Can we create a custom secret in secretmanager and use it as mastersecret in RDS

0

I want to have complete control on the secrets management, so i want to create a secret in secret manager and use its ARN as master secret for RDS . I did add the necessary details in the CFT but still RDS creates it own secret over the secret i have created.

Else can i output the secretArn created by RDS to be used by other services(I hope i can achieve the above before resorting to this)

    "rdsCluster": {
      "Type": "AWS::RDS::DBCluster",
      "Properties": {
        "MasterUsername": {
          "Ref": "dbUsername"
        },
        "DBClusterIdentifier": {
          "Fn::Sub": "${projectName}"
        },
        "Engine": "aurora-postgresql",
        "DatabaseName": {
          "Fn::Sub": "${databaseName}"
        },
        "DBSubnetGroupName": {
          "Fn::Sub": "${projectName}-subnetGroup"
        },
        "EnableCloudwatchLogsExports": [
          "<value>"
        ],
        "EnableIAMDatabaseAuthentication": "true",
        "ManageMasterUserPassword": true,
        "StorageEncrypted": true,
        "MasterUserSecret": {
          "SecretArn": {
            "Ref": "secretArn"
          }
        },
2 Answers
1

Hi,

Yes, you can do that: see https://docs.aws.amazon.com/secretsmanager/latest/userguide/create_database_secret.html

Example via CLI below

For Secrets Manager to be able to rotate the secret, you must make sure the JSON matches the JSON structure of a secret.

aws secretsmanager create-secret \
    --name MyTestSecret \
    --secret-string file://mycreds.json

Contents of mycreds.json:

{
    "engine": "mysql",
    "username": "saanvis",
    "password": "EXAMPLE-PASSWORD",
    "host": "my-database-endpoint.us-west-2.rds.amazonaws.com",
    "dbname": "myDatabase",
    "port": "3306"
}

Best,

Didier

profile pictureAWS
EXPERT
answered 24 days ago
profile pictureAWS
EXPERT
iBehr
reviewed 24 days ago
0

Hello,

To resolve the issue of RDS service creating its own username, password and instead use your own custom secret. Set the parameter ManageMasterUserPassword to false and then The MasterUserSecret property should be properly formatted to reference the secret ARN.

rdsCluster:
  Type: "AWS::RDS::DBCluster"
  Properties:
    MasterUsername: {
      "Ref": "dbUsername"
    }
    DBClusterIdentifier: {
      "Fn::Sub": "${projectName}"
    }
    Engine: "aurora-postgresql"
    DatabaseName: {
      "Fn::Sub": "${databaseName}"
    }
    DBSubnetGroupName: {
      "Fn::Sub": "${projectName}-subnetGroup"
    }
    EnableCloudwatchLogsExports:
      - "<value>"
    EnableIAMDatabaseAuthentication: true
    ManageMasterUserPassword: false # Set this to false
    StorageEncrypted: true
    MasterUserSecret:
      SecretArn: {
        "Ref": "secretArn"
      }
profile picture
answered 24 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions