Creating a secret for RDS in AWS Secrets Manager

A step-by-step guide to storing the credentials of an RDS database in AWS Secrets Manager and enabling automatic rotation

1. In the AWS Console search bar, enter Secrets Manager and click the Secrets Manager result under Services.

2. Click on Store a new secret

3. As the secret type, choose Credentials for Amazon RDS database.

4. Enter the database's current username and password in the credentials fields.

5. Choose the encryption key that Secrets Manager will use to encrypt the RDS credentials. Either keep the default AWS managed key (aws/secretsmanager, as in this case) or choose Add new key: the KMS console then opens, where you click Create a key and select a Symmetric key. If the secret is going to be shared with another account (step 8), a customer managed key is required, because the AWS managed key cannot be used across accounts.

6. Select the RDS database these credentials belong to and click Next.

7. Enter a secret name, here prod/webapp/auroradb, and optionally a description that identifies the secret. A hierarchical name like this lets IAM policies later grant access to a whole group of secrets by prefix (prod/webapp/*) instead of listing them one by one.

8. If the secret has to be read from another account, edit the resource permissions (the secret's resource policy) here; usually this step is not needed.

9. If required, the secret can be replicated to another region by clicking Replicate secret. Replicas are read-only copies of the primary secret and are charged as additional secrets. Select the destination region and the encryption key to use in that region.

Note that not all regions are supported at the moment.

10. Click Next to continue.

11. The next step is to enable automatic rotation and set the rotation schedule, i.e. the number of days between rotations. Depending on the security requirements this can be anywhere from 1 day up to 1 year (365 days).

12. In my case I had already created the rotation Lambda function, based on the AWS sample I downloaded from

https://github.com/aws-samples/aws-secrets-manager-rotation-lambdas/blob/master/SecretsManagerRDSMySQLRotationMultiUser/lambda_function.py

This is the multi-user (alternating users) strategy for MySQL: each rotation switches the secret between the application user and its clone user and sets a new password, so the username stored in the secret changes as well, not only the password. For other RDS engines and for the single-user strategy, refer to https://github.com/aws-samples/aws-secrets-manager-rotation-lambdas

So I selected Use a rotation function from your account, picked that function and clicked Save.

13. Once saved, the rotation configuration should show as Enabled with the chosen interval.

14. To view the stored values, click Retrieve secret value.

On the client side, code is needed to fetch the username and password from Secrets Manager before the database connection is opened; the console's Sample code section shows a snippet for each supported language. Pick the language you need and copy the snippet into the part of the application that establishes the connection.

For languages not listed there, such as .NET, the AWS SDK for .NET is distributed as NuGet packages and offers the same GetSecretValue call.
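The following Python module shows what that client-side code looks like once rotation is taken into account. It is an added example, not code from the original post or from the AWS samples: the secret name prod/webapp/auroradb is the one used above, the JSON keys are the ones Secrets Manager writes for the Credentials for Amazon RDS database type, and FakeSecretsManager, SAMPLE_VERSIONS and the connect callback in demo() are constructed stand-ins so the module runs offline (a real client created with boto3.session.Session().client("secretsmanager", region_name=...) drops in for the fake). The point the console snippet does not show is the effect of step 12: with the multi-user Lambda both the password and the username change at every rotation, so the application must re-read the secret and retry the login instead of caching the credentials at startup.

```python
"""Fetch RDS credentials from AWS Secrets Manager and connect, surviving rotation.
Added example, not code from the original post: SECRET_ID is the name used in the
post, the JSON layout is what Secrets Manager writes for "Credentials for Amazon RDS
database" secrets, and FakeSecretsManager / SAMPLE_VERSIONS / demo() are constructed
stand-ins so the module runs offline (a real boto3 client drops in for the fake)."""
import json
from dataclasses import dataclass
from typing import Any, Callable

SECRET_ID = "prod/webapp/auroradb"


@dataclass(frozen=True)
class DbCredentials:
    username: str
    password: str
    host: str
    port: int
    dbname: str
    engine: str


def parse_rds_secret(secret_string: str) -> DbCredentials:
    """Parse the SecretString JSON (username, password, engine, host, port, dbname,
    dbClusterIdentifier or dbInstanceIdentifier); refuse to proceed on missing keys."""
    data = json.loads(secret_string)
    missing = [k for k in ("username", "password", "host") if k not in data]
    if missing:
        raise ValueError(f"RDS secret is missing required keys: {missing}")
    return DbCredentials(
        username=data["username"],
        password=data["password"],
        host=data["host"],
        port=int(data.get("port", 3306)),  # MySQL / Aurora MySQL default
        dbname=data.get("dbname", ""),
        engine=data.get("engine", "mysql"),
    )


def fetch_credentials(client: Any, secret_id: str = SECRET_ID) -> DbCredentials:
    """Read the AWSCURRENT version via a boto3 Secrets Manager client, i.e.
    boto3.session.Session().client("secretsmanager", region_name=...), or any
    object exposing the same get_secret_value method."""
    resp = client.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")
    if "SecretString" not in resp:
        raise ValueError("RDS credentials are stored as SecretString, not SecretBinary")
    return parse_rds_secret(resp["SecretString"])


class AuthError(Exception):
    """Raised by the connect callback when the database rejects the login."""


def connect_with_refresh(client: Any, connect: Callable[[DbCredentials], Any],
                         secret_id: str = SECRET_ID) -> Any:
    """Connect with freshly fetched credentials; on a login failure re-read the secret
    once and retry. With rotation enabled the password changes on schedule, and the
    multi-user rotation function also alternates the username, so neither may be
    hard-coded or cached forever: re-reading both after an authentication failure is
    what keeps rotation invisible to the application."""
    creds = fetch_credentials(client, secret_id)
    try:
        return connect(creds)
    except AuthError:
        creds = fetch_credentials(client, secret_id)  # rotation may have finished meanwhile
        return connect(creds)


# Constructed sample: two successive AWSCURRENT versions as left by the multi-user
# rotation, which alternates between the application user and its _clone.
SAMPLE_VERSIONS = [
    '{"username": "webapp", "password": "old-pw", "engine": "mysql", "port": 3306, '
    '"host": "auroradb.cluster-example.rds.amazonaws.com", "dbname": "webapp"}',
    '{"username": "webapp_clone", "password": "new-pw", "engine": "mysql", "port": 3306, '
    '"host": "auroradb.cluster-example.rds.amazonaws.com", "dbname": "webapp"}',
]


class FakeSecretsManager:
    """Constructed stand-in for the boto3 client: each call serves the next stored
    version, simulating a rotation that completes between two reads."""
    def __init__(self, versions):
        self._versions = list(versions)
        self.calls = 0

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        self.calls += 1
        idx = min(self.calls, len(self._versions)) - 1
        return {"Name": SecretId, "VersionStages": [VersionStage],
                "SecretString": self._versions[idx]}


def demo():
    """Database stand-in that only accepts the rotated password; returns the
    connection description and how many times the secret had to be read."""
    client = FakeSecretsManager(SAMPLE_VERSIONS)

    def connect(creds: DbCredentials) -> str:
        if creds.password != "new-pw":
            raise AuthError("Access denied for user " + creds.username)
        return f"connected as {creds.username}@{creds.host}:{creds.port}/{creds.dbname}"

    return connect_with_refresh(client, connect), client.calls
```

Running demo() connects as webapp_clone after two reads of the secret: the first login fails because the cached version still carries the old password, the refresh picks up the rotated username and password, and the retry succeeds. In production, reading the secret on every connection is wasteful; the aws-secretsmanager-caching library keeps an in-memory copy with a TTL and the same refresh-on-failure pattern still applies on top of it. The application's IAM role needs only secretsmanager:GetSecretValue on this secret's ARN, plus kms:Decrypt on the key if a customer managed key was chosen in step 5.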
