Updated on 2024-12-19 GMT+08:00

Rotation Secret Version

This section describes how to rotate secret versions on the secret details page.

Constraints

  • The secret type is rotation secret.
  • The secret account must be an existing database account.
  • When the rotation function is enabled for the first time, CSMS automatically creates an agency for the user in the current project of the region after the user confirms the authorization. The account used must therefore hold the following IAM permissions: iam:permissions:grantRoleToAgencyOnProject, iam:agencies:listAgencies, iam:roles:listRoles, iam:agencies:createAgency, iam:permissions:checkRoleForAgencyOnProject and iam:roles:createRole.

    The agency to be created varies depending on the type of the secret to be rotated.

    • RDS secret
      • Create an agency named CSMSAccessFunctionGraph for the account op_svc_kms with the permission CSMSAccessFunctionGraph. The agency uses a project-level service policy, which includes the functiongraph:function:invoke permission for FunctionGraph.
      • Create an agency named FunctionGraphAgencyForRotateRDSByCSMSV3. The cloud service is FunctionGraph, and the permission name is FunctionGraphAgencyForRotateRDSByCSMSV3. The project-level service policy is used, including:
        • CSMS permissions: csms:secret:getVersion, csms:secret:listVersion, csms:secret:createVersion, csms:secret:getStage, csms:secret:get and csms:secret:updateStage.
        • VPC permissions: vpc:ports:create, vpc:vpcs:get, vpc:ports:get, vpc:ports:delete and vpc:subnets:get.
        • KMS permissions: kms:cmk:createDataKey and kms:cmk:decryptDataKey.
        • RDS permission: rds:password:update
    • TaurusDB secret
      • Create an agency named CSMSAccessFunctionGraph with account op_svc_kms and permission CSMSAccessFunctionGraph. The agency uses a project-level service policy, including the functiongraph:function:invoke permission for FunctionGraph to synchronously execute functions.
      • Create an agency named FunctionGraphAgencyForRotateGaussDBByCSMSV3. The cloud service is FunctionGraph, and the permission name is FunctionGraphAgencyForRotateGaussDBByCSMSV3. The project-level service policy is used, including:
        • CSMS permissions: csms:secretVersion:get, csms:secretVersion:list, csms:secretVersion:create, csms:secretStage:get, csms:secret:get and csms:secretStage:update.
        • VPC permissions: vpc:ports:create, vpc:vpcs:get, vpc:ports:get, vpc:ports:delete and vpc:subnets:get.
        • KMS permissions: kms:dek:create and kms:dek:decrypt.
        • TaurusDB permission: gaussdb:user:modify
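The two permission lists above are the complete set the rotation function needs, so an agency policy that grants less breaks rotation and one that grants more (wildcards or unrelated actions) over-privileges a service account that can change database passwords. The following audit script is an added example, not Huawei Cloud's own tooling: it checks a policy document against the required action set for the RDS or TaurusDB rotation secret. It assumes the policy uses the `{"Version": "1.1", "Statement": [{"Effect": ..., "Action": [...]}]}` layout (assumption), the two sample policies are constructed, and `example:unrelated:action` is a placeholder, not a real action name.

```python
"""Audit an IAM agency policy against the actions the CSMS rotation function needs.

Added example, not part of the original page or of Huawei Cloud's tooling.
Assumption: the policy document uses a {"Version": "1.1", "Statement": [...]} layout
where each statement carries "Effect" and "Action" (string or list of strings).
"""
import fnmatch
import json

# Required actions per secret type, copied from the constraints section of the page.
REQUIRED_ACTIONS = {
    "rds": {
        "csms:secret:getVersion", "csms:secret:listVersion", "csms:secret:createVersion",
        "csms:secret:getStage", "csms:secret:get", "csms:secret:updateStage",
        "vpc:ports:create", "vpc:vpcs:get", "vpc:ports:get", "vpc:ports:delete", "vpc:subnets:get",
        "kms:cmk:createDataKey", "kms:cmk:decryptDataKey",
        "rds:password:update",
    },
    "taurusdb": {
        "csms:secretVersion:get", "csms:secretVersion:list", "csms:secretVersion:create",
        "csms:secretStage:get", "csms:secret:get", "csms:secretStage:update",
        "vpc:ports:create", "vpc:vpcs:get", "vpc:ports:get", "vpc:ports:delete", "vpc:subnets:get",
        "kms:dek:create", "kms:dek:decrypt",
        "gaussdb:user:modify",
    },
}


def allowed_actions(policy):
    """Collect the action patterns of every Allow statement in a policy dict."""
    patterns = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        patterns.extend([action] if isinstance(action, str) else action)
    return patterns


def audit_policy(policy, secret_type):
    """Return the required actions the policy misses, the wildcard grants it
    contains, and the explicit actions it grants beyond the required set."""
    required = REQUIRED_ACTIONS[secret_type]
    patterns = allowed_actions(policy)
    missing = sorted(a for a in required
                     if not any(fnmatch.fnmatchcase(a, p) for p in patterns))
    wildcards = sorted(p for p in patterns if "*" in p)
    extra = sorted(p for p in patterns if "*" not in p and p not in required)
    return {"missing": missing, "wildcards": wildcards, "extra": extra}


# Constructed sample: a least-privilege policy for an RDS rotation secret.
TIGHT_RDS_POLICY = {
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": sorted(REQUIRED_ACTIONS["rds"])}],
}

# Constructed sample: wildcards, an unrelated placeholder action, and no rds:password:update.
LOOSE_RDS_POLICY = {
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": [
        "csms:*", "vpc:*",
        "kms:cmk:createDataKey", "kms:cmk:decryptDataKey",
        "example:unrelated:action",   # placeholder, not a real action name
    ]}],
}


if __name__ == "__main__":
    for name, policy in (("tight", TIGHT_RDS_POLICY), ("loose", LOOSE_RDS_POLICY)):
        print(name, json.dumps(audit_policy(policy, "rds"), indent=2))
```

A non-empty `missing` list explains a rotation that fails right after the agency is created; a non-empty `wildcards` or `extra` list is what to trim before the agency is left in place, since the function only needs to create and read secret versions, manage its VPC port, use the KMS key and update one database password.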

Manual Rotation

  1. Log in to the management console.
  2. Click the icon in the upper left corner of the management console and select a region or project.
  3. Click the icon on the left and choose Security & Compliance > Data Encryption Workshop.
  4. In the navigation pane on the left, choose Cloud Secret Management Service > Secrets. The Cloud Secret Management Service page is displayed.
  5. Click a secret name to go to the details page.
  6. In the Version area, click Rotate Now.
  7. On the displayed page, enter ROTATE and click OK.
  8. Wait until a message is displayed in the upper right corner indicating that the rotation has started.
  9. After the version is rotated, the latest secret version is in the SYSCURRENT state.

Automatic Rotation

  1. Log in to the management console.
  2. Click the icon in the upper left corner of the management console and select a region or project.
  3. Click the icon on the left and choose Security & Compliance > Data Encryption Workshop.
  4. In the navigation pane on the left, choose Cloud Secret Management Service > Secrets. The Cloud Secret Management Service page is displayed.
  5. Click a secret name to go to the details page.
  6. Click Set Rotation Policy in the upper right corner. On the Set Rotation Policy page, toggle on the Automatic Rotation switch, as shown in Figure 1.

    Figure 1 Automatic rotation

  7. Set an automatic rotation period, select the risk warning, and click OK. A message indicating that the rotation policy was set successfully is displayed in the upper right corner.
  8. After automatic rotation is enabled, if a secret version fails to rotate, the number of rotation failures is shown in the current version area. Click that number to view the rotation failure records.

    • If rotation fails three consecutive times, automatic rotation is disabled for the secret.
    • Rotation failure records cannot be deleted manually. They are stored for one month and are deleted automatically after that.
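Because three consecutive failures silently switch automatic rotation off, a team that relies on rotation needs to notice failures before the third one, not after. The following monitor is an added example, not part of the page or of CSMS itself: it tracks rotation outcomes per secret, mirrors the page's rule that three consecutive failures disable automatic rotation, raises an alert one failure earlier, and prunes failure records after the one-month retention the page describes (30 days is this example's assumption). The sequence of outcomes at the bottom is constructed.

```python
"""Track rotation outcomes for a rotation secret and alert before auto rotation is disabled.

Added example, not part of the original page or of CSMS. The disable rule (three
consecutive failures) and the one-month record retention come from the page;
30 days as the length of "one month" and the alert threshold are assumptions.
"""
from datetime import datetime, timedelta

MAX_CONSECUTIVE_FAILURES = 3            # from the page: third consecutive failure disables auto rotation
ALERT_AT = MAX_CONSECUTIVE_FAILURES - 1  # assumption: alert one failure before the service disables it
RETENTION = timedelta(days=30)          # page says "one month"; 30 days is an assumption


class RotationMonitor:
    """Per-secret bookkeeping of rotation results, modelled on the page's rules."""

    def __init__(self, secret_name):
        self.secret_name = secret_name
        self.failures = []               # (timestamp, reason) for every failed rotation
        self.consecutive_failures = 0
        self.auto_rotation_enabled = True
        self.alerts = []

    def record(self, when, succeeded, reason=""):
        """Record one rotation attempt; return whether auto rotation is still enabled."""
        if succeeded:
            # A successful rotation breaks the streak; failure records are kept.
            self.consecutive_failures = 0
            return self.auto_rotation_enabled
        self.failures.append((when, reason))
        self.consecutive_failures += 1
        if self.consecutive_failures == ALERT_AT:
            self.alerts.append(f"{when.isoformat()} {self.secret_name}: "
                               f"{ALERT_AT} consecutive rotation failures, one more disables auto rotation")
        if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            self.auto_rotation_enabled = False
            self.alerts.append(f"{when.isoformat()} {self.secret_name}: auto rotation disabled, "
                               f"re-enable after fixing: {reason}")
        return self.auto_rotation_enabled

    def failure_records(self, now):
        """Drop records older than the retention period and return the rest."""
        self.failures = [(t, r) for t, r in self.failures if now - t < RETENTION]
        return list(self.failures)


def replay(outcomes, secret_name="db-app-secret"):
    """Feed a constructed list of (timestamp, succeeded, reason) through a monitor."""
    monitor = RotationMonitor(secret_name)
    for when, ok, reason in outcomes:
        monitor.record(when, ok, reason)
    return monitor


# Constructed sample: two failures, one success that resets the streak, then three failures.
SAMPLE_OUTCOMES = [
    (datetime(2024, 1, 1, 2, 0), False, "agency missing rds:password:update"),
    (datetime(2024, 1, 2, 2, 0), False, "agency missing rds:password:update"),
    (datetime(2024, 1, 3, 2, 0), True, ""),
    (datetime(2024, 1, 4, 2, 0), False, "database account locked"),
    (datetime(2024, 1, 5, 2, 0), False, "database account locked"),
    (datetime(2024, 1, 6, 2, 0), False, "database account locked"),
]


if __name__ == "__main__":
    m = replay(SAMPLE_OUTCOMES)
    print("auto rotation enabled:", m.auto_rotation_enabled)
    for line in m.alerts:
        print("ALERT", line)
    print("records still retained on 2024-02-03:", len(m.failure_records(datetime(2024, 2, 3, 2, 0))))
```

The first streak of two failures produces an alert but is reset by the success on 3 January; the second streak reaches three and the monitor reports automatic rotation as disabled, at which point the policy has to be switched back on by hand after the cause is fixed. On 3 February only the 5 and 6 January records are within the 30-day window, matching the page's statement that failure records expire after a month and cannot be deleted earlier.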