
Managing Amazon Redshift admin passwords using Amazon Secrets Manager

Amazon Redshift can integrate with Amazon Secrets Manager to generate and manage your admin credentials inside an encrypted secret. With Amazon Secrets Manager, you can replace your admin passwords with an API call to programmatically retrieve the secret when it’s needed. Using secrets instead of hard-coded credentials reduces the risk of those credentials being exposed or compromised. For more information about Amazon Secrets Manager, see the Amazon Secrets Manager User Guide.

You can specify that Amazon Redshift manages your admin password using Amazon Secrets Manager when you perform one of the following operations:

  • Creating a provisioned cluster or serverless namespace

  • Restoring a cluster or serverless namespace from a snapshot

When you specify that Amazon Redshift manages the admin password in Amazon Secrets Manager, Amazon Redshift generates the password and stores it in Secrets Manager. You can access the secret directly in Amazon Secrets Manager to retrieve the credentials for the admin user. Optionally, you can specify a customer managed key to encrypt the secret if you need to access the secret from another Amazon account. You can also use the KMS key that Amazon Secrets Manager provides.

Amazon Redshift manages the settings for the secret and rotates the secret every 30 days by default. You can manually rotate the secret at any time. If you delete a provisioned cluster or serverless namespace that manages a secret in Amazon Secrets Manager, the secret and its associated metadata are also deleted.

To connect to a cluster or serverless namespace with secret-managed credentials, you can retrieve the secret from Amazon Secrets Manager using the Secrets Manager console or the GetSecretValue Secrets Manager API call. For more information, see Retrieve secrets from Amazon Secrets Manager and Connect to a SQL database with credentials in an Amazon Secrets Manager secret in the Amazon Secrets Manager User Guide.

Permissions required for Amazon Secrets Manager integration

Users must have the required permissions to perform operations related to Amazon Secrets Manager integration. Create IAM policies that grant permissions to perform specific API operations on the specified resources they need. Then attach those policies to the IAM permission sets or roles that require those permissions. For more information, see Identity and access management in Amazon Redshift.

The user who specifies that Amazon Redshift manages the admin password in Amazon Secrets Manager must have permissions to perform the following operations:

  • secretsmanager:CreateSecret

  • secretsmanager:RotateSecret

  • secretsmanager:DescribeSecret

  • secretsmanager:UpdateSecret

  • secretsmanager:DeleteSecret

  • secretsmanager:GetRandomPassword

  • secretsmanager:TagResource

If the user wants to pass a KMS key in the MasterPasswordSecretKmsKeyId parameter for provisioned clusters, or the AdminPasswordSecretKmsKeyId parameter for serverless namespaces, the user also requires the following permissions in addition to those listed above:

  • kms:Decrypt

  • kms:GenerateDataKey

  • kms:CreateGrant

  • kms:RetireGrant
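The two permission lists above expressed as a least-privilege IAM policy, together with a check that a candidate policy grants every listed action. This is an added example, not a policy from the Amazon Redshift documentation: the key ARN and account ID are placeholders, and the Secrets Manager statement uses Resource "*" only because the page does not give the name Amazon Redshift assigns to the secret.

```python
import json

# Actions the page lists for the user who asks Amazon Redshift to manage the admin password.
SECRETS_MANAGER_ACTIONS = [
    "secretsmanager:CreateSecret",
    "secretsmanager:RotateSecret",
    "secretsmanager:DescribeSecret",
    "secretsmanager:UpdateSecret",
    "secretsmanager:DeleteSecret",
    "secretsmanager:GetRandomPassword",
    "secretsmanager:TagResource",
]
# Additional actions when MasterPasswordSecretKmsKeyId / AdminPasswordSecretKmsKeyId is set.
KMS_ACTIONS = ["kms:Decrypt", "kms:GenerateDataKey", "kms:CreateGrant", "kms:RetireGrant"]

# Placeholder (assumption): the customer managed key you pass to Amazon Redshift.
KMS_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/REPLACE-WITH-KEY-ID"


def build_policy(include_kms=True):
    """Build an IAM policy document granting exactly the actions listed above."""
    statements = [{
        "Sid": "RedshiftManagedAdminSecret",
        "Effect": "Allow",
        "Action": SECRETS_MANAGER_ACTIONS,
        # The page does not give the name Amazon Redshift assigns to the secret,
        # so the ARN cannot be pinned here; narrow this once you know it.
        "Resource": "*",
    }]
    if include_kms:
        statements.append({
            "Sid": "CustomerManagedKeyForAdminSecret",
            "Effect": "Allow",
            "Action": KMS_ACTIONS,
            "Resource": KMS_KEY_ARN,  # one key, never "*"
        })
    return {"Version": "2012-10-17", "Statement": statements}


def missing_actions(policy, required):
    """Return the actions in `required` that no Allow statement in `policy` grants
    (exact action names only; wildcards such as "kms:*" are treated as not granting)."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        granted.update([actions] if isinstance(actions, str) else actions)
    return set(required) - granted


if __name__ == "__main__":
    print(json.dumps(build_policy(), indent=2))
```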

Rotating the admin password secret

By default, Amazon Redshift automatically rotates your secret every 30 days to ensure your credentials don’t stay the same for prolonged periods. When Amazon Redshift rotates an admin password secret, Amazon Secrets Manager updates the existing secret to contain a new admin password. Amazon Redshift changes the admin password for the cluster to match the password in the updated secret.

You can rotate a secret immediately instead of waiting for a scheduled rotation by using Amazon Secrets Manager. For more information on rotating secrets, see Rotate Amazon Secrets Manager secrets in the Amazon Secrets Manager User Guide.

Retrieving the secret’s Amazon Resource Name (ARN) in Amazon Redshift

You can view the Amazon Resource Name (ARN) for any secrets being managed by Amazon Secrets Manager using the Amazon Redshift console. Once you have the secret’s ARN, you can view details about your secret and the encrypted data in your secret using Amazon Secrets Manager. For more information on retrieving secrets using the ARN, see Retrieve secrets in the Amazon Secrets Manager User Guide.

Viewing the details about a secret for an Amazon Redshift provisioned cluster

View the Amazon Resource Name (ARN) for your cluster's secret using the Amazon Redshift console with the following procedure:

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Redshift console.

  2. In the Cluster overview pane, choose the cluster whose secret you want to view.

  3. Choose the Properties tab.

  4. View the secret's ARN under Admin credentials ARN. This ARN is the identifier for the secret, which you can use in Amazon Secrets Manager to view the secret's details.

Viewing the details about a secret for an Amazon Redshift Serverless namespace

View the Amazon Resource Name (ARN) for your serverless namespace's secret using the Amazon Redshift console with the following procedure:

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Redshift console.

  2. From the Provisioned clusters dashboard, choose Go to Serverless in the upper right of the page.

  3. From the Serverless dashboard, scroll to the Namespaces / Workgroups pane and choose the namespace whose secret you want to view.

  4. In the General information pane, view the secret's ARN under Admin credentials ARN. This ARN is the identifier for the secret, which you can use in Amazon Secrets Manager to view the secret's details.

Creating a secret for database connection credentials

You can create a Secrets Manager secret to store credentials used to connect to an Amazon Redshift provisioned cluster or Redshift Serverless namespace and workgroup. You can also use this secret when scheduling a query in Amazon Redshift query editor v2.

To create a secret for a database in an Amazon Redshift provisioned cluster using the Secrets Manager console
  1. Open the Secrets Manager console (https://console.amazonaws.cn/secretsmanager/).

  2. Navigate to the list of Secrets and choose Store a new secret.

  3. Choose Credentials for Amazon Redshift data warehouse. Enter your information in the steps to create a secret as follows:

    • In Credentials for User name, enter the name of the administrative user of the data warehouse.

    • In Credentials for Password, enter the password for the User name.

    • For Encryption key, choose your encryption key.

    • For Data warehouse, choose the Amazon Redshift provisioned cluster that contains your data.

    • For Secret name, enter a name for the secret.

    • For Description, enter a description of the secret.

    • For Tags, enter a Tag key with the word Redshift. This tag key is needed to list secrets when you attempt to connect to your data warehouse using Amazon Redshift query editor v2. The secret must have a tag key that starts with the string Redshift for the secret to be listed under Amazon Secrets Manager on the management console.

  4. Continue entering information about your secret through several steps until you Store your changes on the Review step.

    The specific values of your credentials, engine, host, port, and cluster identifier are stored in the secret. Also, the secret is tagged with the tag key Redshift.

To create a secret for a database in a Redshift Serverless namespace using the Redshift Serverless console
  1. Sign in to the Amazon Web Services Management Console and open the Amazon Redshift console at https://console.amazonaws.cn/redshiftv2/.

  2. Choose Redshift serverless and navigate to Namespace configuration.

  3. Choose a namespace for which to create secret credentials.

  4. Open Actions, Edit admin credentials.

  5. For Admin password, choose Manage admin credentials in Amazon Secrets Manager.

  6. Choose Save changes to save your changes.

Confirm that a message appears that the password successfully changed. You can also view the secret in the Secrets Manager console. You can use this secret to connect to a database in a workgroup in the Redshift Serverless console and Amazon Redshift query editor v2, using the Amazon Secrets Manager connection method. The secret must have a tag key that starts with the string Redshift for it to be listed in the query editor v2 web application and under Amazon Secrets Manager on the management console.

To create a secret for a database in a Redshift Serverless namespace using the Secrets Manager console
  1. Open the Secrets Manager console (https://console.amazonaws.cn/secretsmanager/).

  2. Navigate to the list of Secrets and choose Store a new secret.

  3. Choose Credentials for Amazon Redshift data warehouse. Enter your information in the steps to create a secret as follows:

    • In Credentials for User name, enter the name of the administrative user of the data warehouse.

    • In Credentials for Password, enter the password for the User name.

    • For Encryption key, choose your encryption key.

    • For Data warehouse, choose the Redshift Serverless namespace that contains your data.

    • For Secret name, enter a name for the secret.

    • For Description, enter a description of the secret.

    • For Tags, enter a Tag key with the word Redshift. This tag key is needed to list secrets when you attempt to connect to your data warehouse using Amazon Redshift query editor v2. The secret must have a tag key that starts with the string Redshift for the secret to be listed under Amazon Secrets Manager on the management console.

  4. Continue entering information about your secret through several steps until you Store your changes on the Review step.

    The specific values of your credentials, database name, host, port, namespace, and engine are stored in the secret. Also, the secret is tagged with the tag key Redshift.

To create a secret for a database in a Redshift Serverless namespace using the Amazon CLI

You can use the Amazon CLI to create a secret. One method is to use Amazon CloudShell to run the Secrets Manager Amazon CLI command as follows. You must have the proper permissions to run the Amazon CLI commands shown in the following procedure.

  1. On the Amazon console, open the Amazon CloudShell command prompt. For more information about Amazon CloudShell, see What is Amazon CloudShell in the Amazon CloudShell User Guide.

  2. For example, for the secret MyTestSecret, enter a Secrets Manager command to store the secret that is used to connect to a database or to schedule an Amazon Redshift query editor v2 query. Replace the following values in the command with values for your environment:

    • admin is the administrator user name for the data warehouse.

    • passw0rd is the password of the administrator.

    • dev is the initial database name in the data warehouse.

    • region is the Amazon Web Services Region that contains the data warehouse. For example us-east-1.

    • 123456789012 is the Amazon Web Services account.

    • namespace-id is the namespace identifier similar to c3928f0e-c889-4d2b-97a5-5738324d5d3e. You can find this identifier on the Amazon Redshift console details page for the serverless namespace.

    aws secretsmanager create-secret \
      --name MyTestSecret \
      --description "My test secret created with the CLI." \
      --secret-string "{\"username\":\"admin\",\"password\":\"passw0rd\",\"dbname\":\"dev\",\"engine\":\"redshift\"}" \
      --tags "[{\"Key\":\"redshift-serverless:namespaceArn\",\"Value\":\"arn:aws:redshift-serverless:region:123456789012:namespace/namespace-id\"}]"
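A check that a secret created by the procedures above is usable as this page describes: the secret string has the expected keys and engine, the password is never echoed, and the tagging rules (a tag key starting with Redshift for query editor v2 listing; the redshift-serverless:namespaceArn tag the CLI example attaches) are verified. This is an added example, not code from the Amazon Redshift documentation; the GetSecretValue and DescribeSecret responses are constructed placeholders shaped like the real API output.

```python
import json

# Constructed samples (placeholder values, not real credentials) shaped like the
# GetSecretValue and DescribeSecret responses for the CLI-created secret above.
SAMPLE_SECRET_VALUE = {
    "Name": "MyTestSecret",
    "SecretString": json.dumps({"username": "admin", "password": "passw0rd",
                                "dbname": "dev", "engine": "redshift"}),
}
SAMPLE_DESCRIBE = {
    "Name": "MyTestSecret",
    "Tags": [{"Key": "redshift-serverless:namespaceArn",
              "Value": "arn:aws:redshift-serverless:region:123456789012:namespace/namespace-id"}],
}

REQUIRED_KEYS = {"username", "password", "dbname", "engine"}
NAMESPACE_TAG = "redshift-serverless:namespaceArn"


def check_secret(secret_value, describe):
    """Validate a Redshift connection secret without exposing the password.

    Returns (problems, safe_fields): `problems` lists what would stop the secret
    from working as described on this page; `safe_fields` is the secret body
    minus the password, so it can be logged.
    """
    problems = []
    try:
        body = json.loads(secret_value.get("SecretString") or "")
    except json.JSONDecodeError:
        body = None
    if not isinstance(body, dict):
        return ["SecretString is not a JSON object"], {}
    missing = REQUIRED_KEYS - set(body)
    if missing:
        problems.append("missing keys: " + ", ".join(sorted(missing)))
    if body.get("engine") != "redshift":
        problems.append("engine must be 'redshift'")
    tag_keys = [t.get("Key", "") for t in describe.get("Tags", [])]
    # Query editor v2 lists a secret only if some tag key starts with "Redshift".
    if not any(k.startswith("Redshift") for k in tag_keys):
        problems.append("no tag key starting with 'Redshift' (query editor v2 will not list it)")
    # A console-created secret stores host and port; the CLI example instead
    # attaches the namespace ARN as a tag. One of the two is needed to locate the warehouse.
    if NAMESPACE_TAG not in tag_keys and not {"host", "port"} <= set(body):
        problems.append("no host/port in secret and no %s tag" % NAMESPACE_TAG)
    safe_fields = {k: v for k, v in body.items() if k != "password"}
    return problems, safe_fields
```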

Considerations using Amazon Secrets Manager with Amazon Redshift

When using Amazon Secrets Manager to manage your provisioned cluster or serverless namespace’s admin credentials, consider the following:

  • When you pause a cluster whose admin credentials are managed by Amazon Secrets Manager, your cluster's secret won't be deleted and you'll continue to be billed for the secret. Secrets are only deleted when you delete the cluster.

  • If your cluster is paused when Amazon Redshift attempts to rotate its attached secret, the rotation will fail. In this case, Amazon Redshift stops auto-rotation and won’t try to rotate it again, even after you resume the cluster. You must restart the auto-rotation schedule using the secretsmanager:RotateSecret API call to continue having Amazon Secrets Manager automatically rotate your secret.

  • If your serverless namespace doesn’t have a workgroup associated when Amazon Redshift attempts to rotate its attached secret, the rotation will fail and Amazon Redshift won’t try to rotate it again, even after you attach a workgroup. You must restart the auto-rotation schedule using the secretsmanager:RotateSecret API call to continue having Amazon Secrets Manager automatically rotate your secret.
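Because a failed rotation on a paused cluster or workgroup-less namespace silently stops the 30-day schedule, a periodic check over DescribeSecret output is worth running. This is an added example, not code from the Amazon Redshift documentation: the responses are constructed, and it assumes that a stopped schedule shows as RotationEnabled false and, in any case, as a LastRotatedDate older than the rotation interval.

```python
from datetime import datetime, timedelta, timezone

DEFAULT_ROTATION_DAYS = 30  # interval the page states Amazon Redshift uses


def rotation_findings(describe, now=None):
    """Return findings for one DescribeSecret response.

    Flags the ways the 30-day rotation described on this page can stop happening:
    rotation switched off, never rotated, or last rotation older than the
    configured interval (plus one day of slack for the rotation window).
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    if not describe.get("RotationEnabled", False):
        findings.append("automatic rotation is off; restart it with RotateSecret")
    interval = describe.get("RotationRules", {}).get("AutomaticallyAfterDays",
                                                     DEFAULT_ROTATION_DAYS)
    last = describe.get("LastRotatedDate")
    if last is None:
        findings.append("secret has never been rotated")
    elif now - last > timedelta(days=interval + 1):
        findings.append("rotation overdue: last rotated %d days ago" % (now - last).days)
    return findings


# Constructed samples (not real API output); dates are tz-aware as boto3 returns them.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
HEALTHY = {"Name": "redshift-managed-secret", "RotationEnabled": True,
           "RotationRules": {"AutomaticallyAfterDays": 30},
           "LastRotatedDate": NOW - timedelta(days=12)}
# Mimics a secret whose rotation failed while the cluster was paused (assumption:
# the schedule reads as disabled afterwards and the last rotation goes stale).
STALLED = {"Name": "redshift-managed-secret", "RotationEnabled": False,
           "RotationRules": {"AutomaticallyAfterDays": 30},
           "LastRotatedDate": NOW - timedelta(days=47)}
NEVER_ROTATED = {"Name": "new-secret", "RotationEnabled": True}

if __name__ == "__main__":
    for desc in (HEALTHY, STALLED, NEVER_ROTATED):
        print(desc["Name"], rotation_findings(desc, NOW) or ["ok"])
```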