Create an Amazon Secrets Manager database secret - Amazon Secrets Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Create an Amazon Secrets Manager database secret

After you create a user in Amazon RDS, Amazon Aurora, Amazon Redshift, or Amazon DocumentDB, you can store their credentials in Secrets Manager by following these steps. When you use the Amazon CLI or one of the SDKs to store the secret, you must provide the secret in the correct JSON structure. When you use the console to store a database secret, Secrets Manager automatically creates it in the correct JSON structure.


For Amazon RDS and Amazon Redshift admin user credentials, we recommend you use managed secrets. You create the managed secret through the managing service, and then you can use managed rotation.

When you store database credentials for a source database that is replicated to other Regions, the secret contains connection information for the source database. If you then replicate the secret, the replicas are copies of the source secret and contain the same connection information. You can add additional key/value pairs to the secret for regional connection information.

To create a secret, you need the permissions granted by the SecretsManagerReadWrite Amazon managed policy.

Secrets Manager generates a CloudTrail log entry when you create a secret. For more information, see Log Amazon Secrets Manager events with Amazon CloudTrail.

To create a secret (console)
  1. Open the Secrets Manager console at

  2. Choose Store a new secret.

  3. On the Choose secret type page, do the following:

    1. For Secret type, choose the type of database credentials to store:

      • Amazon RDS database (includes Aurora)

      • Amazon DocumentDB database

      • Amazon Redshift data warehouse

    2. For Credentials, enter the credentials for the database.

    3. For Encryption key, choose the Amazon KMS key that Secrets Manager uses to encrypt the secret value. For more information, see Secret encryption and decryption.

      • In most cases, choose aws/secretsmanager to use the Amazon managed key for Secrets Manager. There is no cost for using this key.

      • If you need to access the secret from another Amazon Web Services account, or if you want to use your own KMS key so that you can rotate it or apply a key policy to it, choose a customer managed key from the list or choose Add new key to create one. For information about the costs of using a customer managed key, see Pricing.

        You must have Permissions for the KMS key. For information about cross-account access, see Access Amazon Secrets Manager secrets from a different account.

    4. For Database, choose your database.

    5. Choose Next.

  4. On the Configure secret page, do the following:

    1. Enter a descriptive Secret name and Description. Secret names must contain 1-512 Unicode characters.

    2. (Optional) In the Tags section, add tags to your secret. For tagging strategies, see Tag Amazon Secrets Manager secrets. Don't store sensitive information in tags because they aren't encrypted.

    3. (Optional) In Resource permissions, to add a resource policy to your secret, choose Edit permissions. For more information, see Attach a permissions policy to an Amazon Secrets Manager secret.

    4. (Optional) In Replicate secret, to replicate your secret to another Amazon Web Services Region, choose Replicate secret. You can replicate your secret now or come back and replicate it later. For more information, see Replicate secrets across Regions.

    5. Choose Next.

  5. (Optional) On the Configure rotation page, you can turn on automatic rotation. You can also keep rotation off for now and then turn it on later. For more information, see Rotate secrets. Choose Next.

  6. On the Review page, review your secret details, and then choose Store.

    Secrets Manager returns to the list of secrets. If your new secret doesn't appear, choose the refresh button.

Amazon CLI

When you enter commands in a command shell, there is a risk of the command history being accessed or utilities having access to your command parameters. See Mitigate the risks of using the Amazon CLI to store your Amazon Secrets Manager secrets.

Example Create a secret from credentials in a JSON file

The following create-secret example creates a secret from credentials in a file. For more information, see Loading Amazon CLI parameters from a file in the Amazon CLI User Guide.

For Secrets Manager to be able to rotate the secret, you must make sure the JSON matches the JSON structure of a secret.

    aws secretsmanager create-secret \
        --name MyTestSecret \
        --secret-string file://mycreds.json

Contents of mycreds.json:

    {
      "engine": "mysql",
      "username": "saanvis",
      "password": "EXAMPLE-PASSWORD",
      "host": "",
      "dbname": "myDatabase",
      "port": "3306"
    }

Amazon SDK

To create a secret by using one of the Amazon SDKs, use the CreateSecret action. For more information, see Amazon SDKs.
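The CLI and SDK sections above both depend on the secret string having the structure rotation expects. The following is an added example, not code from the Amazon documentation: it checks the credential JSON and the request against the constraints this page lists (required keys, the 1-512 character name limit, no credential values in unencrypted tags) before calling CreateSecret through boto3. The engine list and the set of required keys are assumptions noted in the comments.

```python
"""Added example (not from the AWS docs): validate a database secret,
then build the CreateSecret request that the CLI or SDK would send."""
import json

# Engine values accepted by the rotation functions (assumption, not from this page).
ENGINES = {"mysql", "postgres", "mariadb", "oracle", "sqlserver", "redshift", "mongo"}
# Rotation needs these four keys; dbname and port are optional (assumption).
REQUIRED = ("engine", "host", "username", "password")


def validate_db_secret(creds: dict) -> list:
    """Return a list of problems; an empty list means the structure is usable."""
    problems = []
    for key in REQUIRED:
        if not isinstance(creds.get(key), str) or not creds[key]:
            problems.append(f"missing or empty required key: {key}")
    if isinstance(creds.get("engine"), str) and creds["engine"] not in ENGINES:
        problems.append(f"unsupported engine: {creds['engine']}")
    port = creds.get("port")
    if port is not None and not (isinstance(port, str) and port.isdigit() and 0 < int(port) < 65536):
        problems.append("port must be a numeric string from 1 to 65535")
    return problems


def build_create_secret_request(name, creds, kms_key_id=None, tags=None):
    """Build CreateSecret keyword arguments (boto3 names) or raise ValueError."""
    if not 1 <= len(name) <= 512:
        raise ValueError("secret name must be 1-512 characters")
    problems = validate_db_secret(creds)
    if problems:
        raise ValueError("; ".join(problems))
    # Tags are not encrypted: refuse any tag that repeats a credential value.
    for tag in tags or []:
        if tag["Value"] in (creds["username"], creds["password"]):
            raise ValueError(f"tag {tag['Key']!r} repeats a credential value")
    request = {"Name": name, "SecretString": json.dumps(creds)}
    if kms_key_id:  # omit to use the aws/secretsmanager managed key
        request["KmsKeyId"] = kms_key_id
    if tags:
        request["Tags"] = list(tags)
    return request


def create_db_secret(client, name, creds, **kwargs):
    """Validate, then call CreateSecret on a boto3 secretsmanager client."""
    return client.create_secret(**build_create_secret_request(name, creds, **kwargs))
```

Pass the parsed contents of mycreds.json as `creds`; the request dictionary is exactly what `boto3.client("secretsmanager").create_secret` accepts.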