By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Can we create a custom secret in secretmanager and use it as mastersecret in RDS

0

I want to have complete control on the secrets management, so i want to create a secret in secret manager and use its ARN as master secret for RDS . I did add the necessary details in the CFT but still RDS creates it own secret over the secret i have created.

Else can i output the secretArn created by RDS to be used by other services(I hope i can achieve the above before resorting to this)

    "rdsCluster": {
      "Type": "AWS::RDS::DBCluster",
      "Properties": {
        "MasterUsername": {
          "Ref": "dbUsername"
        },
        "DBClusterIdentifier": {
          "Fn::Sub": "${projectName}"
        },
        "Engine": "aurora-postgresql",
        "DatabaseName": {
          "Fn::Sub": "${databaseName}"
        },
        "DBSubnetGroupName": {
          "Fn::Sub": "${projectName}-subnetGroup"
        },
        "EnableCloudwatchLogsExports": [
          "<value>"
        ],
        "EnableIAMDatabaseAuthentication": "true",
        "ManageMasterUserPassword": true,
        "StorageEncrypted": true,
        "MasterUserSecret": {
          "SecretArn": {
            "Ref": "secretArn"
          }
        },
Topics
ServerlessComputeMigration & ModernizationAnalyticsDatabaseSecurity, Identity, & Compliance
Tags
AWS LambdaAmazon Relational Database ServiceDatabaseAWS Secrets ManagerIAM Policies
Language
English
Jai Shankar K S
asked 10 months ago750 views
2 Answers
1

Hi,

Yes, you can do that: see https://docs.aws.amazon.com/secretsmanager/latest/userguide/create_database_secret.html

Example via CLI below

For Secrets Manager to be able to rotate the secret, you must make sure the JSON matches the JSON structure of a secret.

aws secretsmanager create-secret \
    --name MyTestSecret \
    --secret-string file://mycreds.json

Contents of mycreds.json:

{
    "engine": "mysql",
    "username": "saanvis",
    "password": "EXAMPLE-PASSWORD",
    "host": "my-database-endpoint.us-west-2.rds.amazonaws.com",
    "dbname": "myDatabase",
    "port": "3306"
}

Best,

Didier

profile pictureAWS
EXPERT
Didier_Durand
answered 10 months ago
profile pictureAWS
EXPERT
iBehr
reviewed 10 months ago
0

Hello,

To resolve the issue of RDS service creating its own username, password and instead use your own custom secret. Set the parameter ManageMasterUserPassword to false and then The MasterUserSecret property should be properly formatted to reference the secret ARN.

rdsCluster:
  Type: "AWS::RDS::DBCluster"
  Properties:
    MasterUsername: {
      "Ref": "dbUsername"
    }
    DBClusterIdentifier: {
      "Fn::Sub": "${projectName}"
    }
    Engine: "aurora-postgresql"
    DatabaseName: {
      "Fn::Sub": "${databaseName}"
    }
    DBSubnetGroupName: {
      "Fn::Sub": "${projectName}-subnetGroup"
    }
    EnableCloudwatchLogsExports:
      - "<value>"
    EnableIAMDatabaseAuthentication: true
    ManageMasterUserPassword: false # Set this to false
    StorageEncrypted: true
    MasterUserSecret:
      SecretArn: {
        "Ref": "secretArn"
      }
profile picture
EXPERT
Sivaraman Selvam
answered 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content