Creating a Database Credential

Last updated: 2021-10-14 10:09:36

Scenarios

You want to enable rotation and encryption for database credential created in the SSM console, securing your data while reducing disclosure risks and security threats to your account.

Prerequisites

Before using database credentials, please note the following prerequisites:

Directions

  1. Log in to the SSM Console and click Database Credential on the left sidebar.
  2. Click the drop-down button in the top left corner of the credential list to modify the region.
  3. Click Create in the top left corner of the credential list.
  4. Enter the information required to create a credential and click OK. The credential will be displayed at the top of the credential list.

Fields

Basic settings

  • Secret Name: supports 1–128 bytes of letters, digits, hyphens (-), and underscores (_). It must start with a letter or digit.
  • Description: contains information of a credential using up to 2048 bytes (optional).

Database account settings

  • Bound Instance: a MySQL instance or TDSQL instance of your choice.
  • Account Prefix: contains 12 characters of lower-case letters and digits. It must start with a letter.
    Note:

    Two account names will be generated in the format of [prefix]SSM[three random digits]. These two account names will be shifted for rotation.

  • Server:
    • Must be in IP format. % is supported.
    • Multiple servers should be separated with a carriage return or space.
  • Authorization: enables you to set permissions on the database.

Rotation settings

  • Rotation Status: with rotation enabled, SSM will update the database credential password periodically. It is recommended to enable rotation for safety.
  • Rotation Cycle: ranges from 30 days to 365 days.
  • Next Rotation Start: enables you to set the start time (in seconds) for next rotation as needed.

Others

  • Tag: optional item.
  • Encryption Key:
    • Use the default CMK that SSM has created in KMS.
    • Use a custom encryption key.
Note:

If you are using SSM, you have activated KMS. You can create an encryption key in either of the following ways:

  • Use the default Tencent Cloud managed CMK created in the KMS console as encryption key, and use the envelope encryption method for encrypted storage.
  • Use a custom key created in the KMS console as encryption key for encrypted storage.