To Nha Notes | Oct. 8, 2022, 12:44 p.m.
If you want to turn on automatic rotation in Secrets Manager for a database credential secret, the secret must be in the correct JSON structure. During rotation, Secrets Manager uses the information in the secret to connect to the database and update the credentials there. When you use the AWS CLI or one of the SDKs to store a secret, you must provide the secret in one of the following structures. When you use the console to store a database secret, Secrets Manager automatically creates it in the correct JSON structure.
You can add more key/value pairs to a database secret, for example to contain connection information for replica databases in other Regions.
{
    "engine": "mysql",
    "host": "<instance host name/resolvable DNS name>",
    "username": "<username>",
    "password": "<password>",
    "dbname": "<database name. If not specified, defaults to None>",
    "port": "<TCP port number. If not specified, defaults to 3306>"
}

{
    "engine": "mongo",
    "host": "<instance host name/resolvable DNS name>",
    "username": "<username>",
    "password": "<password>",
    "dbname": "<database name. If not specified, defaults to None>",
    "port": "<TCP port number. If not specified, defaults to 27017>"
}
https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_secret_json_structure.html
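A pre-flight check you can run on a secret string before storing it with the CLI or an SDK, so that a malformed structure is caught before rotation is turned on. This is an added example, not code from AWS or from the page above; the function name check_db_secret and the choice to treat every key without a stated default as required are assumptions.

```python
import json

# Default ports as stated in the two structures on this page.
DEFAULT_PORTS = {"mysql": 3306, "mongo": 27017}
# Assumption: keys for which the page states no default are treated as required.
REQUIRED_KEYS = ("engine", "host", "username", "password")


def check_db_secret(secret_string):
    """Return (normalized_secret, problems) for a candidate secret string."""
    try:
        secret = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        return None, [f"not valid JSON: {exc.msg}"]
    if not isinstance(secret, dict):
        return None, ["top-level value must be a JSON object"]

    # Required-key problems name the key only, never its value,
    # so passwords stay out of logs.
    problems = [
        f"missing or empty required key: {key}"
        for key in REQUIRED_KEYS
        if not isinstance(secret.get(key), str) or not secret[key].strip()
    ]
    engine = secret.get("engine")
    default_port = DEFAULT_PORTS.get(engine) if isinstance(engine, str) else None
    if isinstance(engine, str) and engine.strip() and default_port is None:
        problems.append(f"engine not covered by this page: {engine}")

    normalized = dict(secret)  # extra key/value pairs are allowed and kept
    normalized.setdefault("dbname", None)
    port = secret.get("port", default_port)
    try:
        port = int(port)
        if not 1 <= port <= 65535:
            raise ValueError(port)
    except (TypeError, ValueError):
        problems.append(f"port is not a valid TCP port: {port!r}")
    normalized["port"] = port
    return normalized, problems


if __name__ == "__main__":
    # Constructed sample, not a real credential.
    sample = json.dumps({"engine": "mysql", "host": "db.example.internal",
                         "username": "app_user", "password": "constructed"})
    checked, found = check_db_secret(sample)
    print(checked["port"], found)
```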