aws-cdk-lib.aws_rds.SnapshotCredentials

class SnapshotCredentials

LanguageType name
.NETAmazon.CDK.AWS.RDS.SnapshotCredentials
Gogithub.com/aws/aws-cdk-go/awscdk/v2/awsrds#SnapshotCredentials
Javasoftware.amazon.awscdk.services.rds.SnapshotCredentials
Pythonaws_cdk.aws_rds.SnapshotCredentials
TypeScript (source)aws-cdk-lib » aws_rds » SnapshotCredentials

Credentials to update the password for a DatabaseInstanceFromSnapshot.

Example

declare const vpc: ec2.Vpc;
const engine = rds.DatabaseInstanceEngine.postgres({ version: rds.PostgresEngineVersion.VER_15_2 });
const myKey = new kms.Key(this, 'MyKey');

new rds.DatabaseInstanceFromSnapshot(this, 'InstanceFromSnapshotWithCustomizedSecret', {
  engine,
  vpc,
  snapshotIdentifier: 'mySnapshot',
  credentials: rds.SnapshotCredentials.fromGeneratedSecret('username', {
    encryptionKey: myKey,
    excludeCharacters: '!&*^#@()',
    replicaRegions: [{ region: 'eu-west-1' }, { region: 'eu-west-2' }],
  }),
});

Initializer

new SnapshotCredentials()

Properties

NameTypeDescription
generatePasswordbooleanWhether a new password should be generated.
encryptionKey?IKeyKMS encryption key to encrypt the generated secret.
excludeCharacters?stringThe characters to exclude from the generated password.
password?SecretValueThe master user password.
replaceOnPasswordCriteriaChanges?booleanWhether to replace the generated secret when the criteria for the password change.
replicaRegions?ReplicaRegion[]A list of regions where to replicate the generated secret.
secret?ISecretSecret used to instantiate this Login.
username?stringThe master user name.

generatePassword

Type: boolean

Whether a new password should be generated.


encryptionKey?

Type: IKey (optional, default: default master key)

KMS encryption key to encrypt the generated secret.


excludeCharacters?

Type: string (optional, default: the DatabaseSecret default exclude character set (" %+~`#$&()|[]{}:;<>?!'/@"\"))*

The characters to exclude from the generated password.

Only used if generatePassword if true.


password?

Type: SecretValue (optional, default: the existing password from the snapshot)

The master user password.

Do not put passwords in your CDK code directly.


replaceOnPasswordCriteriaChanges?

Type: boolean (optional, default: false)

Whether to replace the generated secret when the criteria for the password change.


replicaRegions?

Type: ReplicaRegion[] (optional, default: Secret is not replicated)

A list of regions where to replicate the generated secret.


secret?

Type: ISecret (optional, default: none)

Secret used to instantiate this Login.


username?

Type: string (optional, default: the existing username from the snapshot)

The master user name.

Must be the current master user name of the snapshot. It is not possible to change the master user name of a RDS instance.

Methods

NameDescription
static fromGeneratedPassword(username, options?)Generate a new password for the snapshot, using the existing username and an optional encryption key.
static fromGeneratedSecret(username, options?)Generate a new password for the snapshot, using the existing username and an optional encryption key.
static fromPassword(password)Update the snapshot login with an existing password.
static fromSecret(secret)Update the snapshot login with an existing password from a Secret.

static fromGeneratedPassword(username, options?)

public static fromGeneratedPassword(username: string, options?: SnapshotCredentialsFromGeneratedPasswordOptions): SnapshotCredentials

Parameters

  • username string
  • options SnapshotCredentialsFromGeneratedPasswordOptions

Returns

  • SnapshotCredentials

Generate a new password for the snapshot, using the existing username and an optional encryption key.

Note - The username must match the existing master username of the snapshot.

NOTE: use fromGeneratedSecret() for new Clusters and Instances. Switching from fromGeneratedPassword() to fromGeneratedSecret() for already deployed Clusters or Instances will update their master password.


static fromGeneratedSecret(username, options?)

public static fromGeneratedSecret(username: string, options?: SnapshotCredentialsFromGeneratedPasswordOptions): SnapshotCredentials

Parameters

  • username string
  • options SnapshotCredentialsFromGeneratedPasswordOptions

Returns

  • SnapshotCredentials

Generate a new password for the snapshot, using the existing username and an optional encryption key.

The new credentials are stored in Secrets Manager.

Note - The username must match the existing master username of the snapshot.


static fromPassword(password)

public static fromPassword(password: SecretValue): SnapshotCredentials

Parameters

  • password SecretValue

Returns

  • SnapshotCredentials

Update the snapshot login with an existing password.


static fromSecret(secret)

public static fromSecret(secret: ISecret): SnapshotCredentials

Parameters

  • secret ISecret

Returns

  • SnapshotCredentials

Update the snapshot login with an existing password from a Secret.

The Secret must be a JSON string with a password field:

{
  ...
  "password": <required: password>,
}