Creating a Secret for Data Storage Rotation

Full lifecycle management is supported for customized secrets in different scenarios. You can use CSMS to centrally manage, retrieve, and securely store various types of secrets, such as database account passwords, server passwords, SSH keys, and access keys. Multiple versions can be managed, so you can rotate secrets.

1. Log in to the DEW console.
2. In the navigation pane on the left, choose Cloud Secret Management Service > Secrets. On the displayed page, click Create Secret in the upper left corner.
3. On the displayed page, configure the parameters as shown in Figure 2.
   Figure 2 Creating a shared secret
   
4. Click Next.
5. Click Next and confirm the creation information.
6. Click OK. In the secret list, you can view the created secrets, which are in the Enabled state by default.

Database secret leakage is the main cause of data leakage. CSMS supports RDS and TaurusDB secrets hosting, as well as automatic and manual rotation, meeting various database secret management scenarios and reducing security risks faced by service data.

1. Log in to the DEW console.
2. In the navigation pane on the left, choose Cloud Secret Management Service > Secrets. On the displayed page, click Create Secret in the upper left corner.
3. On the displayed page, configure the parameter as shown in the following and retain default settings for other parameters. For details about the parameters, see Table 1.
   Figure 3 Creating a rotated secret
   

   Table 1 Parameters for creating a rotated secret

   Parameter	Example Value	Description
   Type	Rotated secret > RDS secret	CSMS supports the following secret types: Shared secret: Automatic secret rotation is not supported. Rotated secret: Automatic secret rotation is supported. The secret type can be RDS secret or TaurusDB secret.
   Database	TaurusDB	RDS secrets support MySQL, PostgreSQL, SQLServer, MariaDB, and TaurusDB databases.
   RDS DB Instance	taurus_test_01	Select the RDS instance corresponding to the target database type.
   Secret Value	Single account Set Account Name and Password as required.	Account name and password to be encrypted. If Single account is selected, you need to enter an available database account. If Dual account is selected, after you enter an available database account, a cloned account with the same permissions will be created. Select I understand the risks.
   KMS Encryption Key	csms/default	The following modes are supported: Select from list: Select this if you want to use the key used or shared by the current account. Select the default key csms/default or a custom key created on KMS. Enter: Enter the ID of the authorized key. Enter an encryption key if an authorized key is used. Only symmetric algorithm key IDs are supported. Do not enter an asymmetric key ID. NOTE: CSMS encrypts secret values using the encryption key provided by KMS. When you use the KMS encryption function, KMS creates a default key csms/default for you to use. For details about how to create a custom key on KMS, see Creating a Key. After a grant is created, you can switch to the manual input mode, and enter the key ID to use the granted key for encryption. For details, see .

4. Click Next. On the displayed page, enable automatic rotation and set the rotation period as required.
5. Under Rotation function, click Create one, enter the function name, select I understand the risks, and click Next.
6. Click OK. In the secret list, you can view the created secrets, which are in the Enabled state by default.