Secrets Manager can deliver rotation events of dynamic ApsaraDB RDS secrets to CloudMonitor. You can query the rotation events and create event-triggered alert rules in the CloudMonitor console. This way, you can receive alert notifications for events and automate the event handling process.
Query rotation events
Log on to the CloudMonitor console.
In the left-side navigation pane, choose .
On the Event Monitoring tab, select Key Management Service (KMS) from the All Products drop-down list. Then, configure the alert level of the event, the event name, and the time range to query.
Find the system event that you want to view and click Details in the Actions column.
The event details are displayed in JSON format.
Create an event-triggered alert rule
You can create event-triggered alert rules to monitor the rotation of dynamic ApsaraDB RDS secrets and automate the event handling process. For example, you can monitor failed rotation of dynamic ApsaraDB RDS secrets and use Function Compute to automatically resolve the failure.
Log on to the CloudMonitor console.
In the left-side navigation pane, choose .
On the Event Monitoring tab, click Save as Alert Rule.
Click Create Alert Rule.
In the Create/Modify Event-triggered Alert Rule panel, configure the parameters and click OK.
Parameter
Description
Alert Rule Name
The name of the event-triggered alert rule. Example: secrets_rotation_failed or secrets_rotation_success.
Product Type
The service whose events you want to manage. Select Key Management Service (KMS).
Event Type
The type of the event. Valid values:
Exception: CloudMonitor sends alert notifications only for failed rotation of dynamic ApsaraDB RDS secrets.
Notification: CloudMonitor sends alert notifications only for successful rotation of dynamic ApsaraDB RDS secrets.
All Types: CloudMonitor sends alert notifications for all rotation events of dynamic ApsaraDB RDS secrets.
Event Level
The alert level of the event. Valid values:
CRITICAL: Select this option for failed rotation of dynamic ApsaraDB RDS secrets.
INFO: Select this option for successful rotation of dynamic ApsaraDB RDS secrets.
Event Name
The name of the event. Valid values:
Secret:RotateSecret:Failure: CloudMonitor sends alert notifications only for failed rotation of dynamic ApsaraDB RDS secrets.
Secret:RotateSecret:Success: CloudMonitor sends alert notifications only for successful rotation of dynamic ApsaraDB RDS secrets.
All Events: CloudMonitor sends alert notifications for all rotation events of dynamic ApsaraDB RDS secrets.
NoteWe recommend that you do not select All Events. We also recommend that you create different event-triggered alert rules based on the impacts of different events on your business.
Keyword Filtering
The keyword that is used to filter alert rules. Valid values:
Contains any of the keywords: If the alert rule contains any one of the specified keywords, no alert notifications are sent.
Does not contain any of the keywords: If the alert rule does not contain any one of the specified keywords, no alert notifications are sent.
SQL Filter
The SQL statements that are used to filter alert rules.
Resource Range
The resources that you want to manage. Select All Resources. CloudMonitor sends alert notifications for events of all resources based on your configurations.
Notification Method
The notification method and message processing method when an event-triggered alert is generated.
Alert Notification:
Contact Group: The default value is Alert Contacts Within the Alibaba Cloud Account.
Notification Method:
Critical (Phone Call + Text Message + Email + Webhook)
Warning (SMS + Text Message + Webhook)
Info (Email + Webhook)
Message processing method: You can select Simple Message Queue (formerly MNS) , Function Compute, URL Callback, and Log Service to automate the event handling process.
Mute for
The interval at which CloudMonitor sends alert notifications. If the metric for which a notification is sent still exceeds the threshold, another alert notification is sent.
Alert notification content
An alert notification is in the <Resource type>:<Operation that was performed on the resource>:<Result> format. After you create an event-triggered alert rule for rotation events of dynamic ApsaraDB RDS secrets, the system sends alert notifications based on the rotation result.
Secret:RotateSecret:Failure: the failed rotation of dynamic ApsaraDB RDS secrets.You can view the information about rotation of dynamic ApsaraDB RDS secrets in the
contentfield of the event. The information includes theRotationEntityArnfield that indicates the ID of the ApsaraDB RDS instance associated with the secret and thefailureInfofield that indicates the failure cause. Example:{ "product": "KMS", "eventTime": "20180816T135935.689+0800", "level": "CRITICAL", "name": "Secret:RotateSecret:Failure", "regionId": "cn-hangzhou", "resourceId": " acs:kms:cn-hangzhou:123456789:secret/secretId", "status": "Failed", "content": { "eventId": "eventId", "secretName": "SecretName", "secretType": "Rds", "RotationEntityArn": "acs:rds:$regionId:$accountId:dbinstance/$dbinstanceid", "rotationStatus": "Invalid", "rotationSubType": "SingleUser", "failureInfo": { "errorCode": "Kms:ErrorCode", "errorMessage": "errorMessage" }, "failureTime": "2012-03-12T05:55:36Z" }, "ver": "1.0" }Secret:RotateSecret:Success: the successful rotation of dynamic ApsaraDB RDS secrets.Example:
{ "product":"KMS", "instanceName":"secretId", "level":"INFO", "name":"Secret:RotateSecret:Success", "regionId":"cn-hangzhou", "resourceId":" acs:kms:cn-hangzhou:123456789:secret/secretId", "status":"Normal", "content":{ "eventId": "eventId", "secretName": "SecretName", "secretType": "Rds", "RotationEntityArn": "acs:rds:$regionId:$accountId:dbinstance/$dbinstanceid", "rotationStatus": "Enabled", "secretSubType": "SingleUser", "successTime": "2012-03-12T05:55:36Z" }, "ver":"1.0" }