Secrets Manager can deliver rotation events of dynamic ApsaraDB RDS secrets to CloudMonitor. You can query the rotation events and create event-triggered alert rules in the CloudMonitor console. This way, you can receive alert notifications for events and automate the event handling process.

Query rotation events

  1. Log on to the CloudMonitor console.
  2. In the left-side navigation pane, choose Event Monitoring > System Event.
  3. On the Event Monitoring tab, select Key Management Service (KMS) from the All Products drop-down list. Then, configure the alert level of the event, the event name, and the time range to query.
  4. Find the system event that you want to view and click Details in the Actions column.
    The event details are displayed in JSON format.

Create an event-triggered alert rule

You can create event-triggered alert rules to monitor the rotation of dynamic ApsaraDB RDS secrets and automate the event handling process. For example, you can monitor failed rotation of dynamic ApsaraDB RDS secrets and use Function Compute to automatically resolve the failure.

  1. Log on to the CloudMonitor console.
  2. In the left-side navigation pane, choose Event Monitoring > System Event.
  3. Click the Event-triggered Alert Rules tab.
  4. Click Create Alert Rule.
  5. In the Create/Modify Event-triggered Alert Rule panel, configure the parameters and click OK.
    Parameter Description
    Alert Rule Name The name of the event-triggered alert rule. Example: secrets_rotation_failed or secrets_rotation_success.
    Product Type The service whose events you want to manage. Select Key Management Service (KMS).
    Event Type The type of the event. Valid values:
    • Exception: CloudMonitor sends alert notifications only for failed rotation of dynamic ApsaraDB RDS secrets.
    • Notification: CloudMonitor sends alert notifications only for successful rotation of dynamic ApsaraDB RDS secrets.
    • All Types: CloudMonitor sends alert notifications for all rotation events of dynamic ApsaraDB RDS secrets.
    Event Level The alert level of the event. Valid values:
    • CRITICAL: Select this option for failed rotation of dynamic ApsaraDB RDS secrets.
    • INFO: Select this option for successful rotation of dynamic ApsaraDB RDS secrets.
    Event Name The name of the event. Valid values:
    • Secret:RotateSecret:Failure: CloudMonitor sends alert notifications only for failed rotation of dynamic ApsaraDB RDS secrets.
    • Secret:RotateSecret:Success: CloudMonitor sends alert notifications only for successful rotation of dynamic ApsaraDB RDS secrets.
    • All Events: CloudMonitor sends alert notifications for all rotation events of dynamic ApsaraDB RDS secrets.
      Note We recommend that you do not select All Events. We also recommend that you create different event-triggered alert rules based on the impacts of different events on your business.
    Keyword Filtering The keyword that is used to filter alert rules. Valid values:
    • Contains any of the keywords: If the alert rule contains any one of the specified keywords, no alert notifications are sent.
    • Does not contain any of the keywords: If the alert rule does not contain any one of the specified keywords, no alert notifications are sent.
    SQL Filter The SQL statements that are used to filter alert rules.
    Resource Range The resources that you want to manage. Select All Resources. CloudMonitor sends alert notifications for events of all resources based on your configurations.
    Notification Method The notification method and message processing method when an event-triggered alert is generated.
    • Alert Notification:
      • Contact Group: The default value is Alert Contacts Within the Alibaba Cloud Account.
      • Notification Method:
        • Critical (Phone Call + Text Message + Email + Webhook)
        • Warning (SMS + Text Message + Webhook)
        • Info (Email + Webhook)
    • Message processing method: You can select MNS Queue, Function Compute, URL Callback, and Log Service to automate the event handling process.
    Mute for The interval at which CloudMonitor sends alert notifications. If the metric for which a notification is sent still exceeds the threshold, another alert notification is sent.

Alert notification content

An alert notification is in the <Resource type>:<Operation that was performed on the resource>:<Result> format. After you create an event-triggered alert rule for rotation events of dynamic ApsaraDB RDS secrets, the system sends alert notifications based on the rotation result.
  • Secret:RotateSecret:Failure: the failed rotation of dynamic ApsaraDB RDS secrets.
    You can view the information about rotation of dynamic ApsaraDB RDS secrets in the content field of the event. The information includes the RotationEntityArn field that indicates the ID of the ApsaraDB RDS instance associated with the secret and the failureInfo field that indicates the failure cause. Example:
    {
    "product": "KMS",
    "eventTime": "20180816T135935.689+0800",
    "level": "CRITICAL",
    "name": "Secret:RotateSecret:Failure",
    "regionId": "cn-hangzhou",
    "resourceId": " acs:kms:cn-hangzhou:123456789:secret/secretId",
    "status": "Failed",
    "content": {
        "eventId": "eventId",
        "secretName": "SecretName",
        "secretType": "Rds",
        "RotationEntityArn": "acs:rds:$regionId:$accountId:dbinstance/$dbinstanceid",
        "rotationStatus": "Invalid",
        "rotationSubType": "SingleUser",
        "failureInfo": {
            "errorCode": "Kms:ErrorCode",
            "errorMessage": "errorMessage"
        },
        "failureTime": "2012-03-12T05:55:36Z"
    },
    "ver": "1.0"
}
  • Secret:RotateSecret:Success: the successful rotation of dynamic ApsaraDB RDS secrets.

    Example:

    {
    "product":"KMS",
    "instanceName":"secretId", 
    "level":"INFO",
    "name":"Secret:RotateSecret:Success",
    "regionId":"cn-hangzhou",
    "resourceId":" acs:kms:cn-hangzhou:123456789:secret/secretId",
    "status":"Normal",
       "content":{
      "eventId": "eventId",
      "secretName": "SecretName",
      "secretType": "Rds",
      "RotationEntityArn": "acs:rds:$regionId:$accountId:dbinstance/$dbinstanceid",
      "rotationStatus": "Enabled",
      "secretSubType": "SingleUser",
      "successTime": "2012-03-12T05:55:36Z"
    },
    "ver":"1.0"
}