I have created a read replica for my production RDS PostgreSQL instance. I planning to use that read-replica to connect redshift federated queries. The documentation suggests creating a secret but when I go to AWS Secret Manager and try to create a new secret the replica instance is not present.
I haven't found anything that suggests that the above is not possible. In fact, having a read-replica for federated queries it is a suggested good practice. Any ideas?
The association between secret manager and RDS is based only on the format of a secret value. The formats available are here.
In console you can do this association only for the primary db instance. But using CLI you can do this as well for read-replicas. It is useful, as read replicas have different endpoint then the primary instance.
For example, for MySql:
aws secretsmanager create-secret \
--name read-replica-secret \
--secret-string file:///tmp/secret.json
where /tmp/secret.json would be:
{
"engine": "mysql",
"host": "<required: read replica instance host name/resolvable DNS name>",
"username": "admin",
"password": "2PLvZK5Gcuht8qefK5O7",
"dbname": "testdb",
"port": "3306"
}
This way, your read-only clients can get full set of credentials from the SM, which includes correct read-endpoint.
But the issue is that you will have two secrets now. One for primary and the other one for reader. Which is a management hustle. It complicates even more if you want to have automatic rotation.