Why is option "Manage credentials in AWS Secrets Manager" disabled when modifying RDS instance?


Hello,

When modifying an existing RDS instance via the Console, the Manage credentials in AWS Secrets Manager option is disabled. I have verified the permissions for the user with the policy simulator tool according to this documentation.

Any information as to why this option might be unavailable when modifying an RDS instance would be greatly appreciated and thanks in advance!

1 Answer

The "Manage credentials in AWS Secrets Manager" option is likely disabled when modifying an existing RDS instance due to certain limitations and restrictions in the integration between RDS and Secrets Manager.

This feature is primarily designed to be enabled when creating new RDS instances or restoring from snapshots. For existing instances, the integration is not supported as a modification option. This is because managing credentials in Secrets Manager involves generating a new master user password, which could potentially disrupt existing connections and applications using the current credentials.

Additionally, there are specific scenarios where managing credentials with Secrets Manager is not supported, such as:

  1. Amazon RDS Blue/Green Deployments
  2. DB clusters that are part of an Aurora global database
  3. Aurora Serverless v1 DB clusters
  4. Aurora read replicas

If your RDS instance falls into any of these categories, the option will be disabled.

It's important to note that while you can't enable this feature for existing instances through modification, you can still manually create and manage secrets for your RDS instances in AWS Secrets Manager. This allows you to store and rotate credentials securely, even if the automatic integration is not available for existing instances.

If you need to enable Secrets Manager integration for an existing RDS instance, you may need to consider creating a new instance with the feature enabled and then migrating your data to the new instance.
Sources:
  • Password management with Amazon Aurora and AWS Secrets Manager - Amazon Aurora
  • Password management with Amazon RDS and AWS Secrets Manager - Amazon Relational Database Service

answered 5 days ago
  • Thanks for this detailed response, Gary! I should have included in my original post that I was able to complete the same modification with a separate instance. Additionally, within the documentation the instructions do specify: "creating or modifying a DB instance with the RDS console", so I do believe that the feature is supported for this use case. The instance also doesn't meet any of the criteria that you listed which would restrict the integration.
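Added example (not from the question, the answer, or AWS's own tooling): a pre-flight check that evaluates the unsupported scenarios listed in the answer against `describe-db-instances`, `describe-db-clusters` and `describe-global-clusters` output, so you can see before opening the console whether the option is expected to be greyed out or whether the master password is already Secrets Manager-managed. The field names are the real RDS API ones; the records below are constructed with placeholder account ids and ARNs. Blue/Green deployments are reported by `describe-blue-green-deployments` and are not inspected here.

```python
# Input dicts are shaped like the AWS CLI / boto3 describe-db-instances,
# describe-db-clusters and describe-global-clusters responses.  Samples are
# constructed; Blue/Green deployments are deliberately not checked here.

def check_managed_password_eligibility(instance, clusters=(), global_clusters=()):
    """Return {'already_managed': bool, 'blockers': [str]} for one DBInstance."""
    blockers = []
    # MasterUserSecret (with a SecretArn) is present only when RDS already
    # manages the master password in Secrets Manager.
    secret = instance.get("MasterUserSecret") or {}
    already_managed = bool(secret.get("SecretArn"))

    source = instance.get("ReadReplicaSourceDBInstanceIdentifier")
    if source:
        blockers.append("read replica of %s" % source)

    cluster_id = instance.get("DBClusterIdentifier")
    cluster = next((c for c in clusters if c.get("DBClusterIdentifier") == cluster_id), None)
    if cluster:
        if cluster.get("EngineMode") == "serverless":
            blockers.append("Aurora Serverless v1 cluster %s" % cluster_id)
        # A cluster replicating from another cluster is an Aurora replica cluster.
        if cluster.get("ReplicationSourceIdentifier"):
            blockers.append("Aurora replica cluster of %s" % cluster["ReplicationSourceIdentifier"])
        arn = cluster.get("DBClusterArn")
        for g in global_clusters:
            if any(m.get("DBClusterArn") == arn for m in g.get("GlobalClusterMembers", [])):
                blockers.append("member of Aurora global database %s" % g.get("GlobalClusterIdentifier"))
    return {"already_managed": already_managed, "blockers": blockers}


# Constructed samples (placeholder account id 111122223333 and placeholder ARNs).
STANDALONE = {"DBInstanceIdentifier": "orders-db", "Engine": "postgres"}
REPLICA = {"DBInstanceIdentifier": "orders-db-ro", "Engine": "postgres",
           "ReadReplicaSourceDBInstanceIdentifier": "orders-db"}
MANAGED = {"DBInstanceIdentifier": "billing-db", "Engine": "mysql",
           "MasterUserSecret": {"SecretArn": "arn:aws:secretsmanager:us-east-1:111122223333:secret:rds!db-PLACEHOLDER",
                                "SecretStatus": "active"}}
AURORA_READER = {"DBInstanceIdentifier": "global-reader-1", "Engine": "aurora-postgresql",
                 "DBClusterIdentifier": "global-secondary"}
CLUSTERS = [{"DBClusterIdentifier": "global-secondary", "EngineMode": "provisioned",
             "DBClusterArn": "arn:aws:rds:eu-west-1:111122223333:cluster:global-secondary"}]
GLOBAL_CLUSTERS = [{"GlobalClusterIdentifier": "global-orders",
                    "GlobalClusterMembers": [{"DBClusterArn": CLUSTERS[0]["DBClusterArn"], "IsWriter": False}]}]

if __name__ == "__main__":
    for inst in (STANDALONE, REPLICA, MANAGED, AURORA_READER):
        print(inst["DBInstanceIdentifier"], check_managed_password_eligibility(inst, CLUSTERS, GLOBAL_CLUSTERS))
```

Feed it real output from `aws rds describe-db-instances` and friends; an empty `blockers` list with `already_managed` false means none of the listed restrictions explains a disabled option, which is exactly the situation the original poster describes.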
