Selecting an RDS DB for newly created secrets in AWS CLI

Question

While I try to create a new secrets for RDS using AWS CLI, I couldn't find the way where I could associate my secrets to RDS DB on creation itself.I have gone through the AWS CLI( https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/create-secret.html ) and wasn't able to find a way for its association.

Do I need to do this step manually by logging into the console or could this be automated in some way? Could anyone please help.

Thanks.

Answer 1

The association is only based on the form of the secret-string . For the RDS the forms are listed here .

For instance, for mysql the form of the secret-string is as follows:

{
  "engine": "mysql",
  "host": "<required: instance host name/resolvable DNS name>",
  "username": "<required: username>",
  "password": "<required: password>",
  "dbname": "<optional: database name. If not specified, defaults to None>",
  "port": "<optional: TCP port number. If not specified, defaults to 3306>"
}

Thus, to create the secret for mysql using CLI:

1. Create file called mydb.json (example):

{
  "username": "admin",
  "password": "asdf435325gfdg",
  "engine": "mysql",
  "host": "database-2.cba4sasaubqv.us-east-1.rds.amazonaws.com",
  "port": 3306,
  "dbInstanceIdentifier": "database-2"
}

2. Execute:

aws secretsmanager create-secret --name mysql-info  --secret-string file://mydb.json

The more confusing CLI part begins when you want to enable an automatic secret rotations. I will just leave a link for that (it also has CLI info) if you are interested in this as well:

• Enabling Rotation for an Amazon RDS Database Secret