Help Center/ Data Encryption Workshop/ User Guide/ Cloud Secret Management Service/ Secret Overview
Updated on 2024-05-15 GMT+08:00
View PDF
Share

Secret Overview

Shared Secrets

Full lifecycle management is supported for customized secrets in different scenarios. You can use CSMS to centrally manage, retrieve, and securely store various types of secrets, such as database account passwords, server passwords, SSH keys, and access keys. Multiple versions can be managed, so you can rotate secrets.

RDS Secrets

Database secret leakage is the main cause of data leakage. CSMS supports RDS secrets host and automatic and manual rotation, meeting various database secret management scenarios and reducing security risks faced by service data.

Differences Between Shared Secrets and RDS Secrets

Table 1 Secret differences

Type

Shared secret

RDS secret

Application Scenario

Supports full lifecycle management of customized secrets in different scenarios.

Automatically hosts Huawei Cloud RDS database secrets.

Automatic Rotation

Not supported. Users need to trigger the rotation.

Supported. Single-user and dual-user rotation models are supported.

Using RDS Secrets

Figure 1 Architecture

Process description:

  1. Create an RDS secret.
  • Set the secret name and tag.
  • Configure an automatic rotation policy.
  1. An application system can request an access secret from CSMS and obtain the secret value to access the corresponding database. For details about how to call APIs, see Querying the Secret Version and Value.
  2. The application system uses the returned secret value to parse the plaintext data. After obtaining the account and password, the application system can access the target database corresponding to the user.
    • After automatic rotation is enabled, the passwords hosted by the database instance will be updated periodically. Ensure that the application that uses the database instance has completed code adaptation so that the latest secrets can be dynamically obtained when the database connection is established.
    • Do not cache any information in secrets. Otherwise, the account and password may become invalid after rotation, causing database connection failures.