Use Vault Secret Credential with AWS Secrets Manager

Describes using vault secret credentials, where the credential secret (password) is stored in AWS Secrets Manager.

You can use vault secret credentials to access cloud resources, to access other databases with database links, or use anywhere that username/password type credentials are required.

Prerequisites to Create Vault Secret Credential with AWS Secrets Manager

Describes the required prerequisites to use vault secret credentials with AWS Secrets Manager.

To create vault secret credentials where the secret is stored in AWS Secrets Manager, first perform the required prerequisites.

  1. Create a secret with AWS Secrets Manager and copy the AWS secret ARN.

    See AWS Secrets Manager for more information.

  2. Perform AWS management prerequisites to use Amazon Resource Names (ARNs).
  3. Enable AWS principal authentication to provide access to the secret in AWS Secrets Manager.

    For example, on the Autonomous Database instance run:

    BEGIN
        DBMS_CLOUD_ADMIN.ENABLE_PRINCIPAL_AUTH(                                     
              provider => 'AWS',
              params =>
                 JSON_OBJECT( 
                    'aws_role_arn' value 'arn:aws:iam::123456:role/AWS_ROLE_ARN'));
    END; 
    /

    See ENABLE_PRINCIPAL_AUTH Procedure and About Using Amazon Resource Names (ARNs) to Access AWS Resources for more information.

  4. Set up AWS to provide permissions for Amazon Resource Names (ARNs) to access the secret in AWS Secrets Manager.

    On the AWS console, you must grant read access to the secret to the principal authentication credential.

    1. In the AWS console, navigate to the IAM and select Roles in Access Management.
    2. Select the role.
    3. In the Permission tab, click Add permissionscreate inline policy.
    4. In the Service section, select secret manager as the service.
    5. In the Action section, select Read access level.
    6. In the Resources section, click Add ARN, specify ARN for secret and click Add → click Review the policy → give a policy name → click create policy.
    7. Back to the Permission tab, verify that the inline policy is attached.

Create Vault Secret Credential with AWS Secrets Manager

Describes the steps to use an AWS Secrets Manager secret with credentials.

This allows you to store a secret in AWS Secrets Manager and use the secret with the credentials you create to access cloud resources or to access other databases.

To create vault secret credentials where the secret is stored in AWS Secrets Manager:

  1. Create a secret in AWS Secrets Manager and create an inline policy to allow your Autonomous Database to access secrets in AWS Secrets Manager.
  2. Use DBMS_CLOUD.CREATE_CREDENTIAL to create a vault secret credential to access the AWS Secrets Manager secret.

    For example:

    BEGIN DBMS_CLOUD.CREATE_CREDENTIAL(
        credential_name      => 'AWS_SECRET_CRED',
        params               => JSON_OBJECT( 
             'username'   value 'access_key',
             'secret_id'  value 'arn:aws:secretsmanager:region:account-ID:secret:secret_name' ));
    END;
    /

    Where:

    • username: is the username of the original credential. It can be the username of any type of username/password credential.

    • secret_id: is the vault secret AWS ARN.

    To create a vault secret credential you must have EXECUTE privilege on the DBMS_CLOUD package.

    See CREATE_CREDENTIAL Procedure for more information.

  3. Use the credential to access a cloud resource.

    For example:

    SELECT count(*) FROM DBMS_CLOUD.LIST_OBJECTS(
         'AWS_SECRET_CRED', 
         'https://s3-us-west-2.amazonaws.com/adb/' );
Note

Every 12 hours the secret (password) is refreshed from the content in the AWS Secrets Manager. If you change the secret value in the AWS Secrets Manager, it can take up to 12 hours for the Autonomous Database instance to pick up the latest secret value.

Run DBMS_CLOUD.REFRESH_VAULT_CREDENTIAL to immediately refresh a vault secret credential. This procedure gets the latest version of the vault secret from AWS Secrets Manager. See REFRESH_VAULT_CREDENTIAL Procedure for more information.