to delete the secret and click OK.

      • If you select Schedule Deletion, configure Retention Period (7 to 30 Days). When the scheduled deletion period ends, KMS deletes the secret.

      • If you select Delete Immediately, the system immediately deletes the secret.

      During the scheduled deletion period, you can click Restore Secret in the Actions column to cancel the deletion.

    Add tags to secrets

    You can use tags to classify and manage secrets. A tag consists of a key-value pair.

    Note

    • A tag key or a tag value can be up to 128 characters in length and can contain letters, digits, forward slashes (/), backslashes (\), underscores (_), hyphens (-), periods (.), plus signs (+), equal sign (=), colons (:), and at signs (@).

    • A tag key cannot start with aliyun or acs:.

    • You can configure up to 20 key-value pairs for each secret.

    Add tags for a secret

    Solution

    Description

    Method 1: Add tags on the Secrets page

    1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Secrets.

    2. Click a tab based on the type of your secret, select the required instance ID from the Instance ID drop-down list, find the desired secret, and then click the image.png icon in the Tag column.

    3. Click Add. In the Edit Tag dialog box, enter multiple Tag Key and Tag Value, and click OK. In the message that appears, click Close.

      In the Edit Tag dialog box, you can modify the tag values and remove multiple tags at a time.

    Method 2: Add tags on the Secret Details page

    1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Secrets.

    2. Click a tab based on the type of your secret. Select the required instance ID from the Instance ID drop-down list, find the desired secret, and then click Details in the Actions column.

    3. On the Secret Details page, click the image.png icon next to Tag.

    4. In the Edit Tag dialog box, enter multiple Tag Key and Tag Value and click OK. In the message that appears, click Close.

      In the Edit Tag dialog box, you can modify the tag values and remove multiple tags at a time.

    Configure tags for multiple secrets at a time

    1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Secrets.

    2. Click a tab based on the type of your secret, select the required instance ID from the Instance ID drop-down list, and then select the desired secrets from the secret list.

      • Add tags: In the lower part of the secret list, click Add Tag. In the Add Tag dialog box, enter multiple Tag Key and Tag Value, and click OK. In the message that appears, click Close.

      • Remove tags: In the lower part of the secret list, click Remove Tag. In the Batch Remove dialog box, select the tags that you want to remove and click Remove. In the message that appears, click Close.

    FAQ