How to store and rotate database credentials using AWS Secrets Manager
AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Users and applications retrieve secrets with a call to Secrets Manager APIs, eliminating the need to hard code sensitive information in plain text.
Secrets Manager offers secret rotation with built-in integration for Amazon RDS, Amazon Redshift, and Amazon DocumentDB. Also, the service is extensible to other types of secrets, including API keys and OAuth tokens. In addition, Secrets Manager enables you to control access to secrets using fine-grained permissions and audit secret rotation centrally for resources in the AWS Cloud, third-party services, and on-premises.
In this post, you will learn how to store database credentials for an RDS database using AWS Secrets Manager. Here I have used a WordPress application server that requires database credentials to access the MySQL database.
You'll need an Amazon EC2 server for this post. Getting started with Amazon EC2 provides instructions on how to launch an EC2 server.
You’ll also need AWS Command Line Interface (AWS CLI) installed and configured on your machine. For this blog, I assume that the default AWS CLI region is set to N. Virginia (us-east-1) and that you have access to the AWS services described in this post. If you use other regions, you should check the availability of AWS services in those regions.
The architecture diagram shows the overall deployment architecture with the data flow between the application server, the MySQL DB instance, the AWS CLI and AWS Secrets Manager.
The blog post consists of the following phases:
- Store a secret in Secrets Manager
- Update an application to retrieve the secret from Secrets Manager
- Enable Rotation for your secret
Phase 1: Store a secret in Secrets Manager
1. Open the Secrets Manager Console and select Store a new secret.
2. Select Credentials for RDS database, enter the username and password of the RDS database that the secret will hold, and choose the default encryption key.
3. Select the DB instance mysql-rds-database, and then select Next.
4. Enter a secret name and description.
5. Keep the default option, which leaves automatic rotation disabled.
6. Review all configurations and change them if you want.
7. The secret is created successfully.
8. You can view the auto-generated sample code in several languages.
Phase 2: Update an application to retrieve the secret from Secrets Manager
Update the application to retrieve the database credentials from Secrets Manager:
- Connect to the EC2 instance.
- Add this code to the application to retrieve credentials.
# Use the code snippet provided by Secrets Manager.
import boto3
from botocore.exceptions import ClientError

# Define the secret you want to retrieve
secret_name = "Applications/MyApp/MySQL-RDS-Database"
# Define the Secrets Manager endpoint your code should use.
endpoint_url = "https://secretsmanager.us-east-1.amazonaws.com"
region_name = "us-east-1"

# Set up the client
session = boto3.session.Session()
client = session.client(
    service_name="secretsmanager",
    region_name=region_name,
    endpoint_url=endpoint_url,
)

# Use the client to retrieve the secret
try:
    get_secret_value_response = client.get_secret_value(SecretId=secret_name)
# Error handling to make it easier for your code to tolerate faults
except ClientError as e:
    if e.response["Error"]["Code"] == "ResourceNotFoundException":
        print("The requested secret " + secret_name + " was not found")
    elif e.response["Error"]["Code"] == "InvalidRequestException":
        print("The request was invalid due to:", e)
    elif e.response["Error"]["Code"] == "InvalidParameterException":
        print("The request had invalid params:", e)
    # Re-raise so a failed lookup is not silently swallowed
    raise
else:
    # Decrypted secret using the associated KMS CMK
    # Depending on whether the secret was a string or binary, one of these fields will be populated
    if "SecretString" in get_secret_value_response:
        secret = get_secret_value_response["SecretString"]
    else:
        binary_secret_data = get_secret_value_response["SecretBinary"]
    # Your code goes here.
- Attach an IAM role to the EC2 instance so that the application is allowed to retrieve the secret.
Phase 3: Enable Rotation for Your Secret
1. To enable rotation, open the rotation configuration and select Edit.
2. Select Enable automatic rotation and choose the rotation interval.
3. Choose to create a new Lambda function to perform the rotation.
4. Select the secret that was stored previously.
5. The rotation configuration is being created.
6. Rotation is enabled for the selected number of days.
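The application side of Phase 2 and the rotation of Phase 3 meet in one place: an RDS-type secret is a JSON document (username, password, engine, host, port, dbname), and once rotation changes the password, a copy cached inside a long-running application such as the WordPress server is stale. The added example below (not code from the original post) parses the secret into MySQL connection settings, handles both SecretString and SecretBinary, and refetches the secret once when the database rejects the cached password. SAMPLE_SECRET, AuthError and FakeSecretsClient are constructed stand-ins; a real boto3 Secrets Manager client has the same get_secret_value call shape.

```python
import base64
import json

# Constructed sample of what the "Credentials for RDS database" secret type stores.
SAMPLE_SECRET = json.dumps({"username": "wpuser", "password": "old-pass", "engine": "mysql",
                            "host": "mysql-rds-database.example.internal", "port": 3306,
                            "dbname": "wordpress"})

class AuthError(Exception):
    """Raised by the connect callback when the database rejects the credentials."""

def parse_rds_secret(response):
    """Map a GetSecretValue response for an RDS-type secret to MySQL connection kwargs."""
    # SecretString is JSON text; SecretBinary is base64 text in the raw API, bytes via boto3.
    if "SecretString" in response:
        data = json.loads(response["SecretString"])
    else:
        raw = response["SecretBinary"]
        data = json.loads(base64.b64decode(raw) if isinstance(raw, str) else raw)
    return {"host": data["host"], "port": int(data.get("port", 3306)),
            "user": data["username"], "password": data["password"],
            "database": data.get("dbname")}

class CredentialCache:
    """Caches parsed credentials; refetches once if the DB rejects them after rotation."""
    def __init__(self, client, secret_id):
        self.client, self.secret_id, self._creds = client, secret_id, None

    def get(self, force=False):
        if force or self._creds is None:
            resp = self.client.get_secret_value(SecretId=self.secret_id)
            self._creds = parse_rds_secret(resp)
        return self._creds

    def connect(self, connect_fn):
        """connect_fn(kwargs) opens a DB connection or raises AuthError."""
        try:
            return connect_fn(self.get())
        except AuthError:  # password rotated since it was cached: refresh and retry once
            return connect_fn(self.get(force=True))

class FakeSecretsClient:
    """Constructed stand-in with boto3's get_secret_value call shape, so this runs offline."""
    def __init__(self, secret_string=SAMPLE_SECRET):
        self.secret_string = secret_string

    def get_secret_value(self, SecretId):
        return {"Name": SecretId, "SecretString": self.secret_string}
```

With a real client, pass `boto3.session.Session().client("secretsmanager")` in place of FakeSecretsClient and a function that opens the MySQL connection and raises AuthError on an access-denied error.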
WordPress application server with a MySQL RDS database, storing the credentials in Secrets Manager:
Step-1 Launched the WordPress application server
Step-2 Created the MySQL RDS database
Step-3 Stored the RDS credentials as a secret in Secrets Manager
Step-4 Enabled the rotation option with the defined details
Step-5 Checked the configuration in Secrets Manager using the AWS CLI for the WordPress application. Rotation is enabled here for 30 days.
Step-6 Enabled rotation here for 60 days
Step-7 Retrieved the database credentials stored in AWS Secrets Manager via the AWS CLI
- Terminate the EC2 server.
- Delete the secret from AWS Secrets Manager.
- Delete the RDS database.
Let's review the pricing and estimated cost of this example. AWS Secrets Manager offers a 30-day trial period that starts when you store your first secret. Storage of each secret costs $0.40 per secret per month. For secrets that are stored for less than a month, the price is prorated based on the number of hours. There is an additional cost of $0.05 per 10,000 API calls. You can learn more by visiting the AWS Secrets Manager pricing page.
Cost of EC2 = $0.012 per hour = $0.024 (2 hours).
Cost of RDS = $14.75 per month = $0.04 (2 hours).
Cost of AWS Secrets Manager = 2 hours x ($0.40 per secret per month / 30 days / 24 hours + $0.05 per 10,000 API calls).
In this post, I have shown you how to store and rotate database credentials using AWS Secrets Manager.
To get started managing secrets, open the Secrets Manager console. To learn more, read the Secrets Manager documentation.