Updated on 2024-12-19 GMT+08:00

Creating a Rotation Secret

This section describes how to create a rotation secret on the secret management page.

You can create rotation secrets of different types. The secret value is stored in the initial version, which is marked as SYSCURRENT.

Constraints

  • You can create a maximum of 200 secrets.
  • By default, the key csms/default created by CSMS is used as the encryption key of the secret. You can also create a user-defined symmetric key on the KMS console and use it as the encryption key.
  • RDS secrets support only the MySQL DB engine.
  • TaurusDB secrets support only TaurusDB.
  • When rotation is enabled for the first time, CSMS automatically creates an agency for the user in the current project of the region after the user confirms the authorization. Therefore, ensure that the account has the following IAM permissions: iam:permissions:grantRoleToAgencyOnProject, iam:agencies:listAgencies, iam:roles:listRoles, iam:agencies:createAgency, iam:permissions:checkRoleForAgencyOnProject and iam:roles:createRole.

    The agency to be created varies depending on the type of the secret to be rotated.

    • RDS secret
      • Create an agency named CSMSAccessFunctionGraph with the account op_svc_kms and the permission CSMSAccessFunctionGraph. The agency uses a project-level service policy, which includes the functiongraph:function:invoke permission for FunctionGraph.
      • Create an agency named FunctionGraphAgencyForRotateRDSByCSMSV3. The cloud service is FunctionGraph, and the permission name is FunctionGraphAgencyForRotateRDSByCSMSV3. The project-level service policy is used, including:
        • CSMS permissions: csms:secret:getVersion, csms:secret:listVersion, csms:secret:createVersion, csms:secret:getStage, csms:secret:get and csms:secret:updateStage.
        • VPC permissions: vpc:ports:create, vpc:vpcs:get, vpc:ports:get, vpc:ports:delete and vpc:subnets:get.
        • KMS permissions: kms:cmk:createDataKey and kms:cmk:decryptDataKey.
        • RDS permission: rds:password:update.
    • TaurusDB secret
      • Create an agency named CSMSAccessFunctionGraph with the account op_svc_kms and the permission CSMSAccessFunctionGraph. The agency uses a project-level service policy, which includes the functiongraph:function:invoke permission for FunctionGraph to synchronously execute functions.
      • Create an agency named FunctionGraphAgencyForRotateGaussDBByCSMSV3. The cloud service is FunctionGraph, and the permission name is FunctionGraphAgencyForRotateGaussDBByCSMSV3. The project-level service policy is used, including:
        • CSMS permissions: csms:secretVersion:get, csms:secretVersion:list, csms:secretVersion:create, csms:secretStage:get, csms:secret:get and csms:secretStage:update.
        • VPC permissions: vpc:ports:create, vpc:vpcs:get, vpc:ports:get, vpc:ports:delete and vpc:subnets:get.
        • KMS permissions: kms:dek:create and kms:dek:decrypt.
        • TaurusDB permission: gaussdb:user:modify.
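The rotation agency above is a service principal that can read and write secret versions, create VPC ports and change database passwords, so its policy should grant exactly the listed actions. The following added example (not Huawei Cloud code) is a least-privilege review of a policy document against the RDS action list on this page; it assumes the policy uses the IAM custom-policy JSON layout with Version 1.1 and a Statement list of Effect/Action entries, and the sample policy is constructed for the demonstration.

```python
import fnmatch
import json

# Actions this page lists for the FunctionGraphAgencyForRotateRDSByCSMSV3 agency.
REQUIRED_RDS_ROTATION_ACTIONS = {
    "csms:secret:getVersion", "csms:secret:listVersion", "csms:secret:createVersion",
    "csms:secret:getStage", "csms:secret:get", "csms:secret:updateStage",
    "vpc:ports:create", "vpc:vpcs:get", "vpc:ports:get", "vpc:ports:delete", "vpc:subnets:get",
    "kms:cmk:createDataKey", "kms:cmk:decryptDataKey",
    "rds:password:update",
}


def granted_actions(policy):
    """Collect every action allowed by a policy document (assumed Version 1.1 layout)."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        actions.update([acts] if isinstance(acts, str) else acts)
    return actions


def review_policy(policy, required):
    """Return (missing, wildcards, extras): required actions the policy does not cover,
    wildcard entries that over-grant, and literal actions outside the required set."""
    granted = granted_actions(policy)
    wildcards = {a for a in granted if "*" in a}
    literal = granted - wildcards

    def covered(action):
        return action in literal or any(fnmatch.fnmatchcase(action, w) for w in wildcards)

    missing = {a for a in required if not covered(a)}
    extras = literal - required
    return missing, wildcards, extras


# Constructed sample: over-grants CSMS with a wildcard, adds an unneeded VPC action,
# and forgets rds:password:update, so rotation would fail at the password change step.
SAMPLE_POLICY = json.loads("""{
  "Version": "1.1",
  "Statement": [
    {"Effect": "Allow", "Action": ["csms:*:*", "kms:cmk:createDataKey", "kms:cmk:decryptDataKey"]},
    {"Effect": "Allow", "Action": ["vpc:ports:create", "vpc:vpcs:get", "vpc:ports:get",
                                   "vpc:ports:delete", "vpc:subnets:get", "vpc:ports:update"]}
  ]
}""")

if __name__ == "__main__":
    missing, wildcards, extras = review_policy(SAMPLE_POLICY, REQUIRED_RDS_ROTATION_ACTIONS)
    print("missing:", sorted(missing), "wildcards:", sorted(wildcards), "extras:", sorted(extras))
```

For a TaurusDB agency, swap in the csms:secretVersion/csms:secretStage, kms:dek and gaussdb:user:modify actions listed above.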

Creating a Rotation Secret

  1. Log in to the management console.
  2. Click in the upper left corner and select a region or project.
  3. Click . Choose Security & Compliance > Data Encryption Workshop.
  4. In the navigation pane on the left, choose Cloud Secret Management Service.
  5. Click Create Secret and set Type to Rotated secret, as shown in Figure 1.

    Figure 1 Creating a rotated secret

  6. In the displayed Create Secret dialog box, set the parameters. For details about the parameters, see Table 1.

    Table 1 Parameters for rotated secrets

    Type
      Type of the rotation secret to be created, for example, an RDS secret. The following types are available:
      • RDS secret
      • TaurusDB secret

    Secret Name
      Name of the secret.

    Enterprise Project
      This parameter is provided for enterprise users. If you are an enterprise user and have created an enterprise project, select the required enterprise project from the drop-down list. The default project is default.
      NOTE: If you have not enabled enterprise management, this parameter is not displayed.

    Instance
      Select the service instance corresponding to the selected secret type.
      NOTE:
      • RDS secrets support only the MySQL DB engine.
      • TaurusDB secrets support only TaurusDB.

    Secret Value
      Database account name and password to be encrypted.
      • If Single account is selected, enter an available database account.
      • If Dual account is selected, after you enter an available database account, a cloned account with the same permissions is created.
      For details, see Rotation Policy.

    KMS Encryption Key
      The following keys can be selected:

  7. Enable Automatic Rotation, set the rotation period and the rotation function, select I understand the risks, and click Next. You can select a preset period or set a custom one.

    Figure 2 Enabling automatic rotation

  8. Click Next, confirm the information, and click OK.