RDBMS JDBC Connection — AWS Secrets Manager
Establish a JDBC database connection that retrieves credentials at runtime from AWS Secrets Manager, eliminating stored passwords in Data Trust.
Overview
Data Trust can retrieve database credentials at runtime from AWS Secrets Manager instead of storing them directly in the connection profile. This integration eliminates hardcoded credentials in Data Trust and allows your security team to rotate database passwords in AWS Secrets Manager without needing to update every connection profile in Data Trust.
Prerequisites
- You are logged in to Data Trust with an Admin Pro-User role.
- An AWS Secrets Manager secret containing the database credentials has been created in your AWS account.
- The Data Trust server has an IAM role or access key that allows secretsmanager:GetSecretValue on the target secret.
- You have the AWS Secrets Manager URL (endpoint) and the Secret ARN of your secret.
Creating an RDBMS JDBC Connection using AWS Secrets Manager
Path: Data Trust › Admin Console › Connection Explorer › + New Connection
Figure 1: Connection Explorer — click “+ New Connection” to begin creating an AWS Secrets Manager-backed connection.
Navigate to Admin Console › Connection Explorer. Click + New Connection to open the Create Connection form.
- Click + New Connection.
- Enter a unique Connection Name (e.g., RDBMS Connection using AWS Manager).
- Select your database source from the Source Name dropdown (e.g., MySql, MSSQL, Oracle).
- Select JDBC as the Type Of Connection.
Figure 2: Create Connection page — RDBMS source with JDBC type selected, showing the AWS Secrets Manager checkbox at the top of the Connection Parameters tab.
The Connection Parameters tab for a JDBC connection shows the standard fields (Connection String, User Name, Password, Driver Class) plus an AWS Secrets Manager checkbox at the very top. By default this checkbox is unchecked and the standard credential fields are active.
- Enter the Connection String (JDBC URL pointing to your RDBMS).
Figure 3: Standard JDBC connection parameters before enabling AWS Secrets Manager — Connection String, User Name, Password, Driver Class, and Default Enclosure Character.
Fill in the Connection String with your JDBC URL (e.g., jdbc:mysql://myserver:3306/mydb). The User Name and Password fields are present but will be superseded by the AWS Secrets Manager credentials once that option is enabled.
- Tick the AWS Secrets Manager checkbox at the top of the Connection Parameters tab.
Figure 4: The AWS Secrets Manager checkbox — tick this to switch from manual credentials to AWS-managed credentials.
The AWS Secrets Manager checkbox is at the top of the Connection Parameters tab. When unchecked, standard User Name and Password fields are used. Ticking the checkbox replaces those fields with the AWS Secrets Manager-specific inputs.
Figure 5: AWS Secrets Manager enabled — the form now shows URL (Secrets Manager endpoint) and Secret ARN fields instead of User Name and Password.
With AWS Secrets Manager enabled, the User Name and Password fields are replaced by: URL (the AWS Secrets Manager regional endpoint, e.g., https://secretsmanager.us-east-1.amazonaws.com) and Secret ARN (the full ARN of the secret containing the database credentials, e.g., arn:aws:secretsmanager:us-east-1:123456789:secret:mydb-creds-xxxxxx). Data Trust retrieves the credentials from this secret at query runtime.
- Enter the URL (AWS Secrets Manager regional endpoint).
- Enter the Secret ARN of the secret that holds the database credentials.
- Click Test Connection to verify the integration.
- Click Save to create the profile.
{"username": "...", "password": "..."}). The Data Trust server’s IAM role must have secretsmanager:GetSecretValue permission on the specific secret ARN.
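The Java program below is an added example, not Data Trust's own code, showing the runtime flow the profile above relies on: the secret is fetched by ARN through the regional endpoint, the username and password keys are read from its JSON value, and only then is the JDBC connection opened, so no database password is ever stored in the profile. It assumes the AWS SDK for Java v2 (secretsmanager module), Jackson and a MySQL JDBC driver on the classpath; the endpoint, ARN and JDBC URL are the sample values from this guide and would be replaced with your own.

```java
import java.io.IOException;
import java.net.URI;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueResponse;

/** Opens a JDBC connection whose credentials are fetched from AWS Secrets Manager at call time. */
public final class SecretsManagerJdbc {

    // Sample values mirroring the form fields in this guide (constructed placeholders, not real resources).
    static final String JDBC_URL    = "jdbc:mysql://myserver:3306/mydb";
    static final String SM_ENDPOINT = "https://secretsmanager.us-east-1.amazonaws.com";
    static final String SECRET_ARN  = "arn:aws:secretsmanager:us-east-1:123456789:secret:mydb-creds-xxxxxx";

    public static Connection connect() throws SQLException, IOException {
        // AWS credentials come from the default provider chain (instance/task role or environment),
        // so no AWS keys are stored here either. That identity needs only
        // secretsmanager:GetSecretValue on SECRET_ARN, nothing broader.
        try (SecretsManagerClient sm = SecretsManagerClient.builder()
                .region(Region.US_EAST_1)
                .endpointOverride(URI.create(SM_ENDPOINT))
                .build()) {
            GetSecretValueResponse resp = sm.getSecretValue(
                    GetSecretValueRequest.builder().secretId(SECRET_ARN).build());
            if (resp.secretString() == null) {
                throw new IllegalStateException("secret is binary; expected a JSON username/password value");
            }
            JsonNode creds = new ObjectMapper().readTree(resp.secretString());
            JsonNode user = creds.get("username");
            JsonNode pass = creds.get("password");
            if (user == null || pass == null) {
                throw new IllegalStateException("secret JSON must contain 'username' and 'password' keys");
            }
            // Fetching on every connect (no caching) means a rotated password takes effect on the
            // next connection without any change to the connection profile.
            return DriverManager.getConnection(JDBC_URL, user.asText(), pass.asText());
        }
    }

    public static void main(String[] args) throws Exception {
        try (Connection c = connect()) {
            System.out.println("connected: " + !c.isClosed()); // never log the credentials themselves
        }
    }
}
```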