JSON structure of Amazon Secrets Manager secrets - Amazon Secrets Manager

JSON structure of Amazon Secrets Manager secrets

You can store any text or binary in Secrets Manager secrets. If you want to turn on automatic rotation for a Secrets Manager secret, it must be in the correct JSON structure. During rotation, Secrets Manager uses the information in the secret to connect to the credential source and update the credentials there. The JSON key names are case-sensitive.

Note that when you use the console to store a database secret, Secrets Manager automatically creates it in the correct JSON structure.

You can add more key/value pairs to a secret, for example in a database secret, to contain connection information for replica databases in other Regions.

Amazon RDS Db2 secret structure

For Amazon RDS Db2 instances, because users can't change their own passwords, you must provide admin credentials in a separate secret.

{ "engine": "db2", "host": "<instance host name/resolvable DNS name>", "username": "<username>", "password": "<password>", "dbname": "<database name. If not specified, defaults to None>", "port": <TCP port number. If not specified, defaults to 3306>, "masterarn": "<the ARN of the elevated secret>" }

Amazon RDS MariaDB secret structure

{ "engine": "mariadb", "host": "<instance host name/resolvable DNS name>", "username": "<username>", "password": "<password>", "dbname": "<database name. If not specified, defaults to None>", "port": <TCP port number. If not specified, defaults to 3306> }

To use the Rotation strategy: alternating users, you include the masterarn for the secret that contains admin or superuser credentials.

{ "engine": "mariadb", "host": "<instance host name/resolvable DNS name>", "username": "<username>", "password": "<password>", "dbname": "<database name. If not specified, defaults to None>", "port": <TCP port number. If not specified, defaults to 3306>, "masterarn": "<the ARN of the elevated secret>" }

Amazon RDS and Amazon Aurora MySQL secret structure

{ "engine": "mysql", "host": "<instance host name/resolvable DNS name>", "username": "<username>", "password": "<password>", "dbname": "<database name. If not specified, defaults to None>", "port": <TCP port number. If not specified, defaults to 3306> }

To use the Rotation strategy: alternating users, you include the masterarn for the secret that contains admin or superuser credentials.

{ "engine": "mysql", "host": "<instance host name/resolvable DNS name>", "username": "<username>", "password": "<password>", "dbname": "<database name. If not specified, defaults to None>", "port": <TCP port number. If not specified, defaults to 3306>, "masterarn": "<the ARN of the elevated secret>" }

Amazon RDS Oracle secret structure

{ "engine": "oracle", "host": "<required: instance host name/resolvable DNS name>", "username": "<required: username>", "password": "<required: password>", "dbname": "<required: database name>", "port": <optional: TCP port number. If not specified, defaults to 1521> }

To use the Rotation strategy: alternating users, you include the masterarn for the secret that contains admin or superuser credentials.

{ "engine": "oracle", "host": "<required: instance host name/resolvable DNS name>", "username": "<required: username>", "password": "<required: password>", "dbname": "<required: database name>", "port": <optional: TCP port number. If not specified, defaults to 1521>, "masterarn": "<the ARN of the elevated secret>" }

Amazon RDS and Amazon Aurora PostgreSQL secret structure

{ "engine": "postgres", "host": "<instance host name/resolvable DNS name>", "username": "<username>", "password": "<password>", "dbname": "<database name. If not specified, defaults to 'postgres'>", "port": <TCP port number. If not specified, defaults to 5432> }

To use the Rotation strategy: alternating users, you include the masterarn for the secret that contains admin or superuser credentials.

{ "engine": "postgres", "host": "<instance host name/resolvable DNS name>", "username": "<username>", "password": "<password>", "dbname": "<database name. If not specified, defaults to 'postgres'>", "port": <TCP port number. If not specified, defaults to 5432>, "masterarn": "<the ARN of the elevated secret>" }

Amazon RDS Microsoft SQLServer secret structure

{ "engine": "sqlserver", "host": "<instance host name/resolvable DNS name>", "username": "<username>", "password": "<password>", "dbname": "<database name. If not specified, defaults to 'master'>", "port": <TCP port number. If not specified, defaults to 1433> }

To use the Rotation strategy: alternating users, you include the masterarn for the secret that contains admin or superuser credentials.

{ "engine": "sqlserver", "host": "<instance host name/resolvable DNS name>", "username": "<username>", "password": "<password>", "dbname": "<database name. If not specified, defaults to 'master'>", "port": <TCP port number. If not specified, defaults to 1433>, "masterarn": "<the ARN of the elevated secret>" }

Amazon DocumentDB secret structure

{ "engine": "mongo", "host": "<instance host name/resolvable DNS name>", "username": "<username>", "password": "<password>", "dbname": "<database name. If not specified, defaults to None>", "port": <TCP port number. If not specified, defaults to 27017>, "ssl": <true|false. If not specified, defaults to false> }

To use the Rotation strategy: alternating users, you include the masterarn for the secret that contains admin or superuser credentials.

{ "engine": "mongo", "host": "<instance host name/resolvable DNS name>", "username": "<username>", "password": "<password>", "dbname": "<database name. If not specified, defaults to None>", "port": <TCP port number. If not specified, defaults to 27017>, "masterarn": "<the ARN of the elevated secret>", "ssl": <true|false. If not specified, defaults to false> }

Amazon Redshift secret structure

{ "engine": "redshift", "host": "<instance host name/resolvable DNS name>", "username": "<username>", "password": "<password>", "dbname": "<database name. If not specified, defaults to None>", "port": <TCP port number. If not specified, defaults to 5439> }

To use the Rotation strategy: alternating users, you include the masterarn for the secret that contains admin or superuser credentials.

{ "engine": "redshift", "host": "<instance host name/resolvable DNS name>", "username": "<username>", "password": "<password>", "dbname": "<database name. If not specified, defaults to None>", "port": <TCP port number. If not specified, defaults to 5439>, "masterarn": "<the ARN of the elevated secret>" }

Amazon Redshift Serverless secret structure

{ "engine": "redshift", "host": "<instance host name/resolvable DNS name>", "username": "<username>", "password": "<password>", "dbname": "<database name. If not specified, defaults to None>", "namespaceName": "<namespace name>", "port": <TCP port number. If not specified, defaults to 5439> }

To use the Rotation strategy: alternating users, you include the masterarn for the secret that contains admin or superuser credentials.

{ "engine": "redshift", "host": "<instance host name/resolvable DNS name>", "username": "<username>", "password": "<password>", "dbname": "<database name. If not specified, defaults to None>", "namespaceName": "<namespace name>", "port": <TCP port number. If not specified, defaults to 5439>, "masterarn": "<the ARN of the elevated secret>" }
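The validator below is an added example, not code from the Secrets Manager documentation or its rotation function templates. It checks a SecretString against the database secret structures above before rotation is turned on: the required keys, case-sensitive key names, the per-engine port and dbname defaults, and the masterarn that alternating users rotation (and, on this page, Db2) requires. The function names and the sample secrets in the test are constructed for the example.

```python
import json

# Default TCP ports and default dbnames per engine, as listed on this page.
DEFAULT_PORTS = {"db2": 3306, "mariadb": 3306, "mysql": 3306, "oracle": 1521,
                 "postgres": 5432, "sqlserver": 1433, "mongo": 27017, "redshift": 5439}
DEFAULT_DBNAMES = {"postgres": "postgres", "sqlserver": "master"}
REQUIRED_KEYS = ("engine", "host", "username", "password")


def validate_db_secret(secret_string, alternating_users=False):
    """Parse a SecretString, apply the page's defaults and return the normalised dict.

    Raises ValueError with a specific reason when rotation would fail on this secret.
    """
    try:
        secret = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        raise ValueError(f"SecretString is not valid JSON: {exc}") from exc
    if not isinstance(secret, dict):
        raise ValueError("SecretString must be a JSON object")
    # Key names are case-sensitive: "Username" or "HOST" is not found by the rotation function.
    missing = [k for k in REQUIRED_KEYS if k not in secret]
    if missing:
        raise ValueError(f"missing required keys: {missing}")
    engine = secret["engine"]
    if engine not in DEFAULT_PORTS:
        raise ValueError(f"unsupported engine {engine!r}")
    # Db2 users cannot change their own passwords, so admin credentials always live in a separate secret.
    if (alternating_users or engine == "db2") and "masterarn" not in secret:
        raise ValueError("masterarn is required for alternating users rotation and for db2")
    port = secret.get("port", DEFAULT_PORTS[engine])
    if isinstance(port, str) and port.isdigit():  # also accept a numeric string
        port = int(port)
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError(f"port must be a TCP port number, got {port!r}")
    normalised = dict(secret, port=port)
    normalised.setdefault("dbname", DEFAULT_DBNAMES.get(engine))
    if engine == "mongo":
        normalised.setdefault("ssl", False)  # DocumentDB: ssl defaults to false
    return normalised


def rotation_ready(secret_string, alternating_users=False):
    """Return (True, normalised secret) or (False, reason) without raising."""
    try:
        return True, validate_db_secret(secret_string, alternating_users)
    except ValueError as exc:
        return False, str(exc)
```

Run it against the output of GetSecretValue (the SecretString field) before enabling rotation; a False result names the key that the rotation function would fail on.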

Amazon ElastiCache secret structure

{ "password": "<password>", "username": "<username>", "user_arn": "<ARN of the Amazon EC2 user>" }

For more information, see Automatically rotating passwords for users in the Amazon ElastiCache User Guide.

Active Directory secret structures

Amazon Directory Service uses secrets to store Active Directory credentials. For more information, see Seamlessly join an Amazon EC2 Linux instance to your Managed AD Active Directory in the Amazon Directory Service Administration Guide. Seamless domain join requires the key names in the following examples. If you don't use seamless domain join, you can change the names of the keys in the secret using environment variables as described in the rotation function template code.

To rotate Active Directory secrets, you can use the Active Directory rotation templates.

Active Directory credential secret structure

{ "awsSeamlessDomainUsername": "<username>", "awsSeamlessDomainPassword": "<password>" }

If you want to rotate the secret, you include the domain directory ID.

{ "awsSeamlessDomainDirectoryId": "d-12345abc6e", "awsSeamlessDomainUsername": "<username>", "awsSeamlessDomainPassword": "<password>" }

If the secret is used in conjunction with a secret that contains a keytab, you include the keytab secret ARNs.

{ "awsSeamlessDomainDirectoryId": "d-12345abc6e", "awsSeamlessDomainUsername": "<username>", "awsSeamlessDomainPassword": "<password>", "directoryServiceSecretVersion": 1, "schemaVersion": "1.0", "keytabArns": [ "<ARN of child keytab secret 1>", "<ARN of child keytab secret 2>", "<ARN of child keytab secret 3>" ], "lastModifiedDateTime": "2021-07-19 17:06:58" }

Active Directory keytab secret structure

For information about using keytab files to authenticate to Active Directory accounts on Amazon EC2, see Deploying and configuring Active Directory authentication with SQL Server 2017 on Amazon Linux 2.

{ "awsSeamlessDomainDirectoryId": "d-12345abc6e", "schemaVersion": "1.0", "name": "<name>", "principals": [ "aduser@MY.EXAMPLE.COM", "MSSQLSvc/test:1433@MY.EXAMPLE.COM" ], "keytabContents": "<keytab>", "parentSecretArn": "<ARN of parent secret>", "lastModifiedDateTime": "2021-07-19 17:06:58", "version": 1 }