Updated on 2024-12-19 GMT+08:00

Secret Overview

Shared Secrets

Full lifecycle management is supported for customized secrets in different scenarios. You can use CSMS to centrally manage, retrieve, and securely store various types of secrets, such as database account passwords, server passwords, SSH keys, and access keys. Multiple versions can be managed, so you can rotate secrets.

Secret Rotation

Database secret leakage is the main cause of data leakage. CSMS hosts RDS and TaurusDB secrets and supports both automatic and manual rotation, covering different database secret management scenarios and reducing the security risks to service data.

Differences Between Shared Secrets and RDS Secrets

Table 1 Secret types

| Type | Shared secret | Rotated secret |
|---|---|---|
| Application Scenario | Supports full lifecycle management of customized secrets in different scenarios. | RDS secrets: Automatically hosts Huawei Cloud RDS database secrets. TaurusDB secrets: Automatically hosts Huawei Cloud TaurusDB secrets. |
| Automatic Rotation | Not supported. Users need to trigger the rotation. | Supported. Single-user and dual-user rotation models are supported. |

Using Rotated Secrets

Process description:

  1. Create a rotated secret.
    • Set the secret name and tag.
    • Configure an automatic rotation policy.
  2. An application system requests the secret from CSMS and obtains the secret value to access the corresponding database. For details about how to call APIs, see Querying the Secret Version and Value.
  3. The application system parses the plaintext data from the returned secret value. After obtaining the account and password, the application system can access the target database corresponding to the user.
    • After automatic rotation is enabled, the passwords hosted by the database instance are updated periodically. Ensure that the application that uses the database instance has completed code adaptation so that the latest secret is obtained dynamically when the database connection is established.
    • Do not cache any information in secrets. Otherwise, the account and password may become invalid after rotation, causing database connection failures.
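
The rule against caching, shown as an added example (not Huawei Cloud code): FakeBackend is a constructed stand-in for CSMS and the database, and the JSON field names, the secret name and the password values are assumptions made for the illustration. connect_fresh goes one step beyond the text by refetching once when a rotation lands between the fetch and the login.

```python
import json

class AuthError(Exception):
    """Raised by the stand-in database when the password is not the current one."""

class FakeBackend:
    """Constructed stand-in for CSMS plus the database whose password it rotates."""
    def __init__(self):
        self.version = 1
        self.fetches = 0

    def rotate(self):
        self.version += 1  # the hosted secret and the database password change together

    def get_secret_value(self, name):
        # Stands in for the "Querying the Secret Version and Value" API call.
        # The JSON field names are assumed, not taken from the CSMS documentation.
        self.fetches += 1
        return json.dumps({"username": "app_user", "password": f"pw-v{self.version}"})

    def db_connect(self, username, password):
        if password != f"pw-v{self.version}":
            raise AuthError("login rejected")
        return f"session:{username}:v{self.version}"

def parse_credentials(secret_value):
    """Parse the plaintext secret value into (account, password)."""
    data = json.loads(secret_value)
    return data["username"], data["password"]

def connect_fresh(backend, name, retries=1):
    """Fetch the secret when the connection is established; refetch once if a
    rotation landed between the fetch and the login."""
    for attempt in range(retries + 1):
        creds = parse_credentials(backend.get_secret_value(name))
        try:
            return backend.db_connect(*creds)
        except AuthError:
            if attempt == retries:
                raise

def demo():
    backend = FakeBackend()
    cached = parse_credentials(backend.get_secret_value("demo-secret"))  # anti-pattern
    before = connect_fresh(backend, "demo-secret")
    backend.rotate()
    try:
        stale = backend.db_connect(*cached)  # credentials read before the rotation
    except AuthError:
        stale = "auth failed"
    return before, stale, connect_fresh(backend, "demo-secret")
```

Calling demo() shows the cached credentials being rejected after one rotation while the connection-time fetch still logs in.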