All Products
Search
Document Center

Key Management Service:Integrate ApsaraDB RDS secrets into DMS

更新時間:Jul 01, 2024

Data Management (DMS) supports the integration of ApsaraDB RDS secrets. If DMS needs to log on to a database on an ApsaraDB RDS instance (hereinafter referred to as an ApsaraDB RDS database), DMS can retrieve the associated ApsaraDB RDS secret from Key Management Service (KMS) in real time. This topic describes how to configure DMS to use an ApsaraDB RDS secret to log on to an ApsaraDB RDS database.

Feature description

Before you use Data Management (DMS) to manage data assets and develop databases of ApsaraDB RDS, you must register ApsaraDB RDS databases with DMS. During the registration process, you must configure the accounts of ApsaraDB RDS databases in DMS to log on to the databases.

You can enter the accounts of ApsaraDB RDS databases in DMS. You can also integrate KMS secrets into DMS. This way, you can use ApsaraDB RDS secrets to store the accounts of ApsaraDB RDS databases. DMS uses the associated ApsaraDB RDS secrets to log on to the databases. When DMS logs on to an ApsaraDB RDS database, DMS retrieves the associated ApsaraDB RDS secret from KMS in real time. The following figure shows the process in detail.

image
  1. The secret administrator creates an ApsaraDB RDS secret in KMS for an ApsaraDB RDS database.

  2. When the DMS administrator registers the ApsaraDB RDS database with DMS, the DMS administrator configures DMS to use ApsaraDB RDS secrets to log on to the ApsaraDB RDS database.

  3. The DMS administrator initiates a connection request to the ApsaraDB RDS database.

  4. DMS calls the ListSecrets and GetSecretValue operations of KMS to retrieve the ApsaraDB RDS secret from KMS in real time.

  5. DMS uses the ApsaraDB RDS secret to log on to the ApsaraDB RDS database.

Benefits of integrating ApsaraDB RDS secrets into DMS

ApsaraDB RDS secrets are integrated into DMS to improve database security and ensure secure access to database accounts.

  • ApsaraDB RDS secrets are encrypted and stored in KMS, which reduces exposure of plaintext database accounts and improves security.

  • You can configure automatic rotation for ApsaraDB RDS secrets in KMS to update the passwords of database accounts on a regular basis. This reduces security risks that may arise from not changing passwords over an extended period of time.

    Note

    DMS retrieves secret values whose stage label is ACSCurrent from KMS in real time. If you configure automatic rotation, the operation does not affect connections to ApsaraDB RDS databases. For more information about rotation, see Manage and use ApsaraDB RDS secrets and Overview.

  • KMS supports ActionTrail, which can record all access requests to ApsaraDB RDS secrets. This facilitates subsequent audit and tracing, and quick identification of unusual behavior.

Usage notes

  • To integrate ApsaraDB RDS secrets into DMS, you must purchase a KMS instance. For more information about KMS billing and selection, see Billing and Overview.

  • KMS supports the following types of ApsaraDB RDS instances: ApsaraDB RDS for MySQL, ApsaraDB RDS for MariaDB, ApsaraDB RDS for SQL Server, and ApsaraDB RDS for PostgreSQL. KMS does not support ApsaraDB RDS for SQL Server instances that run SQL Server 2017 EE.

  • ApsaraDB RDS secrets can be automatically rotated, which updates the passwords in the secrets. If your ApsaraDB RDS secret is managed in KMS, we recommend that you configure DMS to use the ApsaraDB RDS secret to log on to the database, instead of manually entering accounts. This prevents failures of logon to ApsaraDB RDS databases due to password changes.

  • Before you delete an ApsaraDB RDS secret from KMS, make sure that DMS no longer uses the ApsaraDB RDS secret. For more information about how to query usage records, see Query the usage records of keys and secrets.

Prerequisites

  • A KMS instance is purchased and enabled. For more information, see Purchase and enable a KMS instance.

  • A symmetric key is created, which is used to encrypt an ApsaraDB RDS secret when you create the ApsaraDB RDS secret. For more information, see Manage a key.

Step 1: Create an ApsaraDB RDS secret in KMS

  1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Secrets.

  2. On the Secrets page, click Database Secrets, select the ID of the KMS instance that you want to manage from the Instance ID drop-down list, and then choose Create Secret > Create Single Secret. Then, configure the parameters and click OK.

    Parameter

    Description

    Database Type

    The type of database secret that you want to create. Select ApsaraDB RDS Secrets.

    Secret Name

    The name of the secret.

    ApsaraDB RDS Instance

    The existing ApsaraDB RDS instance that you want to manage within your Alibaba Cloud account.

    Account Management

    The value cannot exceed 30,720 bytes in length, which is equivalent to 30 KB in size.

    • Manage Dual Accounts (recommended): This mode is suitable for the scenarios in which the secret is used by applications to access the ApsaraDB RDS instance. In this mode, KMS manages two accounts that have identical permissions. This mode ensures that the connections between applications and the ApsaraDB RDS instance are not interrupted when the secret is rotated.

      • Click the Create Account tab, specify a username prefix, select a database, and then specify permissions.

        Note

        KMS does not immediately create the accounts. KMS creates the accounts after you review and confirm the secret information.

      • Click the Import Existing Accounts tab, select usernames, and then specify passwords for the usernames.

        Note

        We recommend that you specify the same passwords as the passwords that you specified for the accounts when you created the ApsaraDB RDS instance. If a username and the specified password do not match, you can retrieve the valid username and password the first time the secret is rotated.

    • Manage Single Account: This mode is suitable for the scenarios in which a privileged account or a manual O&M account is managed. In this mode, the current version of the secret may be temporarily unavailable when the secret is rotated.

      • Click the Create Account tab, specify a username prefix, and then select an account type.

        You can select Standard Account or Privileged Account for the Account Type parameter. If you select Standard Account, you must select a database and specify the permissions of the account.

      • Click the Import Existing Accounts tab, select a username, and then specify a password for the username.

    CMK

    The key that is used to encrypt the secret.

    Important
    • Your key and secret must belong to the same KMS instance. The key must be a symmetric key. For more information about the symmetric keys supported by KMS, see Key types and specifications.

    • If you are a RAM user or a RAM role, you must have the permissions to call the GenerateDataKey operation by using a key.

    Tag

    The tag that you want to add to the secret. You can use tags to classify and manage secrets. A tag consists of a key-value pair.

    Note
    • A tag key or a tag value can be up to 128 characters in length and can contain letters, digits, forward slashes (/), backslashes (\), underscores (_), hyphens (-), periods (.), plus signs (+), equal sign (=), colons (:), and at signs (@).

    • A tag key cannot start with aliyun or acs:.

    • You can configure up to 20 key-value pairs for each secret.

    Automatic Rotation

    Specifies whether to enable automatic secret rotation.

    Rotation Period

    The interval of automatic secret rotation. This setting is required only when you enable Enable Automatic Rotation. The value ranges from 6 hours to 365 days.

    KMS periodically updates the secret based on the value of this parameter.

    Description

    The description of the secret.

    Policy Settings

    The policy settings of the secret. For more information, see Overview.

    You can use the default policy and then modify the policy based on your business requirements after you create the secret.

Step 2: Register the ApsaraDB RDS database with DMS

  1. Log on to the DMS console V5.0.
  2. On the Home page of the DMS console, click the add icon next to Database Instances in the left-side navigation pane.

    Note

    Alternatively, choose Data Assets > Instances in the top navigation bar. On the Instance List tab of the Instances page, click New.

  3. On the Add Instance page, enter the information about the ApsaraDB RDS instance to which the ApsaraDB RDS database belongs.

    Select Logon with KMS Secret for the Access mode parameter. For more information about how to configure other parameters, see Register an Alibaba Cloud database instance. image

References

  • You can change the access mode of an ApsaraDB RDS database from account and password-based logon to ApsaraDB RDS secret-based logon. For more information, see Modify database instances.

  • After you register a database instance with DMS, you can perform the following operations:

    • Manage the database instance, such as creating databases, creating tables in a database, and querying and modifying the table data. For more information, see Manage a database on the SQLConsole tab.

    • Change a large amount of data in a table without locking the table. You can perform this operation by using the lock-free DML feature of DMS. For more information, see Perform lock-free DML operations.

    • Export the table data. For more information, see Export data.