Help Center/ Data Encryption Workshop/ User Guide/ Cloud Secret Management Service/ Creating a Secret/ Creating an RDS Secret
Updated on 2024-05-15 GMT+08:00
View PDF
Share

Creating an RDS Secret

This section describes how to create an RDS secret on the secret management page.

You can create a secret and store its value in its initial version, which is marked as SYSCURRENT.

Constraints

  • A user can create a maximum of 200 secrets.
  • By default, the default key csms/default created by CSMS is used as the encryption key of the current secret. You can also create a user-defined symmetric key and use a user-defined encryption key on the KMS console.
  • MySQL is supported for RDS secrets. Currently, the SQL Server database is not supported.
  • The RDS secrets are available in the following regions: CN North-Beijing4, CN East-Shanghai1, CN South-Guangzhou, CN-Hong Kong, AP-Singapore, and LA-Sao Paulo1.

Creating a Shared Secret

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click . Choose Security & Compliance > Data Encryption Workshop.
  4. In the navigation pane, choose Cloud Secret Management Service.
  5. Click Create Secret and select the RDS DB instance secret, as shown in Figure 1.

    Figure 1 RDS DB instance secret

  6. In the Create Secret dialog box, set the parameters. For details about the parameters, see Table 1.

    Table 1 RDS secret parameters

    Parameter

    Description

    Type

    Secret type. Choose RDS DB instance secret.

    Secret Name

    Secret name

    Enterprise Project

    This parameter is provided for enterprise users. If you are an enterprise user and have created an enterprise project, select the required enterprise project from the drop-down list. The default project is default.

    NOTE:

    If you have not enabled enterprise management, this parameter will not be displayed.

    RDS DB Instance

    Choose the instance you created on the RDS console.

    NOTE:

    Currently, only MySQL databases are supported.

    Secret Value

    Secret key/value pair and the plaintext secret to be encrypted

    • If Single account is selected, you need to enter an available database account.
    • If Dual account is selected, you need to enter two available database accounts.

    For details about the differences, see Rotation Policy.

    Description

    Description of a secret

    KMS Encryption Key

    The following keys can be selected:

    1. The default key csms/default
    2. The custom key you created on KMS. For details, see Creating a Key.
    3. After a grant is created, you can switch to the manual input mode, and enter the key ID to use the granted key for encryption. For details, see Creating a Grant.

    Tag (optional)

    You can add tags to a secret as you need.

    NOTE:

    You can add at most 20 tags to a secret.

    Associated Event

    Select an associated event for the secret. You can check information such as secret rotation and version expiration.

  7. Click Next and set the rotation period.

    If the automatic rotation function is disabled, you need to manually rotate the secrets. To enable automatic rotation, click Set Rotation Policy on the secret details page, enable automatic rotation, and set the rotation period.

  1. Toggle on the automatic rotation switch and select a rotation period. You can select a preset rotation period or customize a rotation period.

    The value ranges from 6 hours to 8,760 hours. The default value is 6 hours.
    Figure 2 Selecting a rotation period

  2. Select the risk warning and click Next.

    Figure 3 Secret information

  3. Click OK. A message is displayed in the upper right corner of the page, indicating that the secret is created successfully.
  4. You can view the created secrets in the secret list, as shown in Figure 4. The default status of a secret is Enabled.

    Figure 4 Secret list

Parent topic: Creating a Secret