Database credentials with RDS Proxy and Secrets Manager

Hi everyone,

I would like to use RDS Proxy. As far as I know, I have to add database username and password in Secrets Manager, which later will be used by RDS Proxy to connect to my RDS instance. I also have to keep the same DB username and password in my application code (e.g. application.properties in Spring Boot) so that my application can interact with the database. Then, what is the point of storing these DB credentials in Secrets Manager? What can I do to remove these credentials from my application code and fully utilise Secrets Manager with RDS Proxy?

OR am I missing something?

Thanks in advance.

1 Answer
Accepted Answer

Hello.

Then, what is the point of storing these DB credentials in Secrets Manager?

Password authentication is required between RDS and RDS Proxy, so the Secrets Manager authentication information cannot be deleted.
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-proxy-secrets-arns.html

What can I do to remove these credentials from my application code and fully utilise Secrets Manager with RDS Proxy?

If you do not want to use password authentication to authenticate from your application to RDS Proxy, you can use IAM authentication.
By using IAM authentication, there is no need to embed passwords in the application.
https://aws.amazon.com/jp/blogs/database/deploy-amazon-rds-proxy-for-sql-server-with-iam-authentication/
https://mbio.medium.com/aws-lambda-rds-proxy-iam-authentication-538987146239

answered 2 months ago (EXPERT)
reviewed 2 months ago (EXPERT)
reviewed 2 months ago by Sandeep (EXPERT)
  • Hi, Raku. Thanks a lot for your answer. So, the credentials in Secrets Manager are for the RDS Proxy --> DB instance connection, but the credentials in my application code are for my app --> RDS Proxy. Is that correct?

  • But the credentials in my application code are for my app --> RDS Proxy. Is that correct?

    Yes, I think it's correct. I've done a little testing in the past. When connecting to RDS Proxy using credentials different from those registered in Secrets Manager, no login failure logs were output to the RDS instance logs. Therefore, it is presumed that these credentials are used for authentication between the RDS Proxy and the application.

  • Therefore, although it is not stated in the document, it is assumed that the authentication information registered in Secrets Manager is used in the following situations.

    • Referenced by RDS Proxy when authenticating application connection requests
    • Referenced by RDS Proxy when opening a connection with RDS
  • Thanks again for your helpful answers. Now, I understand. Just 1 more question if you don't mind.

    I saw somewhere that Secrets Manager can also be used so that I can remove DB credentials from my application code. My app can retrieve these credentials from Secrets Manager to connect to the DB. But, what is the best practice way to do this, Secrets Manager OR IAM authentication?

  • Whether you use Secrets Manager credentials or IAM authentication to connect to RDS Proxy from your application, there is no problem as long as you set the IAM policy appropriately. In other words, you cannot delete anything unless you have set an IAM policy that allows you to delete something. I think which one is better depends on how the application is made and the number of users accessing it. I'm not sure if it also applies to RDS Proxy, but IAM authentication for RDS instances cannot tolerate more than 200 connections. If this limitation is the same for RDS Proxy, I think it is not suitable to use IAM authentication if too many connections occur. If the connection is below this limit, IAM authentication is better, as it can be used without embedding a password in the application. https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.html#UsingWithRDS.IAMDBAuth.ConnectionsPerSecond

    Use IAM database authentication when your application requires fewer than 200 new IAM database authentication connections per second.
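The IAM authentication path the answer recommends, as an added example that is not part of this thread or of AWS's own code. An IAM database authentication token is a SigV4 presigned request for the `rds-db` service with the `https://` prefix removed; it is valid for 15 minutes and the application sends it in place of the password when it opens a TLS connection to the proxy endpoint. The proxy then opens its own backend connection with the password held in Secrets Manager, which is why that secret stays even though the application no longer stores one. The block below rebuilds that token with only the standard library so it runs offline (in a real application you would call boto3's `rds.generate_db_auth_token()` or the equivalent helper in the Java SDK, which perform the same construction), and shows the two other things that change: the connection settings handed to the driver, and the `rds-db:connect` policy on the application's role, whose resource names the proxy ID (`prx-...`) rather than the DB instance. The endpoint, DB user, region, key pair, account ID and proxy ID are constructed placeholders.

```python
"""Added example: what an RDS Proxy IAM auth token is and what the app needs.

Not code from the re:Post thread or from AWS.  Hostnames, keys, account
and proxy IDs are constructed placeholders.
"""
import datetime as dt
import hashlib
import hmac
from typing import Optional
from urllib.parse import quote

TOKEN_TTL_SECONDS = 900  # RDS IAM auth tokens are accepted for 15 minutes
SERVICE = "rds-db"       # signing scope used for IAM database authentication


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def generate_db_auth_token(hostname: str, port: int, username: str, region: str,
                           access_key: str, secret_key: str,
                           session_token: Optional[str] = None,
                           now: Optional[dt.datetime] = None) -> str:
    """Build the SigV4 presigned 'connect' request that serves as the password.

    Equivalent to boto3's rds.generate_db_auth_token(); `now` is injectable
    so the result is reproducible in tests.
    """
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    datestamp = now.strftime("%Y%m%d")
    host = f"{hostname}:{port}"          # sign the proxy endpoint, not the instance
    scope = f"{datestamp}/{region}/{SERVICE}/aws4_request"

    params = {
        "Action": "connect",
        "DBUser": username,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(TOKEN_TTL_SECONDS),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # temporary credentials (e.g. an assumed role) carry their token
        params["X-Amz-Security-Token"] = session_token

    # Canonical query string: keys sorted, RFC 3986 encoding with AWS's safe set.
    canonical_qs = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(params.items())
    )
    canonical_request = "\n".join([
        "GET",
        "/",
        canonical_qs,
        f"host:{host}\n",                 # canonical headers block (one header)
        "host",                           # signed headers
        hashlib.sha256(b"").hexdigest(),  # empty payload
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signing_key = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), datestamp)
    for part in (region, SERVICE, "aws4_request"):
        signing_key = _hmac_sha256(signing_key, part)
    signature = hmac.new(signing_key, string_to_sign.encode("utf-8"),
                         hashlib.sha256).hexdigest()
    # The token is the presigned URL without its scheme.
    return f"{host}/?{canonical_qs}&X-Amz-Signature={signature}"


def proxy_connection_settings(proxy_endpoint: str, port: int, username: str,
                              region: str, access_key: str, secret_key: str,
                              session_token: Optional[str] = None,
                              now: Optional[dt.datetime] = None) -> dict:
    """Driver settings for the IAM path: no stored password, TLS mandatory."""
    return {
        "host": proxy_endpoint,
        "port": port,
        "user": username,
        "password": generate_db_auth_token(proxy_endpoint, port, username, region,
                                           access_key, secret_key, session_token, now),
        "sslmode": "require",  # the proxy only accepts IAM tokens over TLS
    }


def rds_db_connect_policy(region: str, account_id: str, proxy_id: str,
                          username: str) -> dict:
    """Least-privilege policy for the app role: one DB user on one proxy."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "rds-db:connect",
            "Resource": f"arn:aws:rds-db:{region}:{account_id}:dbuser:{proxy_id}/{username}",
        }],
    }


if __name__ == "__main__":
    settings = proxy_connection_settings("proxy.example.test", 5432, "app_user",
                                         "us-east-1", "AKIAEXAMPLE", "secretexample")
    print(settings["password"][:80] + "...")
    print(rds_db_connect_policy("us-east-1", "123456789012",
                                "prx-0123456789abcdef0", "app_user"))
```

Two practical notes: the DB user named in `DBUser` must be one of the users whose password is registered in the proxy's Secrets Manager secret (the proxy needs it for the backend connection), and because the token expires after 15 minutes it must be regenerated for each new connection rather than cached in the pool's configuration; the generation itself is local signing, so it makes no API call.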
