Hello.
Then, what is the point of storing these DB credentials in Secrets Manager?
Password authentication is required between RDS and RDS Proxy, so SecretsManager authentication information cannot be deleted.
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-proxy-secrets-arns.html
What can I do to remove these credentials from my application code and fully utilise Secrets Manager with RDS Proxy?
If you do not want to use password authentication to authenticate from your application to RDS Proxy, you can use IAM authentication.
By using IAM authentication, there is no need to embed passwords in the application.
https://aws.amazon.com/jp/blogs/database/deploy-amazon-rds-proxy-for-sql-server-with-iam-authentication/
https://mbio.medium.com/aws-lambda-rds-proxy-iam-authentication-538987146239
Hi, Raku. Thanks a lot for your answer. So, the credentials in Secrets Manager are for the RDS Proxy --> DB instance connection. But the credentials in my application code are for my app --> RDS Proxy. Is that correct?
Yes, I think it's correct. I've done a little testing in the past. When connecting to RDS Proxy using credentials different from those registered in Secrets Manager, no login failure logs were output to the RDS instance logs. Therefore, it is presumed that these credentials are used for authentication between the RDS Proxy and the application.
Therefore, although it is not stated in the document, it is assumed that the authentication information registered in SecretsManager is used in the following situations.
Thanks again for your helpful answers. Now, I understand. Just 1 more question if you don't mind.
I saw somewhere that Secrets Manager can also be used so that I can remove DB credentials from my application code. My app can retrieve these credentials from Secrets Manager to connect to the DB. But, what is the best practice way to do this, Secrets Manager OR IAM authentication?
Whether you use Secrets Manager credentials or IAM authentication to connect to RDS Proxy from your application, there is no problem as long as you set the IAM policy appropriately. In other words, you cannot delete anything unless you have set an IAM policy that allows you to delete something. I think which one is better depends on how the application is made and the number of users accessing it. I'm not sure if it also applies to RDS Proxy, but IAM authentication for RDS instances cannot tolerate more than 200 connections. If this limitation is the same for RDS Proxy, I think it is not suitable to use IAM authentication if too many connections occur. If the connection is below this limit, IAM authentication is better, as it can be used without embedding a password in the application. https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.html#UsingWithRDS.IAMDBAuth.ConnectionsPerSecond
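The IAM authentication path recommended above, as an added example that is not from this thread or from AWS's own libraries: a standard-library Python reimplementation of the SigV4 presigning that boto3's `rds.generate_db_auth_token` performs, so you can see exactly what replaces the embedded password. The proxy endpoint, key pair and timestamp are constructed placeholders.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

# Constructed placeholder values so the example runs offline; no real AWS resources.
PROXY_ENDPOINT = "my-proxy.proxy-abcdefghijkl.us-east-1.rds.amazonaws.com"
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"                       # AWS docs example key id
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"   # AWS docs example secret
FIXED_TIME = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def generate_db_auth_token(host, port, db_user, region, access_key, secret_key,
                           session_token=None, now=None, expires=900):
    """Build an RDS IAM auth token: a SigV4-presigned rds-db:connect request
    (scheme stripped) that the DB driver sends in the password field. It expires
    after `expires` seconds (AWS uses 15 minutes), so no long-lived secret is embedded."""
    now = now or datetime.now(timezone.utc)
    amz_date, date_stamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    scope = f"{date_stamp}/{region}/rds-db/aws4_request"
    params = {
        "Action": "connect",
        "DBUser": db_user,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # temporary credentials, e.g. a Lambda execution role
        params["X-Amz-Security-Token"] = session_token
    canonical_qs = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                            for k, v in sorted(params.items()))
    canonical_request = "\n".join(["GET", "/", canonical_qs, f"host:{host}:{port}\n",
                                   "host", hashlib.sha256(b"").hexdigest()])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # SigV4 key derivation: the signing key is bound to date, region and service,
    # and the long-lived secret itself never appears in the token.
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_signing = _hmac_sha256(_hmac_sha256(_hmac_sha256(k_date, region), "rds-db"), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{host}:{port}/?{canonical_qs}&X-Amz-Signature={signature}"


def example_token(db_user="app_user", when=FIXED_TIME):
    # Token for the placeholder proxy; identical inputs always yield the same token.
    return generate_db_auth_token(PROXY_ENDPOINT, 3306, db_user, "us-east-1",
                                  ACCESS_KEY, SECRET_KEY, now=when)
```

In real code call boto3's `generate_db_auth_token` with the role's credentials and hand the result to the driver as the password over a TLS connection, regenerating it before the 15-minute expiry.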