Best practice of secrets rotation on multi region database

0

Customer uses Aurora global table in multiple regions and their configuration is Active-Active. They use Aurora global table. Customer wants to rotate their secrets for Aurora and wants to know best practices for how to implement that. Their application also sits in two regions; the app connects to the database instance which is in the same region when both regions are alive. There is a blog post which explains how to set up Secrets Manager for Active-Standby configuration. But my customer wants to implement ACTIVE-ACTIVE configuration.
Are there any best practices and tips for using Secrets Manager with ACTIVE-ACTIVE database configuration?

1 Answer
0
Accepted Answer

Quick clarification... When you say "Active-Active", Aurora doesn't support active writer nodes in multiple regions at the same time with its "Global Database" feature. There can be only one writer node in the primary region, although secondary regions can all have many active reader nodes.

With respect to secrets, Secrets Manager now supports multi-region secrets natively. See the docs here. Like Aurora, there is a primary region for the secrets, which are then replicated to the secondary regions. This is now the preferred approach and architecturally similar to Aurora's.

AWS
Answered 3 years ago
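The primary-plus-replica layout described in the answer above, as an added example that is not part of the original post or AWS's own code: it checks that every region the application runs in holds the primary secret or an in-sync replica, and reads the credentials from the caller's own region. The secret name, region list and sample response are constructed; `client_factory` is a hypothetical injection point, and the field names follow the Secrets Manager `DescribeSecret` and `GetSecretValue` responses.

```python
import json

# Constructed sample of a DescribeSecret response for a multi-region secret.
SAMPLE_DESCRIBE = {
    "Name": "prod/aurora/app",  # hypothetical secret name
    "PrimaryRegion": "us-east-1",
    "ReplicationStatus": [
        {"Region": "us-west-2", "Status": "InSync"},
        {"Region": "ap-northeast-1", "Status": "Failed",
         "StatusMessage": "constructed failure message"},
    ],
}

def replica_health(describe_response, app_regions):
    """Map each application region to Primary, a replica status, or Missing."""
    primary = describe_response.get("PrimaryRegion")
    replicas = {r["Region"]: r.get("Status", "Unknown")
                for r in describe_response.get("ReplicationStatus", [])}
    return {region: "Primary" if region == primary
            else replicas.get(region, "Missing")
            for region in app_regions}

def regions_not_ready(health):
    """Regions where a local application would not find a usable secret."""
    return sorted(r for r, s in health.items() if s not in ("Primary", "InSync"))

def local_db_credentials(secret_name, region, client_factory=None):
    """Read the secret from the caller's own region (primary or replica).

    Rotation is configured on the primary secret only; replicas receive the
    new value through replication, so callers never write to a replica.
    """
    if client_factory is None:
        import boto3  # imported lazily so the health check runs without AWS access

        def client_factory(r):
            return boto3.client("secretsmanager", region_name=r)
    resp = client_factory(region).get_secret_value(SecretId=secret_name)
    return json.loads(resp["SecretString"]), resp["VersionId"]

if __name__ == "__main__":
    regions = ["us-east-1", "us-west-2", "ap-northeast-1"]
    health = replica_health(SAMPLE_DESCRIBE, regions)
    print(health, regions_not_ready(health))
```

Running the health check after each rotation, and alerting on any region it reports as not ready, catches a replica that is still serving the previous credentials.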
