

This page is a machine translation of the English version. Where the content is ambiguous or inconsistent, the English version takes precedence.

# JSON structure of AWS Secrets Manager secrets
<a name="reference_secret_json_structure"></a>

You can store any text or binary data in a Secrets Manager secret, up to a maximum of 65,536 bytes.

If you use [rotation by Lambda function](rotate-secrets_lambda.md), the secret must contain the specific JSON fields that the rotation function expects. For example, for a secret that contains database credentials, the rotation function connects to the database to update the credentials, so the secret must contain the database connection information.

If you use the console to edit rotation for a database secret, the secret must contain the specific JSON key/value pairs that identify the database. Secrets Manager uses those fields to look up the database and find the correct VPC in which to place the rotation function.

JSON key names are case sensitive.

**Topics**
+ [Amazon RDS and Aurora credentials](#reference_secret_json_structure_rds)
+ [Amazon Redshift credentials](#reference_secret_json_structure_RS)
+ [Amazon Redshift Serverless credentials](#reference_secret_json_structure_RSServerless)
+ [Amazon DocumentDB credentials](#reference_secret_json_structure_docdb)
+ [Amazon Timestream for InfluxDB secret structure](#reference_secret_json_structure_TIME)
+ [Amazon ElastiCache credentials](#reference_secret_json_structure_ELC)
+ [Active Directory credentials](#reference_secret_json_structure_AD)

## Amazon RDS and Aurora credentials
<a name="reference_secret_json_structure_rds"></a>

To use the [rotation function templates that Secrets Manager provides](reference_available-rotation-templates.md#RDS_rotation_templates), use the following JSON structure. You can add more key/value pairs, for example to include connection information for replica databases in other Regions.

------
#### [ DB2 ]

For Amazon RDS Db2 instances, users cannot change their own password, so you must supply administrator credentials in a separate secret and reference it from `masterarn`.

```
{
  "engine": "db2",
  "host": "{{<instance host name/resolvable DNS name>}}",
  "username": "{{<username>}}",
  "password": "{{<password>}}",
  "dbname": "{{<database name. If not specified, defaults to None>}}",
  "port": {{<TCP port number. If not specified, defaults to 3306>}},
  "masterarn": "{{<ARN of the elevated secret>}}",
  "dbInstanceIdentifier": "{{<optional: ID of the instance. Alternately, use dbClusterIdentifier. Required for configuring rotation in the console.>}}",
  "dbClusterIdentifier": "{{<optional: ID of the cluster. Alternately, use dbInstanceIdentifier. Required for configuring rotation in the console.>}}"
}
```

------
#### [ MariaDB ]

```
{
  "engine": "mariadb",
  "host": "{{<instance host name/resolvable DNS name>}}",
  "username": "{{<username>}}",
  "password": "{{<password>}}",
  "dbname": "{{<database name. If not specified, defaults to None>}}",
  "port": {{<TCP port number. If not specified, defaults to 3306>}},
  "masterarn": "{{<optional: ARN of the elevated secret. Required for the alternating users rotation strategy.>}}",
  "dbInstanceIdentifier": "{{<optional: ID of the instance. Alternately, use dbClusterIdentifier. Required for configuring rotation in the console.>}}",
  "dbClusterIdentifier": "{{<optional: ID of the cluster. Alternately, use dbInstanceIdentifier. Required for configuring rotation in the console.>}}"
}
```

------
#### [ MySQL ]

```
{
  "engine": "mysql",
  "host": "{{<instance host name/resolvable DNS name>}}",
  "username": "{{<username>}}",
  "password": "{{<password>}}",
  "dbname": "{{<database name. If not specified, defaults to None>}}",
  "port": {{<TCP port number. If not specified, defaults to 3306>}},
  "masterarn": "{{<optional: ARN of the elevated secret. Required for the alternating users rotation strategy.>}}",
  "dbInstanceIdentifier": "{{<optional: ID of the instance. Alternately, use dbClusterIdentifier. Required for configuring rotation in the console.>}}",
  "dbClusterIdentifier": "{{<optional: ID of the cluster. Alternately, use dbInstanceIdentifier. Required for configuring rotation in the console.>}}"
}
```

------
#### [ Oracle ]

```
{
  "engine": "oracle",
  "host": "{{<instance host name/resolvable DNS name>}}",
  "username": "{{<username>}}",
  "password": "{{<password>}}",
  "dbname": "{{<database name>}}",
  "port": {{<TCP port number. If not specified, defaults to 1521>}},
  "masterarn": "{{<optional: ARN of the elevated secret. Required for the alternating users rotation strategy.>}}",
  "dbInstanceIdentifier": "{{<optional: ID of the instance. Alternately, use dbClusterIdentifier. Required for configuring rotation in the console.>}}",
  "dbClusterIdentifier": "{{<optional: ID of the cluster. Alternately, use dbInstanceIdentifier. Required for configuring rotation in the console.>}}"
}
```

------
#### [ Postgres ]

```
{
  "engine": "postgres",
  "host": "{{<instance host name/resolvable DNS name>}}",
  "username": "{{<username>}}",
  "password": "{{<password>}}",
  "dbname": "{{<database name. If not specified, defaults to 'postgres'>}}",
  "port": {{<TCP port number. If not specified, defaults to 5432>}},
  "masterarn": "{{<optional: ARN of the elevated secret. Required for the alternating users rotation strategy.>}}",
  "dbInstanceIdentifier": "{{<optional: ID of the instance. Alternately, use dbClusterIdentifier. Required for configuring rotation in the console.>}}",
  "dbClusterIdentifier": "{{<optional: ID of the cluster. Alternately, use dbInstanceIdentifier. Required for configuring rotation in the console.>}}"
}
```

------
#### [ SQLServer ]

```
{
  "engine": "sqlserver",
  "host": "{{<instance host name/resolvable DNS name>}}",
  "username": "{{<username>}}",
  "password": "{{<password>}}",
  "dbname": "{{<database name. If not specified, defaults to 'master'>}}",
  "port": {{<TCP port number. If not specified, defaults to 1433>}},
  "masterarn": "{{<optional: ARN of the elevated secret. Required for the alternating users rotation strategy.>}}",
  "dbInstanceIdentifier": "{{<optional: ID of the instance. Alternately, use dbClusterIdentifier. Required for configuring rotation in the console.>}}",
  "dbClusterIdentifier": "{{<optional: ID of the cluster. Alternately, use dbInstanceIdentifier. Required for configuring rotation in the console.>}}"
}
```

------

## Amazon Redshift credentials
<a name="reference_secret_json_structure_RS"></a>

To use the [rotation function templates that Secrets Manager provides](reference_available-rotation-templates.md#template-redshift), use the following JSON structure. You can add more key/value pairs, for example to include connection information for replica databases in other Regions.

```
{
  "engine": "redshift",
  "host": "{{<instance host name/resolvable DNS name>}}",
  "username": "{{<username>}}",
  "password": "{{<password>}}",
  "dbname": "{{<database name. If not specified, defaults to None>}}",
  "dbClusterIdentifier": "{{<optional: database ID. Required for configuring rotation in the console.>}}",
  "port": {{<optional: TCP port number. If not specified, defaults to 5439>}},
  "masterarn": "{{<optional: ARN of the elevated secret. Required for the alternating users rotation strategy.>}}"
}
```

## Amazon Redshift Serverless credentials
<a name="reference_secret_json_structure_RSServerless"></a>

To use the [rotation function templates that Secrets Manager provides](reference_available-rotation-templates.md#template-redshift), use the following JSON structure. You can add more key/value pairs, for example to include connection information for replica databases in other Regions.

```
{
  "engine": "redshift",
  "host": "{{<instance host name/resolvable DNS name>}}",
  "username": "{{<username>}}",
  "password": "{{<password>}}",
  "dbname": "{{<database name. If not specified, defaults to None>}}",
  "namespaceName": "{{<optional: namespace name. Required for configuring rotation in the console.>}}",
  "port": {{<optional: TCP port number. If not specified, defaults to 5439>}},
  "masterarn": "{{<optional: ARN of the elevated secret. Required for the alternating users rotation strategy.>}}"
}
```

## Amazon DocumentDB credentials
<a name="reference_secret_json_structure_docdb"></a>

To use the [rotation function templates that Secrets Manager provides](reference_available-rotation-templates.md#NON-RDS_rotation_templates), use the following JSON structure. You can add more key/value pairs, for example to include connection information for replica databases in other Regions.

```
{
  "engine": "mongo",
  "host": "{{<instance host name/resolvable DNS name>}}",
  "username": "{{<username>}}",
  "password": "{{<password>}}",
  "dbname": "{{<database name. If not specified, defaults to None>}}",
  "port": {{<TCP port number. If not specified, defaults to 27017>}},
  "ssl": {{<true|false. If not specified, defaults to false>}},
  "masterarn": "{{<optional: ARN of the elevated secret. Required for the alternating users rotation strategy.>}}",
  "dbClusterIdentifier": "{{<optional: database cluster ID. Alternately, use dbInstanceIdentifier. Required for configuring rotation in the console.>}}",
  "dbInstanceIdentifier": "{{<optional: database instance ID. Alternately, use dbClusterIdentifier. Required for configuring rotation in the console.>}}"
}
```
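The structural rules above (the required keys, case-sensitive key names, the 65,536-byte limit, `masterarn` for the alternating users strategy, and the identifier key the console needs) are worth checking before rotation is turned on, because a rotation function that cannot parse its own secret fails on the first run. The following validator is an added example, not code from AWS or from the rotation templates. It covers the RDS/Aurora, Redshift, Redshift Serverless, and DocumentDB structures on this page, takes the `SecretString` as a plain string, and uses constructed sample secrets instead of calling `GetSecretValue`; the function names, the port table (copied from the defaults listed on this page), and the sample host and identifier values are assumptions.

```python
import json

# Required top-level keys shared by every database structure on this page.
REQUIRED_KEYS = ("engine", "host", "username", "password")

# Port each structure lists as the default when "port" is absent (values as on this page).
DEFAULT_PORT = {
    "db2": 3306, "mariadb": 3306, "mysql": 3306, "oracle": 1521,
    "postgres": 5432, "sqlserver": 1433, "redshift": 5439, "mongo": 27017,
}

# Keys the console uses to locate the database (and its VPC) when configuring rotation.
# At least one must be present; Redshift Serverless uses namespaceName instead of an ID.
LOCATOR_KEYS = {"redshift": ("dbClusterIdentifier", "namespaceName")}
DEFAULT_LOCATOR_KEYS = ("dbInstanceIdentifier", "dbClusterIdentifier")

MAX_SECRET_BYTES = 65_536


def check_secret(secret_string, alternating_users=False, console_rotation=False):
    """Return a list of problems; an empty list means the secret fits the templates.

    secret_string is the SecretString value (constructed inline below, not fetched).
    """
    problems = []
    if len(secret_string.encode("utf-8")) > MAX_SECRET_BYTES:
        problems.append(f"secret exceeds {MAX_SECRET_BYTES} bytes")
    try:
        secret = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        return problems + [f"not valid JSON: {exc.msg}"]
    if not isinstance(secret, dict):
        return problems + ["top-level JSON value must be an object"]

    # Key names are case sensitive: report a near miss such as "Engine" explicitly.
    by_lower = {k.lower(): k for k in secret}
    for key in REQUIRED_KEYS:
        if key in secret:
            continue
        found = by_lower.get(key)
        if found:
            problems.append(f"missing key '{key}' (found '{found}'; key names are case sensitive)")
        else:
            problems.append(f"missing key '{key}'")

    engine = secret.get("engine")
    if engine is not None and engine not in DEFAULT_PORT:
        problems.append(f"unknown engine '{engine}'")

    port = secret.get("port")
    if port is not None and not (isinstance(port, int) or (isinstance(port, str) and port.isdigit())):
        problems.append("port must be a TCP port number")

    # The Db2 structure always needs the admin secret; the others only for alternating users.
    if (engine == "db2" or alternating_users) and "masterarn" not in secret:
        problems.append("masterarn is required (elevated/admin secret ARN)")

    if console_rotation and engine is not None:
        locators = LOCATOR_KEYS.get(engine, DEFAULT_LOCATOR_KEYS)
        if not any(k in secret for k in locators):
            problems.append("console rotation needs one of: " + ", ".join(locators))
    return problems


def effective_port(secret):
    """Port a template would connect to after applying this page's defaults."""
    return int(secret.get("port", DEFAULT_PORT[secret["engine"]]))


# Constructed sample secrets (placeholder values, not real credentials).
SAMPLE_OK = json.dumps({
    "engine": "postgres", "host": "orders-db.internal.example", "username": "app_user",
    "password": "placeholder", "dbClusterIdentifier": "orders-cluster",
})
SAMPLE_WRONG_CASE = json.dumps({
    "Engine": "mysql", "host": "h", "username": "u", "password": "p", "port": "3306",
})

if __name__ == "__main__":
    for name, s in (("ok", SAMPLE_OK), ("wrong-case", SAMPLE_WRONG_CASE)):
        print(name, check_secret(s, alternating_users=True, console_rotation=True) or "fits template")
```

Run it against the output of `aws secretsmanager get-secret-value --query SecretString --output text` for the secret you are about to attach a rotation function to; the `alternating_users` and `console_rotation` flags select the extra keys those two paths require.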

## Amazon Timestream for InfluxDB secret structure
<a name="reference_secret_json_structure_TIME"></a>

To rotate a Timestream secret, you can use the [Amazon Timestream for InfluxDB](reference_available-rotation-templates.md#template-TimeStream) rotation template.

For more information, see [How Amazon Timestream for InfluxDB uses secrets](https://docs.aws.amazon.com/timestream/latest/developerguide/timestream-for-influx-security-db-secrets.html) in the *Amazon Timestream Developer Guide*.

A Timestream secret must have the correct JSON structure before the rotation template can be used. For more information, see [Secret contents](https://docs.aws.amazon.com/timestream/latest/developerguide/timestream-for-influx-security-db-secrets.html#timestream-for-influx-security-db-secrets-definition) in the *Amazon Timestream Developer Guide*.

## Amazon ElastiCache credentials
<a name="reference_secret_json_structure_ELC"></a>

The following example shows the JSON structure of a secret that stores ElastiCache credentials.

```
{
  "password": "{{<password>}}",
  "username": "{{<username>}}",
  "user_arn": "{{<ARN of the ElastiCache user>}}"
}
```

For more information, see [Automatically rotating passwords for users](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/User-Secrets-Manager.html) in the *Amazon ElastiCache User Guide*.

## Active Directory credentials
<a name="reference_secret_json_structure_AD"></a>

AWS Directory Service uses secrets to store Active Directory credentials. For more information, see [Seamlessly join an Amazon EC2 Linux instance to your AWS Managed Microsoft AD Active Directory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/seamlessly_join_linux_instance.html) in the *AWS Directory Service Administration Guide*. Seamless domain join requires the key names shown in the following example. If you don't use seamless domain join, you can change the key names in the secret through environment variables, as described in the rotation function template code.

To rotate an Active Directory secret, you can use the [Active Directory rotation template](reference_available-rotation-templates.md#template-AD).

------
#### [ Active Directory credential ]

```
{
  "awsSeamlessDomainUsername": "{{<username>}}",
  "awsSeamlessDomainPassword": "{{<password>}}"
}
```

If you want to rotate the secret, include the domain directory ID.

```
{
  "awsSeamlessDomainDirectoryId": "{{d-12345abc6e}}",
  "awsSeamlessDomainUsername": "{{<username>}}",
  "awsSeamlessDomainPassword": "{{<password>}}"
}
```

If the secret is used together with secrets that contain keytabs, you can include the ARNs of the keytab secrets.

```
{
  "awsSeamlessDomainDirectoryId": "{{d-12345abc6e}}",
  "awsSeamlessDomainUsername": "{{<username>}}",
  "awsSeamlessDomainPassword": "{{<password>}}",
  "directoryServiceSecretVersion": {{1}},
  "schemaVersion": "{{1.0}}",
  "keytabArns": [
    "{{<ARN of child keytab secret 1>}}",
    "{{<ARN of child keytab secret 2>}}",
    "{{<ARN of child keytab secret 3>}}"
  ],
  "lastModifiedDateTime": "{{2021-07-19 17:06:58}}"
}
```

------
#### [ Active Directory keytab ]

For information about using a keytab file to authenticate to an Active Directory account from Amazon EC2, see [Deploying and configuring Active Directory authentication with SQL Server 2017 on Amazon Linux 2](https://aws.amazon.com/blogs/database/deploying-and-configuring-active-directory-authentication-with-sql-server-2017-on-amazon-linux-2/).

```
{
  "awsSeamlessDomainDirectoryId": "{{d-12345abc6e}}",
  "schemaVersion": "{{1.0}}",
  "name": "{{<name>}}",
  "principals": [
    "{{aduser@MY.EXAMPLE.COM}}",
    "{{MSSQLSvc/test:1433@MY.EXAMPLE.COM}}"
  ],
  "keytabContents": "{{<keytab>}}",
  "parentSecretArn": "{{<ARN of parent secret>}}",
  "lastModifiedDateTime": "{{2021-07-19 17:06:58}}",
  "version": {{1}}
}
```

------
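The parent credential secret and its child keytab secrets reference each other (`keytabArns` in the parent, `parentSecretArn` in each child), and both must carry the same `awsSeamlessDomainDirectoryId`. A broken link means the rotation template updates the password but the keytabs that depend on it are never refreshed, so the pair is worth checking after every edit. The following consistency check is an added example, not code from AWS Directory Service or from the rotation template. It takes the parsed `SecretString` of the parent and a map of child ARN to parsed child secret, both constructed inline; the secret ARNs and names are made up, the directory ID format check follows the `d-` plus ten hexadecimal characters shape of the example ID on this page, and treating `keytabContents` as a base64-encoded MIT keytab (which begins with the bytes `05 02`) is an assumption taken from the linked blog post rather than from this page.

```python
import base64
import re

# AWS Directory Service IDs on this page look like d-12345abc6e; assumed pattern.
DIRECTORY_ID_RE = re.compile(r"^d-[0-9a-f]{10}$")
# MIT keytab file format magic: 0x05 0x02 (version 2) or 0x05 0x01 (version 1).
KEYTAB_MAGIC = (b"\x05\x02", b"\x05\x01")
PARENT_KEYS = ("awsSeamlessDomainDirectoryId", "awsSeamlessDomainUsername", "awsSeamlessDomainPassword")


def check_ad_secrets(parent_arn, parent, keytabs):
    """Validate a parent AD credential secret against its child keytab secrets.

    parent  -- parsed SecretString of the parent secret
    keytabs -- dict mapping child secret ARN -> parsed child SecretString
    Returns a list of problems; an empty list means the pair is consistent.
    """
    problems = []
    for key in PARENT_KEYS:
        if key not in parent:
            problems.append(f"parent missing {key}")
    directory_id = parent.get("awsSeamlessDomainDirectoryId", "")
    if not DIRECTORY_ID_RE.match(directory_id):
        problems.append(f"unexpected directory ID format: {directory_id!r}")

    for arn in parent.get("keytabArns", []):
        child = keytabs.get(arn)
        if child is None:
            problems.append(f"keytab secret {arn} not found")
            continue
        if child.get("parentSecretArn") != parent_arn:
            problems.append(f"{arn}: parentSecretArn does not point back to the parent")
        if child.get("awsSeamlessDomainDirectoryId") != directory_id:
            problems.append(f"{arn}: directory ID differs from parent")
        if not child.get("principals"):
            problems.append(f"{arn}: no principals listed")
        try:
            blob = base64.b64decode(child.get("keytabContents", ""), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            blob = b""
        if blob[:2] not in KEYTAB_MAGIC:
            problems.append(f"{arn}: keytabContents is not a base64-encoded keytab")
    return problems


# Constructed sample pair (made-up ARNs, placeholder password, dummy keytab bytes).
PARENT_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:ad-parent-AbC456"
CHILD_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:ad-keytab-sql-XyZ123"
PARENT = {
    "awsSeamlessDomainDirectoryId": "d-12345abc6e",
    "awsSeamlessDomainUsername": "svc-sql",
    "awsSeamlessDomainPassword": "placeholder",
    "directoryServiceSecretVersion": 1,
    "schemaVersion": "1.0",
    "keytabArns": [CHILD_ARN],
    "lastModifiedDateTime": "2021-07-19 17:06:58",
}
CHILD = {
    "awsSeamlessDomainDirectoryId": "d-12345abc6e",
    "schemaVersion": "1.0",
    "name": "sql-keytab",
    "principals": ["svc-sql@MY.EXAMPLE.COM", "MSSQLSvc/test:1433@MY.EXAMPLE.COM"],
    "keytabContents": base64.b64encode(b"\x05\x02" + bytes(6)).decode(),
    "parentSecretArn": PARENT_ARN,
    "lastModifiedDateTime": "2021-07-19 17:06:58",
    "version": 1,
}

if __name__ == "__main__":
    print(check_ad_secrets(PARENT_ARN, PARENT, {CHILD_ARN: CHILD}) or "parent and keytab secrets are consistent")
```

In practice the two dictionaries come from `json.loads` of each secret's `SecretString`; the check deliberately reads only metadata and the first two bytes of the keytab, so it can run from an audit role that is allowed to read the secrets but never needs to write them.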