
URL: https://docs.aws.amazon.com/secretsmanager/latest/userguide/service-linked-secrets.html
Submission: On January 30 via api from US — Scanned from DE

AWS SECRETS MANAGER SECRETS MANAGED BY OTHER AWS SERVICES

Many AWS services store and use secrets in AWS Secrets Manager. In some cases,
these secrets are managed secrets, which means that the service that created
them helps manage them. For example, some managed secrets include managed
rotation, so you don't have to configure rotation yourself. The managing service
might also restrict you from updating secrets or deleting them without a
recovery period, which helps prevent outages because the managing service
depends on the secret.

Managed secrets use a naming convention that includes the managing service ID to
help identify them.

Secret name: ServiceID!MySecret
Secret ARN : arn:aws:us-east-1:ServiceID!MySecret-a1b2c3

IDS FOR SERVICES THAT MANAGE SECRETS

 * appflow – Amazon AppFlow

 * databrew – AWS Glue DataBrew

 * datasync – AWS DataSync

 * directconnect – AWS Direct Connect

 * ecs-sc – Amazon Elastic Container Service

 * events – Amazon EventBridge

 * marketplace-deployment – AWS Marketplace

 * opsworks-cm – AWS OpsWorks for Chef Automate

 * rds – Amazon RDS and Aurora

 * redshift – Amazon Redshift

 * sqlworkbench – Amazon Redshift query editor v2

To find secrets that are managed by other AWS services, see Find managed
secrets.
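
The naming convention above can be used to inventory which secrets in an account belong to a managing service. The following is an added example, not code from the AWS documentation: the function names and sample identifiers are constructed for illustration, and it assumes the identifier is either a secret name or an ARN whose last colon-separated field is the name followed by a hyphen and six random characters.

```python
import re
from collections import defaultdict

# Service IDs and names copied from the list on this page.
MANAGING_SERVICES = {
    "appflow": "Amazon AppFlow", "databrew": "AWS Glue DataBrew",
    "datasync": "AWS DataSync", "directconnect": "AWS Direct Connect",
    "ecs-sc": "Amazon Elastic Container Service", "events": "Amazon EventBridge",
    "marketplace-deployment": "AWS Marketplace",
    "opsworks-cm": "AWS OpsWorks for Chef Automate",
    "rds": "Amazon RDS and Aurora", "redshift": "Amazon Redshift",
    "sqlworkbench": "Amazon Redshift query editor v2",
}

# In an ARN, the secret name is followed by "-" and six random characters.
ARN_SUFFIX = re.compile(r"-[A-Za-z0-9]{6}$")

def secret_name(identifier):
    """Return the secret name from a name or an ARN (hypothetical helper)."""
    if not identifier.startswith("arn:"):
        return identifier
    # The name is the last colon-separated field; drop the random suffix.
    return ARN_SUFFIX.sub("", identifier.rsplit(":", 1)[1])

def managing_service(identifier):
    """Return (service_id, service_name) for a managed secret, else None."""
    service_id, sep, rest = secret_name(identifier).partition("!")
    if not sep or not service_id or not rest:
        return None  # no "ServiceID!" prefix: not a managed secret
    # An unlisted ID is still reported so a new managing service is not missed.
    return service_id, MANAGING_SERVICES.get(service_id, "unknown service ID")

def inventory(identifiers):
    """Group secret names by managing service ID; "" holds unmanaged secrets."""
    groups = defaultdict(list)
    for ident in identifiers:
        found = managing_service(ident)
        groups[found[0] if found else ""].append(secret_name(ident))
    return dict(groups)

# Constructed sample identifiers (not real secrets).
SAMPLE = [
    "rds!db-example",
    "arn:aws:secretsmanager:us-east-1:111122223333:secret:events!connection/demo-a1b2c3",
    "arn:aws:us-east-1:ServiceID!MySecret-a1b2c3",  # form shown on this page
    "prod/app/api-key",
]
```

Calling inventory(SAMPLE) groups the four identifiers under rds, events, ServiceID, and the empty key for the unmanaged secret.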


AMAZON APPFLOW


In Amazon AppFlow, when you configure a SaaS application as a source or
destination, you create a connection. This includes information required for
connecting to the SaaS applications, such as authentication tokens, user names,
and passwords. Amazon AppFlow stores your connection data in a Secrets Manager
managed secret with the prefix appflow. The cost of storing the secret is
included with the charge for Amazon AppFlow. For more information, see Data
protection in Amazon AppFlow in the Amazon AppFlow User Guide.


AWS GLUE DATABREW


AWS Glue DataBrew provides the DETERMINISTIC_DECRYPT, DETERMINISTIC_ENCRYPT, and
CRYPTOGRAPHIC_HASH recipe steps to perform transformations on personally
identifiable information (PII) in a dataset, which use an encryption key stored
in a Secrets Manager secret. If you use the DataBrew default secret to store the
encryption key, DataBrew creates a managed secret with the prefix databrew. The
cost of storing the secret is included with the charge for using DataBrew.


AWS DATASYNC


To collect information about an on-premises storage system, AWS DataSync
Discovery uses the credentials for the storage system's management interface.
DataSync stores those credentials in a Secrets Manager managed secret with the
prefix datasync. You are charged for that secret. For more information, see
Adding your on-premises storage system to DataSync Discovery in the AWS DataSync
User Guide.


AWS DIRECT CONNECT


AWS Direct Connect stores a connectivity association key name and connectivity
association key pair (CKN/CAK pair) in a managed secret with the prefix
directconnect. The cost of the secret is included with the charge for AWS Direct
Connect. To update the secret, you must use AWS Direct Connect rather than
Secrets Manager. For more information, see Associate a MACsec CKN/CAK with a LAG
in the AWS Direct Connect User Guide.


AMAZON ELASTIC CONTAINER SERVICE


When you use Amazon ECS Service Connect, Amazon ECS uses Secrets Manager secrets
to store AWS Private Certificate Authority TLS certificates. The cost of storing
the secret is included with the charges for Amazon ECS. To update the secret,
you must use Amazon ECS rather than Secrets Manager. For more information, see
TLS with Service Connect in the Amazon Elastic Container Service Developer
Guide.


AMAZON EVENTBRIDGE


When you create an Amazon EventBridge API destination, EventBridge stores the
connection for it in a Secrets Manager managed secret with the prefix events.
The cost of storing the secret is included with the charge for using an API
destination. To update the secret, you must use EventBridge rather than Secrets
Manager. For more information, see API destinations in the Amazon EventBridge
User Guide.


AWS MARKETPLACE


When you use AWS Marketplace Quick Launch, AWS Marketplace distributes your
software along with the license key. AWS Marketplace stores the license key in
your account as a Secrets Manager managed secret. The cost of storing the secret
is included with the charges for AWS Marketplace. To update the secret, you must
use AWS Marketplace rather than Secrets Manager. For more information, see
Configure Quick Launch in the AWS Marketplace Seller Guide.


AWS OPSWORKS FOR CHEF AUTOMATE


When you create a new server in AWS OpsWorks CM, OpsWorks CM stores information
for the server in a Secrets Manager managed secret with the prefix opsworks-cm.
The cost of the secret is included in the charge for AWS OpsWorks. For more
information, see Integration with AWS Secrets Manager in the AWS OpsWorks User
Guide.


AMAZON RDS AND AURORA


To manage master user credentials for Amazon Relational Database Service (Amazon
RDS), including Aurora, Amazon RDS can create a managed secret for you. You are
charged for that secret. Amazon RDS also manages rotation for these credentials.
For more information, see Password management with Amazon RDS and AWS Secrets
Manager in the Amazon RDS User Guide and Password management with Amazon Aurora
and AWS Secrets Manager in the Amazon Aurora User Guide.

For other Amazon RDS credentials, see Create an AWS Secrets Manager database
secret.


AMAZON REDSHIFT


To manage admin credentials for Amazon Redshift, Amazon Redshift can create a
managed secret for you. You are charged for that secret. Amazon Redshift also
manages rotation for these credentials. For more information, see Managing
Amazon Redshift admin passwords using AWS Secrets Manager in the Amazon Redshift
Management Guide.

For other Amazon Redshift credentials, see Create an AWS Secrets Manager
database secret. To use a secret for credentials when you call the Data API, see
Using the Amazon Redshift Data API. To use a secret when you use the Amazon
Redshift query editor to connect to a database, see Querying a database using
the query editor in the Amazon Redshift Management Guide and Amazon Redshift
query editor v2.


AMAZON REDSHIFT QUERY EDITOR V2


When you use the Amazon Redshift query editor v2 to connect to a database,
Amazon Redshift can store your credentials in a Secrets Manager managed secret
with the prefix sqlworkbench. The cost of storing the secret is included with
the charge for using Amazon Redshift. To update the secret, you must use Amazon
Redshift rather than Secrets Manager. For more information, see Working with
query editor v2 in the Amazon Redshift Management Guide.

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.

