Skip to main content
Welcome back. In the previous lesson we stored an RDS username and password manually in AWS Secrets Manager. In this lesson we’ll enable the RDS option that stores and manages the DB master credentials directly in AWS Secrets Manager at database creation time. Note: this integration is not available for all RDS engines and deployment types — check the AWS documentation for engine/version support and limitations:

Quick overview

  • Enable “Manage master credentials in AWS Secrets Manager” when creating the RDS instance.
  • RDS will create a Secrets Manager secret with the generated master username and password.
  • Secrets Manager can optionally enable automatic rotation for that secret and (when configured) will update the RDS master password.
  • Your application must fetch the current credentials from Secrets Manager (or use a secure cache) so it continues to work after rotation.

Create the database and enable Secrets Manager

  1. Open the RDS console and click Create database.
A screenshot of the Amazon Web Services RDS console dashboard showing resource usage, quotas, and links. The main pane includes a prominent "Create database" button while the left sidebar lists RDS navigation items.
  1. Choose Standard create and select PostgreSQL as the engine. Keep defaults where appropriate and pick a Free tier instance class (or another instance class you prefer).
  2. In the Credentials section enable Manage master credentials in AWS Secrets Manager. When enabled, RDS will generate and store the master username and password in Secrets Manager and can optionally enable rotation for that secret.
A screenshot of the AWS RDS console during DB instance setup. It shows credentials settings (master username "postgres" with the option to manage credentials in AWS Secrets Manager), encryption key selection, and the instance class set to db.t3.micro.
  1. Scroll through the remaining settings, adjust networking/security as required (VPC, subnets, security groups), and click Create database.
Database provisioning typically takes ~10–15 minutes. Wait until the DB status shows Available.

Verify the secret created by RDS

Once the DB is available, choose View details. You will see the master username and an indication that the master credentials are managed by AWS Secrets Manager. RDS creates the corresponding secret in Secrets Manager during DB creation.
A screenshot of an AWS RDS console dialog titled "Connection details to your database database-1." It shows the master username "postgres," the database endpoint, and links to manage credentials and learn how to connect.
Click Manage credentials to open the secret in AWS Secrets Manager. The secret contains metadata (tags, ARN, name) that your application will reference. Scroll down to view the secret value and click Retrieve secret value to reveal the stored username and password. Because of IAM permissions, a regular user might not have permission to retrieve the secret value. In this demo the account has administrative privileges and can view the secret.
A screenshot of the AWS Secrets Manager console showing a secret with key/value entries (username: postgres and a password) and a rotation configuration set to 7 days. The page also shows sections for resource permissions and sample code.

Sample code — retrieve the secret and connect to PostgreSQL

Below are code examples provided by Secrets Manager that demonstrate retrieving the secret (username/password) and using it to connect to PostgreSQL. Java (AWS SDK v2) — retrieve the secret value 
// Java (AWS SDK v2) example: get a secret value from AWS Secrets Manager
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueResponse;
import software.amazon.awssdk.services.secretsmanager.model.SecretsManagerException;

public class SecretsExample {
    public static void getSecret() {
        String secretName = "rds!db-8fcc3794-ab80-4353-86fb-641f99a65793";
        Region region = Region.of("eu-central-1");

        try (SecretsManagerClient client = SecretsManagerClient.builder()
                .region(region)
                .build()) {

            GetSecretValueRequest getSecretValueRequest = GetSecretValueRequest.builder()
                    .secretId(secretName)
                    .build();

            GetSecretValueResponse getSecretValueResponse = client.getSecretValue(getSecretValueRequest);
            String secretString = getSecretValueResponse.secretString();
            System.out.println("Secret: " + secretString);
            // secretString typically contains a JSON with username, password, host, port, dbname
        } catch (SecretsManagerException e) {
            System.err.println("Secrets Manager error: " + e.awsErrorDetails().errorMessage());
            throw e;
        }
    }
}
Python (boto3) — retrieve the secret, parse it, and connect to PostgreSQL 
# Python example: get secret from AWS Secrets Manager and connect to PostgreSQL
import json
import boto3
from botocore.exceptions import ClientError
import psycopg2

def get_secret(secret_name: str, region_name: str) -> dict:
    client = boto3.client("secretsmanager", region_name=region_name)

    try:
        get_secret_value_response = client.get_secret_value(SecretId=secret_name)
    except ClientError as e:
        # For a list of exceptions see:
        # https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
        raise e

    # SecretString contains the JSON with username/password/host/etc.
    secret_string = get_secret_value_response.get("SecretString")
    if secret_string:
        return json.loads(secret_string)
    else:
        # In some cases the secret may be stored as binary
        secret_binary = get_secret_value_response.get("SecretBinary")
        return json.loads(secret_binary.decode("utf-8"))

def connect_with_secret(secret_info: dict):
    conn = psycopg2.connect(
        host=secret_info.get("host"),
        port=secret_info.get("port", 5432),
        database=secret_info.get("dbname"),
        user=secret_info.get("username"),
        password=secret_info.get("password")
    )
    return conn

if __name__ == "__main__":
    secret_name = "rds!db-8fcc3794-ab80-4353-86fb-641f99a65793"
    region = "eu-central-1"
    secret = get_secret(secret_name, region)
    conn = connect_with_secret(secret)
    print("Connected to DB as", secret.get("username"))
    conn.close()

Rotation behavior and application impact

When rotation is enabled, Secrets Manager updates the stored password and (if rotation is configured correctly) updates RDS with the new password. Your application must use the current credentials from Secrets Manager; otherwise, a rotated password will break connections.
Make sure your application either fetches the secret on each connection, refreshes at a safe cadence, or uses an in-process Secrets Manager cache/library that automatically refreshes. Also ensure IAM policies grant only the minimum required permissions to retrieve the secret and that the application has network access to the RDS endpoint (VPC, subnets, and security groups configured correctly).

What happens to the secret when you delete the RDS instance?

By default, RDS can delete the Secrets Manager secret it created as part of the DB deletion process. This behavior depends on the deletion options you choose and the IAM permissions in your account, so confirm the settings when deleting a DB.
If you need to retain the secret after deleting the DB, explicitly update the secret’s configuration or back it up before deleting the RDS instance — otherwise you may permanently lose the credentials needed for recovery.

Quick checklist

ActionWhy it mattersNotes
Enable Manage master credentials in Secrets ManagerStores and optionally rotates DB master credentialsOnly available for supported engines/versions — check AWS docs
Verify IAM permissionsLimit who can read secrets and update rotationUse least-privilege roles for applications and admins
Configure rotation and rotation roleAutomates password changes and updates RDSTest rotation in a staging environment first
Ensure network accessApplication must reach both Secrets Manager (for API calls) and the RDS endpointVPC endpoints, security groups, and routing matter

Summary

  • Enabling “Manage master credentials in AWS Secrets Manager” at RDS creation stores the DB master credentials in Secrets Manager and can enable automatic rotation.
  • Ensure your application retrieves the current credentials from Secrets Manager (or uses a secure caching mechanism) to handle rotated passwords.
  • Validate IAM permissions and network configuration so your application can retrieve secrets and connect to the RDS instance.
  • Confirm deletion/retention behavior for secrets before deleting databases.
I hope this lesson clarified how to integrate Amazon RDS with AWS Secrets Manager for automated credential management.

Watch Video