Help Center/ Data Encryption Workshop/ Getting Started/ Creating a Secret for Data Storage Rotation
Updated on 2025-07-22 GMT+08:00

Creating a Secret for Data Storage Rotation

Applications and business systems have a large number of secrets and are difficult to manage. Cloud Secret Management Service (CSMS) can store, retrieve, and use secrets in a unified manner throughout their lifecycles.

Procedure

This section uses a shared secret and a rotated secret as examples to describe how to create a secret and rotate data. The following figure shows the process.

Figure 1 Creating a secret for data storage rotation

Procedure

Description

Preparations

Register a Huawei ID, enable Huawei Cloud services, top up the account, and grant CSMS permissions to the account.

Step 1: Creating a Secret

Create a secret and choose the secret type.

Step 2: Rotating Data

After the secret is created, you can configure FunctionGraph to complete data rotation within the secret.

Preparations

  1. Before creating a secret, register a Huawei Cloud account and enable Huawei Cloud services. For details, see Signing Up for a HUAWEI ID and Enabling Huawei Cloud Services.

    If you have enabled Huawei Cloud, skip this step.

  2. Before purchasing an instance, ensure that your account balance is sufficient. For details, see Top-Up and Payment.
  3. Before using a rotated secret, you need to create a database instance and database account.

Step 1: Creating a Secret

The following describes how to create a shared secret and a rotated secret.

Full lifecycle management is supported for customized secrets in different scenarios. You can use CSMS to centrally manage, retrieve, and securely store various types of secrets, such as database account passwords, server passwords, SSH keys, and access keys. Multiple versions can be managed, so you can rotate secrets.

  1. Log in to the DEW console.
  2. In the navigation pane on the left, choose Cloud Secret Management Service > Secrets. On the displayed page, click Create Secret in the upper left corner.
  3. On the displayed page, configure the parameters as shown in Figure 2.
    Figure 2 Creating a shared secret
  4. Click Next.
  5. Click Next and confirm the creation information.
  6. Click OK. In the secret list, you can view the created secrets, which are in the Enabled state by default.

Database secret leakage is the main cause of data leakage. CSMS supports RDS and TaurusDB secrets hosting, as well as automatic and manual rotation, meeting various database secret management scenarios and reducing security risks faced by service data.

  1. Log in to the DEW console.
  2. In the navigation pane on the left, choose Cloud Secret Management Service > Secrets. On the displayed page, click Create Secret in the upper left corner.
  3. On the displayed page, configure the parameter as shown in the following and retain default settings for other parameters. For details about the parameters, see Table 1.
    Figure 3 Creating a rotated secret
    Table 1 Parameters for creating a rotated secret

    Parameter

    Example Value

    Description

    Type

    Rotated secret > RDS secret

    CSMS supports the following secret types:

    • Shared secret: Automatic secret rotation is not supported.
    • Rotated secret: Automatic secret rotation is supported. The secret type can be RDS secret or TaurusDB secret.

    Database

    TaurusDB

    RDS secrets support MySQL, PostgreSQL, SQLServer, MariaDB, and TaurusDB databases.

    RDS DB Instance

    taurus_test_01

    Select the RDS instance corresponding to the target database type.

    Secret Value

    Single account

    Set Account Name and Password as required.

    Account name and password to be encrypted.
    • If Single account is selected, you need to enter an available database account.
    • If Dual account is selected, after you enter an available database account, a cloned account with the same permissions will be created. Select I understand the risks.

    KMS Encryption Key

    csms/default

    The following modes are supported:
    • Select from list: Select this if you want to use the key used or shared by the current account. Select the default key csms/default or a custom key created on KMS.
    • Enter: Enter the ID of the authorized key. Enter an encryption key if an authorized key is used. Only symmetric algorithm key IDs are supported. Do not enter an asymmetric key ID.
    NOTE:
    • CSMS encrypts secret values using the encryption key provided by KMS. When you use the KMS encryption function, KMS creates a default key csms/default for you to use.
    • For details about how to create a custom key on KMS, see Creating a Key.
    • After a grant is created, you can switch to the manual input mode, and enter the key ID to use the granted key for encryption. For details, see .
  4. Click Next. On the displayed page, enable automatic rotation and set the rotation period as required.
  5. Under Rotation function, click Create one, enter the function name, select I understand the risks, and click Next.
  6. Click OK. In the secret list, you can view the created secrets, which are in the Enabled state by default.

Step 2: Rotating Data

You need to configure FunctionGraph to use shared secrets for data rotation. For details, see the following content.