Skip to content

(aws-rds): database connection string in generated secret (secret manager) #23613

New issue
New issue
Open
#36762
Open
(aws-rds): database connection string in generated secret (secret manager)#23613
#36762
Labels
@aws-cdk/aws-rdsRelated to Amazon Relational Databasefeature-requestA feature should be added or improved.p3
@snebjorn

Description

@snebjorn
snebjorn
opened on Jan 9, 2023

Describe the feature

It would be handy to have a "ready to use" connection string.
Currently it's a hassle to transform the RDS secret from the secret manager into a connection string.
It involves unsafeUnwrap and generating a secret in the Systems Manager Parameter Store based on the values in the Secret Manager.

Use Case

var database = new DatabaseInstance(stack, 'my-database', {
  // rest omitted ...
});

new ApplicationLoadBalancedFargateService(stack, 'my-fargate', {
  taskImageOptions: {
    secrets: [{
      'ConnectionStrings__MyDatabase': Secret.fromSecretsManager(database.secret, 'connectionString')
    }]
  },
  // rest omitted ...
});

Proposed Solution

A default connection string for each supported database type would nice.

// default SQL Server connection string
Server=myServerAddress;Database=myDataBase;User Id=myUsername;Password=myPassword;

However connection strings are highly configurable. So it would be ideal to be able to alter it.
It's actually necessary as the Database=...; parameter is application specific and required.

new DatabaseInstance(stack, 'my-database', {
  // rest omitted ... 
  credentials: Credentials.fromGeneratedSecret('admin', {
    // {{key}} refers to keys in the generated json secret
    // note `Database=MyDatabaseName` is hardcoded as it's not in the secret manager
    connectionStringTemplate: 'Server={{host}},{{port}};Database=MyDatabaseName;User Id={{username}};Password={{password}};'
  }),
});

This way it would be easy to alter the connection sting:

{
  connectionStringTemplate: 'Server={{host}},{{port}};Database=MyDatabaseName;User Id={{username}};Password={{password}};MultipleActiveResultSets=True;'
}

A version of Credentials.fromGeneratedSecret that only accepts the options would also be welcome, because then the connectionStringTemplate can be configured without hardcoding a username.

Credentials.fromGeneratedSecret({
  connectionStringTemplate: 'Server={{host}},{{port}};Database=MyDatabaseName;User Id={{username}};Password={{password}};'
})

Other Information

Another solution could be to extract a configurable connection string from the secret manager:

Secret.connectionStringFromSecretsManager(database.secret, {
  // {{key}} refers to keys in the generated json secret
  // note `Database=MyDatabaseName` is hardcoded as it's not in the secret manager
  connectionStringTemplate: 'Server={{host}},{{port}};Database=MyDatabaseName;User Id={{username}};Password={{password}};'
})

Found other people with the same issue:

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.55.0

Environment details (OS name and version, etc.)

Not relevant

Metadata

Metadata

Assignees

No one assigned

    Labels

    @aws-cdk/aws-rdsRelated to Amazon Relational Databasefeature-requestA feature should be added or improved.p3

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions