# Secrets Manager examples using AWS CLI with Bash script
The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with Secrets Manager.
*Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services.
Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context.
**Topics**
+ [Scenarios](#scenarios)
## Scenarios
### Creating an Amazon RDS DB instance
The following code example shows how to:
+ Set up networking components
+ Create a DB subnet group
+ Create a DB instance
+ Clean up resources
**AWS CLI with Bash script**
There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/036-rds-gs) repository.
```
#!/bin/bash
# Script to create an Amazon RDS DB instance
# This script follows the tutorial at https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CreateDBInstance.html
# Set up logging
LOG_FILE="rds_creation_$(date +%Y%m%d_%H%M%S).log"
exec > >(tee -a "$LOG_FILE") 2>&1
echo "Starting RDS DB instance creation script - $(date)"
echo "All actions will be logged to $LOG_FILE"
echo "=============================================="
# Function to check for errors in command output
check_error() {
local output=$1
local cmd=$2
if echo "$output" | grep -i "error" > /dev/null; then
echo "ERROR: Command failed: $cmd"
echo "$output"
cleanup_on_error
exit 1
fi
}
# Function to clean up resources on error
cleanup_on_error() {
echo "Error encountered. Attempting to clean up resources..."
if [ -n "$DB_INSTANCE_ID" ]; then
echo "Deleting DB instance $DB_INSTANCE_ID..."
aws rds delete-db-instance --db-instance-identifier "$DB_INSTANCE_ID" --skip-final-snapshot
echo "Waiting for DB instance to be deleted..."
aws rds wait db-instance-deleted --db-instance-identifier "$DB_INSTANCE_ID"
fi
if [ -n "$DB_SUBNET_GROUP_NAME" ] && [ "$CREATED_SUBNET_GROUP" = "true" ]; then
echo "Deleting DB subnet group $DB_SUBNET_GROUP_NAME..."
aws rds delete-db-subnet-group --db-subnet-group-name "$DB_SUBNET_GROUP_NAME"
fi
if [ -n "$SECURITY_GROUP_ID" ] && [ "$CREATED_SECURITY_GROUP" = "true" ]; then
echo "Deleting security group $SECURITY_GROUP_ID..."
aws ec2 delete-security-group --group-id "$SECURITY_GROUP_ID"
fi
echo "Cleanup completed."
}
# Generate a random identifier for resources
RANDOM_ID=$(openssl rand -hex 4)
DB_INSTANCE_ID="mydb-${RANDOM_ID}"
DB_SUBNET_GROUP_NAME="mydbsubnet-${RANDOM_ID}"
SECURITY_GROUP_NAME="mydbsg-${RANDOM_ID}"
# Track created resources
CREATED_SECURITY_GROUP="false"
CREATED_SUBNET_GROUP="false"
# Array to store created resources for display
declare -a CREATED_RESOURCES
echo "Step 1: Checking for default VPC..."
VPC_OUTPUT=$(aws ec2 describe-vpcs --filters "Name=isDefault,Values=true")
check_error "$VPC_OUTPUT" "aws ec2 describe-vpcs"
# Extract VPC ID
VPC_ID=$(echo "$VPC_OUTPUT" | grep -o '"VpcId": "[^"]*' | cut -d'"' -f4)
if [ -z "$VPC_ID" ]; then
echo "No default VPC found. Please create a VPC before running this script."
exit 1
fi
echo "Using VPC: $VPC_ID"
echo "Step 2: Getting subnets from the VPC..."
SUBNET_OUTPUT=$(aws ec2 describe-subnets --filters "Name=vpc-id,Values=$VPC_ID")
check_error "$SUBNET_OUTPUT" "aws ec2 describe-subnets"
# Extract subnet IDs (we need at least 2 in different AZs)
SUBNET_IDS=($(echo "$SUBNET_OUTPUT" | grep -o '"SubnetId": "[^"]*' | cut -d'"' -f4))
if [ ${#SUBNET_IDS[@]} -lt 2 ]; then
echo "Error: Need at least 2 subnets in different AZs. Found ${#SUBNET_IDS[@]} subnets."
exit 1
fi
echo "Found ${#SUBNET_IDS[@]} subnets: ${SUBNET_IDS[*]}"
echo "Step 3: Creating security group for RDS..."
SG_OUTPUT=$(aws ec2 create-security-group \
--group-name "$SECURITY_GROUP_NAME" \
--description "Security group for RDS database access" \
--vpc-id "$VPC_ID")
check_error "$SG_OUTPUT" "aws ec2 create-security-group"
SECURITY_GROUP_ID=$(echo "$SG_OUTPUT" | grep -o '"GroupId": "[^"]*' | cut -d'"' -f4)
CREATED_SECURITY_GROUP="true"
CREATED_RESOURCES+=("Security Group: $SECURITY_GROUP_ID ($SECURITY_GROUP_NAME)")
echo "Created security group: $SECURITY_GROUP_ID"
echo "Step 4: Adding inbound rule to security group..."
# Note: In a production environment, you should restrict this to specific IP ranges
# We're using the local machine's IP address for this example
MY_IP=$(curl -s https://checkip.amazonaws.com)
check_error "$MY_IP" "curl -s https://checkip.amazonaws.com"
INGRESS_OUTPUT=$(aws ec2 authorize-security-group-ingress \
--group-id "$SECURITY_GROUP_ID" \
--protocol tcp \
--port 3306 \
--cidr "${MY_IP}/32")
check_error "$INGRESS_OUTPUT" "aws ec2 authorize-security-group-ingress"
echo "Added inbound rule to allow MySQL connections from ${MY_IP}/32"
echo "Step 5: Creating DB subnet group..."
# Select the first two subnets for the DB subnet group
SUBNET1=${SUBNET_IDS[0]}
SUBNET2=${SUBNET_IDS[1]}
SUBNET_GROUP_OUTPUT=$(aws rds create-db-subnet-group \
--db-subnet-group-name "$DB_SUBNET_GROUP_NAME" \
--db-subnet-group-description "Subnet group for RDS tutorial" \
--subnet-ids "$SUBNET1" "$SUBNET2")
check_error "$SUBNET_GROUP_OUTPUT" "aws rds create-db-subnet-group"
CREATED_SUBNET_GROUP="true"
CREATED_RESOURCES+=("DB Subnet Group: $DB_SUBNET_GROUP_NAME")
echo "Created DB subnet group: $DB_SUBNET_GROUP_NAME"
echo "Step 6: Creating a secure password in AWS Secrets Manager..."
SECRET_NAME="rds-db-credentials-${RANDOM_ID}"
SECRET_OUTPUT=$(aws secretsmanager create-secret \
--name "$SECRET_NAME" \
--description "RDS DB credentials for $DB_INSTANCE_ID" \
--secret-string '{"username":"adminuser","password":"'"$(openssl rand -base64 16)"'"}')
check_error "$SECRET_OUTPUT" "aws secretsmanager create-secret"
SECRET_ARN=$(echo "$SECRET_OUTPUT" | grep -o '"ARN": "[^"]*' | cut -d'"' -f4)
CREATED_RESOURCES+=("Secret: $SECRET_ARN ($SECRET_NAME)")
echo "Created secret: $SECRET_NAME"
echo "Step 7: Retrieving the username and password from the secret..."
SECRET_VALUE_OUTPUT=$(aws secretsmanager get-secret-value --secret-id "$SECRET_NAME" --query 'SecretString' --output text)
check_error "$SECRET_VALUE_OUTPUT" "aws secretsmanager get-secret-value"
DB_USERNAME=$(echo "$SECRET_VALUE_OUTPUT" | grep -o '"username":"[^"]*' | cut -d'"' -f4)
DB_PASSWORD=$(echo "$SECRET_VALUE_OUTPUT" | grep -o '"password":"[^"]*' | cut -d'"' -f4)
echo "Retrieved database credentials"
echo "Step 8: Creating RDS DB instance..."
echo "This may take several minutes..."
DB_OUTPUT=$(aws rds create-db-instance \
--db-instance-identifier "$DB_INSTANCE_ID" \
--db-instance-class db.t3.micro \
--engine mysql \
--master-username "$DB_USERNAME" \
--master-user-password "$DB_PASSWORD" \
--allocated-storage 20 \
--vpc-security-group-ids "$SECURITY_GROUP_ID" \
--db-subnet-group-name "$DB_SUBNET_GROUP_NAME" \
--backup-retention-period 7 \
--no-publicly-accessible \
--no-multi-az)
check_error "$DB_OUTPUT" "aws rds create-db-instance"
CREATED_RESOURCES+=("DB Instance: $DB_INSTANCE_ID")
echo "DB instance creation initiated: $DB_INSTANCE_ID"
echo "Waiting for DB instance to become available..."
echo "This may take 5-10 minutes..."
aws rds wait db-instance-available --db-instance-identifier "$DB_INSTANCE_ID"
DB_STATUS=$?
if [ $DB_STATUS -ne 0 ]; then
echo "Error waiting for DB instance to become available"
cleanup_on_error
exit 1
fi
echo "DB instance is now available!"
echo "Step 9: Getting connection information..."
ENDPOINT_INFO=$(aws rds describe-db-instances \
--db-instance-identifier "$DB_INSTANCE_ID" \
--query 'DBInstances[0].[Endpoint.Address,Endpoint.Port,MasterUsername]' \
--output text)
check_error "$ENDPOINT_INFO" "aws rds describe-db-instances"
DB_ENDPOINT=$(echo "$ENDPOINT_INFO" | awk '{print $1}')
DB_PORT=$(echo "$ENDPOINT_INFO" | awk '{print $2}')
DB_USER=$(echo "$ENDPOINT_INFO" | awk '{print $3}')
echo "=============================================="
echo "DB Instance successfully created!"
echo "=============================================="
echo "Connection Information:"
echo " Endpoint: $DB_ENDPOINT"
echo " Port: $DB_PORT"
echo " Username: $DB_USER"
echo " Password: [Stored in AWS Secrets Manager - $SECRET_NAME]"
echo ""
echo "To connect using the mysql client:"
echo "mysql -h $DB_ENDPOINT -P $DB_PORT -u $DB_USER -p"
echo "=============================================="
echo ""
echo "Resources created:"
for resource in "${CREATED_RESOURCES[@]}"; do
echo " - $resource"
done
echo ""
# Ask user if they want to clean up resources
echo ""
echo "==========================================="
echo "CLEANUP CONFIRMATION"
echo "==========================================="
echo "Do you want to clean up all created resources? (y/n): "
read -r CLEANUP_CHOICE
if [[ $CLEANUP_CHOICE =~ ^[Yy] ]]; then
echo "Starting cleanup process..."
echo "Step 1: Deleting DB instance $DB_INSTANCE_ID..."
aws rds delete-db-instance --db-instance-identifier "$DB_INSTANCE_ID" --skip-final-snapshot
echo "Waiting for DB instance to be deleted..."
aws rds wait db-instance-deleted --db-instance-identifier "$DB_INSTANCE_ID"
echo "Step 2: Deleting secret $SECRET_NAME..."
aws secretsmanager delete-secret --secret-id "$SECRET_NAME" --force-delete-without-recovery
echo "Step 3: Deleting DB subnet group $DB_SUBNET_GROUP_NAME..."
aws rds delete-db-subnet-group --db-subnet-group-name "$DB_SUBNET_GROUP_NAME"
echo "Step 4: Deleting security group $SECURITY_GROUP_ID..."
aws ec2 delete-security-group --group-id "$SECURITY_GROUP_ID"
echo "Cleanup completed successfully!"
else
echo "Skipping cleanup. Resources will remain in your AWS account."
echo "To clean up later, you'll need to delete these resources manually."
fi
echo "Script completed successfully!"
```
+ For API details, see the following topics in *AWS CLI Command Reference*.
+ [AuthorizeSecurityGroupIngress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/AuthorizeSecurityGroupIngress)
+ [CreateDbInstance](https://docs.aws.amazon.com/goto/aws-cli/rds-2014-10-31/CreateDbInstance)
+ [CreateDbSubnetGroup](https://docs.aws.amazon.com/goto/aws-cli/rds-2014-10-31/CreateDbSubnetGroup)
+ [CreateSecret](https://docs.aws.amazon.com/goto/aws-cli/secretsmanager-2017-10-17/CreateSecret)
+ [CreateSecurityGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateSecurityGroup)
+ [DeleteDbInstance](https://docs.aws.amazon.com/goto/aws-cli/rds-2014-10-31/DeleteDbInstance)
+ [DeleteDbSubnetGroup](https://docs.aws.amazon.com/goto/aws-cli/rds-2014-10-31/DeleteDbSubnetGroup)
+ [DeleteSecret](https://docs.aws.amazon.com/goto/aws-cli/secretsmanager-2017-10-17/DeleteSecret)
+ [DeleteSecurityGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteSecurityGroup)
+ [DescribeDbInstances](https://docs.aws.amazon.com/goto/aws-cli/rds-2014-10-31/DescribeDbInstances)
+ [DescribeSubnets](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeSubnets)
+ [DescribeVpcs](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeVpcs)
+ [GetSecretValue](https://docs.aws.amazon.com/goto/aws-cli/secretsmanager-2017-10-17/GetSecretValue)
+ [Wait](https://docs.aws.amazon.com/goto/aws-cli/rds-2014-10-31/Wait)
### Get started with Redshift Serverless
The following code example shows how to:
+ Use secrets-manager CreateSecret
+ Use secrets-manager DeleteSecret
+ Use secrets-manager GetSecretValue
+ Use redshift CreateNamespace
+ Use redshift CreateWorkgroup
+ Use redshift DeleteNamespace
+ Use iam CreateRole
**AWS CLI with Bash script**
There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/038-redshift-serverless) repository.
```
#!/bin/bash
# Amazon Redshift Serverless Tutorial Script with Secrets Manager (No jq dependency)
# This script creates a Redshift Serverless environment, loads sample data, and runs queries
# Uses AWS Secrets Manager for secure password management without requiring jq
# Set up logging
LOG_FILE="redshift-serverless-tutorial-v4.log"
exec > >(tee -a "$LOG_FILE") 2>&1
echo "Starting Amazon Redshift Serverless tutorial script at $(date)"
echo "All commands and outputs will be logged to $LOG_FILE"
# Function to check for errors in command output
check_error() {
local output=$1
local cmd=$2
if echo "$output" | grep -i "error\|exception\|fail" > /dev/null; then
echo "ERROR: Command failed: $cmd"
echo "Output: $output"
cleanup_resources
exit 1
fi
}
# Function to generate a secure password that meets Redshift requirements
generate_secure_password() {
# Redshift password requirements:
# - 8-64 characters
# - At least one uppercase letter
# - At least one lowercase letter
# - At least one decimal digit
# - Can contain printable ASCII characters except /, ", ', \, @, space
local password=""
local valid=false
local attempts=0
local max_attempts=10
while [[ "$valid" == false && $attempts -lt $max_attempts ]]; do
# Generate base password with safe characters
local base=$(openssl rand -base64 12 | tr -d '/+=' | head -c 12)
# Ensure we have at least one of each required character type
local upper=$(echo "ABCDEFGHIJKLMNOPQRSTUVWXYZ" | fold -w1 | shuf -n1)
local lower=$(echo "abcdefghijklmnopqrstuvwxyz" | fold -w1 | shuf -n1)
local digit=$(echo "0123456789" | fold -w1 | shuf -n1)
local special=$(echo "!#$%&*()_+-=[]{}|;:,.<>?" | fold -w1 | shuf -n1)
# Combine and shuffle
password="${base}${upper}${lower}${digit}${special}"
password=$(echo "$password" | fold -w1 | shuf | tr -d '\n')
# Validate password meets requirements
if [[ ${#password} -ge 8 && ${#password} -le 64 ]] && \
[[ "$password" =~ [A-Z] ]] && \
[[ "$password" =~ [a-z] ]] && \
[[ "$password" =~ [0-9] ]] && \
[[ ! "$password" =~ [/\"\'\\@[:space:]] ]]; then
valid=true
fi
((attempts++))
done
if [[ "$valid" == false ]]; then
echo "ERROR: Failed to generate valid password after $max_attempts attempts"
exit 1
fi
echo "$password"
}
# Function to create secret in AWS Secrets Manager
create_secret() {
local secret_name=$1
local username=$2
local password=$3
local description=$4
echo "Creating secret in AWS Secrets Manager: $secret_name"
# Create the secret using AWS CLI without jq
local secret_output=$(aws secretsmanager create-secret \
--name "$secret_name" \
--description "$description" \
--secret-string "{\"username\":\"$username\",\"password\":\"$password\"}" 2>&1)
if echo "$secret_output" | grep -i "error\|exception\|fail" > /dev/null; then
echo "ERROR: Failed to create secret: $secret_output"
return 1
fi
echo "Secret created successfully: $secret_name"
return 0
}
# Function to retrieve password from AWS Secrets Manager
get_password_from_secret() {
local secret_name=$1
# Get the secret value and extract password using sed/grep instead of jq
local secret_value=$(aws secretsmanager get-secret-value \
--secret-id "$secret_name" \
--query 'SecretString' \
--output text 2>/dev/null)
if [[ $? -eq 0 ]]; then
# Extract password from JSON using sed
echo "$secret_value" | sed -n 's/.*"password":"\([^"]*\)".*/\1/p'
else
echo ""
fi
}
# Function to wait for a resource to be available
wait_for_resource() {
local resource_type=$1
local resource_name=$2
local max_attempts=$3
local wait_seconds=$4
local check_cmd=$5
echo "Waiting for $resource_type $resource_name to be available..."
for ((i=1; i<=$max_attempts; i++)); do
local output=$($check_cmd 2>/dev/null)
local status=$(echo "$output" | grep -o '"Status": "[^"]*' | cut -d'"' -f4 || echo "")
if [[ "$status" == "AVAILABLE" ]]; then
echo "$resource_type $resource_name is now available"
return 0
fi
echo "Attempt $i/$max_attempts: $resource_type $resource_name status: $status. Waiting $wait_seconds seconds..."
sleep $wait_seconds
done
echo "ERROR: Timed out waiting for $resource_type $resource_name to be available"
return 1
}
# Function to wait for a resource to be deleted
wait_for_resource_deletion() {
local resource_type=$1
local resource_name=$2
local max_attempts=$3
local wait_seconds=$4
local check_cmd=$5
echo "Waiting for $resource_type $resource_name to be deleted..."
for ((i=1; i<=$max_attempts; i++)); do
local output=$($check_cmd 2>&1)
if echo "$output" | grep -i "not found\|does not exist" > /dev/null; then
echo "$resource_type $resource_name has been deleted"
return 0
fi
echo "Attempt $i/$max_attempts: $resource_type $resource_name is still being deleted. Waiting $wait_seconds seconds..."
sleep $wait_seconds
done
echo "ERROR: Timed out waiting for $resource_type $resource_name to be deleted"
return 1
}
# Function to clean up resources
cleanup_resources() {
echo ""
echo "==========================================="
echo "CLEANUP CONFIRMATION"
echo "==========================================="
echo "The following resources were created:"
echo "- Redshift Serverless Workgroup: $WORKGROUP_NAME"
echo "- Redshift Serverless Namespace: $NAMESPACE_NAME"
echo "- IAM Role: $ROLE_NAME"
echo "- Secrets Manager Secret: $SECRET_NAME"
echo ""
echo "Do you want to clean up all created resources? (y/n): "
read -r CLEANUP_CHOICE
if [[ "${CLEANUP_CHOICE,,}" == "y" ]]; then
echo "Cleaning up resources..."
# Delete the workgroup
echo "Deleting Redshift Serverless workgroup $WORKGROUP_NAME..."
WORKGROUP_DELETE_OUTPUT=$(aws redshift-serverless delete-workgroup --workgroup-name "$WORKGROUP_NAME" 2>&1)
echo "$WORKGROUP_DELETE_OUTPUT"
# Wait for workgroup to be deleted before deleting namespace
wait_for_resource_deletion "workgroup" "$WORKGROUP_NAME" 20 30 "aws redshift-serverless get-workgroup --workgroup-name $WORKGROUP_NAME"
# Delete the namespace
echo "Deleting Redshift Serverless namespace $NAMESPACE_NAME..."
NAMESPACE_DELETE_OUTPUT=$(aws redshift-serverless delete-namespace --namespace-name "$NAMESPACE_NAME" 2>&1)
echo "$NAMESPACE_DELETE_OUTPUT"
# Wait for namespace to be deleted
wait_for_resource_deletion "namespace" "$NAMESPACE_NAME" 20 30 "aws redshift-serverless get-namespace --namespace-name $NAMESPACE_NAME"
# Delete the IAM role policy
echo "Deleting IAM role policy..."
POLICY_DELETE_OUTPUT=$(aws iam delete-role-policy --role-name "$ROLE_NAME" --policy-name S3Access 2>&1)
echo "$POLICY_DELETE_OUTPUT"
# Delete the IAM role
echo "Deleting IAM role $ROLE_NAME..."
ROLE_DELETE_OUTPUT=$(aws iam delete-role --role-name "$ROLE_NAME" 2>&1)
echo "$ROLE_DELETE_OUTPUT"
# Delete the secret
echo "Deleting Secrets Manager secret $SECRET_NAME..."
SECRET_DELETE_OUTPUT=$(aws secretsmanager delete-secret --secret-id "$SECRET_NAME" --force-delete-without-recovery 2>&1)
echo "$SECRET_DELETE_OUTPUT"
echo "Cleanup completed."
else
echo "Cleanup skipped. Resources will remain in your AWS account."
fi
}
# Check if required tools are available
if ! command -v openssl &> /dev/null; then
echo "ERROR: openssl is required but not installed. Please install openssl to continue."
exit 1
fi
# Generate unique names for resources
RANDOM_SUFFIX=$(cat /dev/urandom | tr -dc 'a-z0-9' | head -c 6)
NAMESPACE_NAME="rs-namespace-${RANDOM_SUFFIX}"
WORKGROUP_NAME="rs-workgroup-${RANDOM_SUFFIX}"
ROLE_NAME="RedshiftServerlessS3Role-${RANDOM_SUFFIX}"
SECRET_NAME="redshift-serverless-admin-${RANDOM_SUFFIX}"
DB_NAME="dev"
ADMIN_USERNAME="admin"
# Generate secure password
echo "Generating secure password..."
ADMIN_PASSWORD=$(generate_secure_password)
# Create secret in AWS Secrets Manager
create_secret "$SECRET_NAME" "$ADMIN_USERNAME" "$ADMIN_PASSWORD" "Admin credentials for Redshift Serverless namespace $NAMESPACE_NAME"
if [[ $? -ne 0 ]]; then
echo "ERROR: Failed to create secret in AWS Secrets Manager"
exit 1
fi
# Track created resources
CREATED_RESOURCES=()
echo "Using the following resource names:"
echo "- Namespace: $NAMESPACE_NAME"
echo "- Workgroup: $WORKGROUP_NAME"
echo "- IAM Role: $ROLE_NAME"
echo "- Secret: $SECRET_NAME"
echo "- Database: $DB_NAME"
echo "- Admin Username: $ADMIN_USERNAME"
echo "- Admin Password: [STORED IN SECRETS MANAGER]"
# Step 1: Create IAM role for S3 access
echo "Creating IAM role for Redshift Serverless S3 access..."
# Create trust policy document
cat > redshift-trust-policy.json << EOF
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "redshift-serverless.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
# Create S3 access policy document
cat > redshift-s3-policy.json << EOF
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::redshift-downloads",
"arn:aws:s3:::redshift-downloads/*"
]
}
]
}
EOF
# Create IAM role
echo "Creating IAM role $ROLE_NAME..."
ROLE_OUTPUT=$(aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document file://redshift-trust-policy.json 2>&1)
echo "$ROLE_OUTPUT"
check_error "$ROLE_OUTPUT" "aws iam create-role"
CREATED_RESOURCES+=("IAM Role: $ROLE_NAME")
# Attach S3 policy to the role
echo "Attaching S3 access policy to role $ROLE_NAME..."
POLICY_OUTPUT=$(aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name S3Access --policy-document file://redshift-s3-policy.json 2>&1)
echo "$POLICY_OUTPUT"
check_error "$POLICY_OUTPUT" "aws iam put-role-policy"
# Get the role ARN
ROLE_ARN=$(aws iam get-role --role-name "$ROLE_NAME" --query 'Role.Arn' --output text)
echo "Role ARN: $ROLE_ARN"
# Step 2: Create a namespace
echo "Creating Redshift Serverless namespace $NAMESPACE_NAME..."
NAMESPACE_OUTPUT=$(aws redshift-serverless create-namespace \
--namespace-name "$NAMESPACE_NAME" \
--admin-username "$ADMIN_USERNAME" \
--admin-user-password "$ADMIN_PASSWORD" \
--db-name "$DB_NAME" 2>&1)
echo "$NAMESPACE_OUTPUT"
check_error "$NAMESPACE_OUTPUT" "aws redshift-serverless create-namespace"
CREATED_RESOURCES+=("Redshift Serverless Namespace: $NAMESPACE_NAME")
# Wait for namespace to be available
wait_for_resource "namespace" "$NAMESPACE_NAME" 10 30 "aws redshift-serverless get-namespace --namespace-name $NAMESPACE_NAME"
# Associate IAM role with namespace
echo "Associating IAM role with namespace..."
UPDATE_NAMESPACE_OUTPUT=$(aws redshift-serverless update-namespace \
--namespace-name "$NAMESPACE_NAME" \
--iam-roles "$ROLE_ARN" 2>&1)
echo "$UPDATE_NAMESPACE_OUTPUT"
check_error "$UPDATE_NAMESPACE_OUTPUT" "aws redshift-serverless update-namespace"
# Step 3: Create a workgroup
echo "Creating Redshift Serverless workgroup $WORKGROUP_NAME..."
WORKGROUP_OUTPUT=$(aws redshift-serverless create-workgroup \
--workgroup-name "$WORKGROUP_NAME" \
--namespace-name "$NAMESPACE_NAME" \
--base-capacity 8 2>&1)
echo "$WORKGROUP_OUTPUT"
check_error "$WORKGROUP_OUTPUT" "aws redshift-serverless create-workgroup"
CREATED_RESOURCES+=("Redshift Serverless Workgroup: $WORKGROUP_NAME")
# Wait for workgroup to be available
wait_for_resource "workgroup" "$WORKGROUP_NAME" 20 30 "aws redshift-serverless get-workgroup --workgroup-name $WORKGROUP_NAME"
# Get workgroup endpoint
WORKGROUP_ENDPOINT=$(aws redshift-serverless get-workgroup \
--workgroup-name "$WORKGROUP_NAME" \
--query 'workgroup.endpoint.address' \
--output text)
echo "Workgroup endpoint: $WORKGROUP_ENDPOINT"
# Wait additional time for the endpoint to be fully operational
echo "Waiting for endpoint to be fully operational..."
sleep 60
# Step 4: Create tables for sample data
echo "Creating tables for sample data..."
# Create users table
echo "Creating users table..."
USERS_TABLE_OUTPUT=$(aws redshift-data execute-statement \
--database "$DB_NAME" \
--workgroup-name "$WORKGROUP_NAME" \
--sql "CREATE TABLE users(
userid INTEGER NOT NULL DISTKEY SORTKEY,
username CHAR(8),
firstname VARCHAR(30),
lastname VARCHAR(30),
city VARCHAR(30),
state CHAR(2),
email VARCHAR(100),
phone CHAR(14),
likesports BOOLEAN,
liketheatre BOOLEAN,
likeconcerts BOOLEAN,
likejazz BOOLEAN,
likeclassical BOOLEAN,
likeopera BOOLEAN,
likerock BOOLEAN,
likevegas BOOLEAN,
likebroadway BOOLEAN,
likemusicals BOOLEAN
);" 2>&1)
echo "$USERS_TABLE_OUTPUT"
check_error "$USERS_TABLE_OUTPUT" "aws redshift-data execute-statement (users table)"
USERS_QUERY_ID=$(echo "$USERS_TABLE_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4)
# Wait for query to complete
echo "Waiting for users table creation to complete..."
sleep 5
# Create event table
echo "Creating event table..."
EVENT_TABLE_OUTPUT=$(aws redshift-data execute-statement \
--database "$DB_NAME" \
--workgroup-name "$WORKGROUP_NAME" \
--sql "CREATE TABLE event(
eventid INTEGER NOT NULL DISTKEY,
venueid SMALLINT NOT NULL,
catid SMALLINT NOT NULL,
dateid SMALLINT NOT NULL SORTKEY,
eventname VARCHAR(200),
starttime TIMESTAMP
);" 2>&1)
echo "$EVENT_TABLE_OUTPUT"
check_error "$EVENT_TABLE_OUTPUT" "aws redshift-data execute-statement (event table)"
EVENT_QUERY_ID=$(echo "$EVENT_TABLE_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4)
# Wait for query to complete
echo "Waiting for event table creation to complete..."
sleep 5
# Create sales table
echo "Creating sales table..."
SALES_TABLE_OUTPUT=$(aws redshift-data execute-statement \
--database "$DB_NAME" \
--workgroup-name "$WORKGROUP_NAME" \
--sql "CREATE TABLE sales(
salesid INTEGER NOT NULL,
listid INTEGER NOT NULL DISTKEY,
sellerid INTEGER NOT NULL,
buyerid INTEGER NOT NULL,
eventid INTEGER NOT NULL,
dateid SMALLINT NOT NULL SORTKEY,
qtysold SMALLINT NOT NULL,
pricepaid DECIMAL(8,2),
commission DECIMAL(8,2),
saletime TIMESTAMP
);" 2>&1)
echo "$SALES_TABLE_OUTPUT"
check_error "$SALES_TABLE_OUTPUT" "aws redshift-data execute-statement (sales table)"
SALES_QUERY_ID=$(echo "$SALES_TABLE_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4)
# Wait for tables to be created
echo "Waiting for tables to be created..."
sleep 10
# Step 5: Load sample data from Amazon S3
echo "Loading sample data from Amazon S3..."
# Load data into users table
echo "Loading data into users table..."
USERS_LOAD_OUTPUT=$(aws redshift-data execute-statement \
--database "$DB_NAME" \
--workgroup-name "$WORKGROUP_NAME" \
--sql "COPY users
FROM 's3://redshift-downloads/tickit/allusers_pipe.txt'
DELIMITER '|'
TIMEFORMAT 'YYYY-MM-DD HH:MI:SS'
IGNOREHEADER 1
IAM_ROLE '$ROLE_ARN';" 2>&1)
echo "$USERS_LOAD_OUTPUT"
check_error "$USERS_LOAD_OUTPUT" "aws redshift-data execute-statement (load users)"
USERS_LOAD_QUERY_ID=$(echo "$USERS_LOAD_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4)
# Wait for data loading to complete
echo "Waiting for users data loading to complete..."
sleep 10
# Load data into event table
echo "Loading data into event table..."
EVENT_LOAD_OUTPUT=$(aws redshift-data execute-statement \
--database "$DB_NAME" \
--workgroup-name "$WORKGROUP_NAME" \
--sql "COPY event
FROM 's3://redshift-downloads/tickit/allevents_pipe.txt'
DELIMITER '|'
TIMEFORMAT 'YYYY-MM-DD HH:MI:SS'
IGNOREHEADER 1
IAM_ROLE '$ROLE_ARN';" 2>&1)
echo "$EVENT_LOAD_OUTPUT"
check_error "$EVENT_LOAD_OUTPUT" "aws redshift-data execute-statement (load event)"
EVENT_LOAD_QUERY_ID=$(echo "$EVENT_LOAD_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4)
# Wait for data loading to complete
echo "Waiting for event data loading to complete..."
sleep 10
# Load data into sales table
echo "Loading data into sales table..."
SALES_LOAD_OUTPUT=$(aws redshift-data execute-statement \
--database "$DB_NAME" \
--workgroup-name "$WORKGROUP_NAME" \
--sql "COPY sales
FROM 's3://redshift-downloads/tickit/sales_tab.txt'
DELIMITER '\t'
TIMEFORMAT 'MM/DD/YYYY HH:MI:SS'
IGNOREHEADER 1
IAM_ROLE '$ROLE_ARN';" 2>&1)
echo "$SALES_LOAD_OUTPUT"
check_error "$SALES_LOAD_OUTPUT" "aws redshift-data execute-statement (load sales)"
SALES_LOAD_QUERY_ID=$(echo "$SALES_LOAD_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4)
# Wait for data loading to complete
echo "Waiting for sales data loading to complete..."
sleep 30
# Step 6: Run sample queries
echo "Running sample queries..."
# Query 1: Find top 10 buyers by quantity
echo "Running query: Find top 10 buyers by quantity..."
QUERY1_OUTPUT=$(aws redshift-data execute-statement \
--database "$DB_NAME" \
--workgroup-name "$WORKGROUP_NAME" \
--sql "SELECT firstname, lastname, total_quantity
FROM (SELECT buyerid, sum(qtysold) total_quantity
FROM sales
GROUP BY buyerid
ORDER BY total_quantity desc limit 10) Q, users
WHERE Q.buyerid = userid
ORDER BY Q.total_quantity desc;" 2>&1)
echo "$QUERY1_OUTPUT"
check_error "$QUERY1_OUTPUT" "aws redshift-data execute-statement (query 1)"
QUERY1_ID=$(echo "$QUERY1_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4)
# Wait for query to complete
echo "Waiting for query 1 to complete..."
sleep 10
# Get query 1 results
echo "Getting results for query 1..."
QUERY1_STATUS_OUTPUT=$(aws redshift-data describe-statement --id "$QUERY1_ID" 2>&1)
echo "$QUERY1_STATUS_OUTPUT"
check_error "$QUERY1_STATUS_OUTPUT" "aws redshift-data describe-statement (query 1)"
QUERY1_STATUS=$(echo "$QUERY1_STATUS_OUTPUT" | grep -o '"Status": "[^"]*' | cut -d'"' -f4)
if [ "$QUERY1_STATUS" == "FINISHED" ]; then
QUERY1_RESULTS=$(aws redshift-data get-statement-result --id "$QUERY1_ID" 2>&1)
echo "Query 1 Results:"
echo "$QUERY1_RESULTS"
else
echo "Query 1 is not yet complete. Status: $QUERY1_STATUS"
echo "Waiting additional time for query to complete..."
sleep 20
# Check again
QUERY1_STATUS_OUTPUT=$(aws redshift-data describe-statement --id "$QUERY1_ID" 2>&1)
QUERY1_STATUS=$(echo "$QUERY1_STATUS_OUTPUT" | grep -o '"Status": "[^"]*' | cut -d'"' -f4)
if [ "$QUERY1_STATUS" == "FINISHED" ]; then
QUERY1_RESULTS=$(aws redshift-data get-statement-result --id "$QUERY1_ID" 2>&1)
echo "Query 1 Results:"
echo "$QUERY1_RESULTS"
else
echo "Query 1 is still not complete. Status: $QUERY1_STATUS"
fi
fi
# Query 2: Find events in the 99.9 percentile in terms of all time total sales
echo "Running query: Find events in the 99.9 percentile in terms of all time total sales..."
QUERY2_OUTPUT=$(aws redshift-data execute-statement \
--database "$DB_NAME" \
--workgroup-name "$WORKGROUP_NAME" \
--sql "SELECT eventname, total_price
FROM (SELECT eventid, total_price, ntile(1000) over(order by total_price desc) as percentile
FROM (SELECT eventid, sum(pricepaid) total_price
FROM sales
GROUP BY eventid)) Q, event E
WHERE Q.eventid = E.eventid
AND percentile = 1
ORDER BY total_price desc;" 2>&1)
echo "$QUERY2_OUTPUT"
check_error "$QUERY2_OUTPUT" "aws redshift-data execute-statement (query 2)"
QUERY2_ID=$(echo "$QUERY2_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4)
# Wait for query to complete
echo "Waiting for query 2 to complete..."
sleep 10
# Get query 2 results
echo "Getting results for query 2..."
QUERY2_STATUS_OUTPUT=$(aws redshift-data describe-statement --id "$QUERY2_ID" 2>&1)
echo "$QUERY2_STATUS_OUTPUT"
check_error "$QUERY2_STATUS_OUTPUT" "aws redshift-data describe-statement (query 2)"
QUERY2_STATUS=$(echo "$QUERY2_STATUS_OUTPUT" | grep -o '"Status": "[^"]*' | cut -d'"' -f4)
if [ "$QUERY2_STATUS" == "FINISHED" ]; then
QUERY2_RESULTS=$(aws redshift-data get-statement-result --id "$QUERY2_ID" 2>&1)
echo "Query 2 Results:"
echo "$QUERY2_RESULTS"
else
echo "Query 2 is not yet complete. Status: $QUERY2_STATUS"
echo "Waiting additional time for query to complete..."
sleep 20
# Check again
QUERY2_STATUS_OUTPUT=$(aws redshift-data describe-statement --id "$QUERY2_ID" 2>&1)
QUERY2_STATUS=$(echo "$QUERY2_STATUS_OUTPUT" | grep -o '"Status": "[^"]*' | cut -d'"' -f4)
if [ "$QUERY2_STATUS" == "FINISHED" ]; then
QUERY2_RESULTS=$(aws redshift-data get-statement-result --id "$QUERY2_ID" 2>&1)
echo "Query 2 Results:"
echo "$QUERY2_RESULTS"
else
echo "Query 2 is still not complete. Status: $QUERY2_STATUS"
fi
fi
# Summary
echo ""
echo "==========================================="
echo "TUTORIAL SUMMARY"
echo "==========================================="
echo "You have successfully:"
echo "1. Created a Redshift Serverless namespace and workgroup"
echo "2. Created an IAM role with S3 access permissions"
echo "3. Stored admin credentials securely in AWS Secrets Manager"
echo "4. Created tables for sample data"
echo "5. Loaded sample data from Amazon S3"
echo "6. Run sample queries on the data"
echo ""
echo "Redshift Serverless Resources:"
echo "- Namespace: $NAMESPACE_NAME"
echo "- Workgroup: $WORKGROUP_NAME"
echo "- Database: $DB_NAME"
echo "- Endpoint: $WORKGROUP_ENDPOINT"
echo "- Credentials Secret: $SECRET_NAME"
echo ""
echo "To connect to your Redshift Serverless database using SQL tools:"
echo "- Host: $WORKGROUP_ENDPOINT"
echo "- Database: $DB_NAME"
echo "- Username: $ADMIN_USERNAME"
echo "- Password: Retrieve from AWS Secrets Manager secret '$SECRET_NAME'"
echo ""
echo "To retrieve the password from Secrets Manager (without jq):"
echo "aws secretsmanager get-secret-value --secret-id $SECRET_NAME --query 'SecretString' --output text | sed -n 's/.*\"password\":\"\([^\"]*\)\".*/\1/p'"
echo ""
# Clean up temporary files
rm -f redshift-trust-policy.json redshift-s3-policy.json
# Clean up resources
cleanup_resources
echo "Tutorial completed at $(date)"
```
+ For API details, see the following topics in *AWS CLI Command Reference*.
+ [CreateNamespace](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/CreateNamespace)
+ [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole)
+ [CreateSecret](https://docs.aws.amazon.com/goto/aws-cli/secretsmanager-2017-10-17/CreateSecret)
+ [CreateWorkgroup](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/CreateWorkgroup)
+ [DeleteNamespace](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/DeleteNamespace)
+ [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole)
+ [DeleteRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRolePolicy)
+ [DeleteSecret](https://docs.aws.amazon.com/goto/aws-cli/secretsmanager-2017-10-17/DeleteSecret)
+ [DeleteWorkgroup](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/DeleteWorkgroup)
+ [GetNamespace](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/GetNamespace)
+ [GetRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/GetRole)
+ [GetSecretValue](https://docs.aws.amazon.com/goto/aws-cli/secretsmanager-2017-10-17/GetSecretValue)
+ [GetWorkgroup](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/GetWorkgroup)
+ [PutRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/PutRolePolicy)
+ [UpdateNamespace](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/UpdateNamespace)
### Getting started with Amazon DocumentDB
The following code example shows how to:
+ Create a DB subnet group
+ Create a DocumentDB cluster
+ Create a DocumentDB instance
+ Configure security and connectivity
+ Clean up resources
**AWS CLI with Bash script**
There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/025-documentdb-gs) repository.
```
#!/bin/bash
# Amazon DocumentDB - Getting Started
# This script creates a DocumentDB cluster with encrypted storage, stores the
# master password in Secrets Manager, and displays connection information.
set -eE
###############################################################################
# Configuration
###############################################################################
SUFFIX=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 8 | head -n 1)
CLUSTER_ID="docdb-gs-${SUFFIX}"
INSTANCE_ID="${CLUSTER_ID}-inst"
SUBNET_GROUP_NAME="docdb-subnet-${SUFFIX}"
SECRET_NAME="docdb-secret-${SUFFIX}"
MASTER_USER="docdbadmin"
ENGINE_VERSION="5.0.0"
INSTANCE_CLASS="db.t3.medium"
DOCDB_PORT=27017
WAIT_TIMEOUT=900
TEMP_DIR=$(mktemp -d)
LOG_FILE="${TEMP_DIR}/documentdb-gs.log"
CREATED_RESOURCES=()
###############################################################################
# Logging
###############################################################################
exec > >(tee -a "$LOG_FILE") 2>&1
echo "Log file: $LOG_FILE"
echo ""
###############################################################################
# Region pre-check
###############################################################################
CONFIGURED_REGION=$(aws configure get region 2>/dev/null || true)
if [ -z "$CONFIGURED_REGION" ] && [ -z "$AWS_DEFAULT_REGION" ] && [ -z "$AWS_REGION" ]; then
echo "ERROR: No AWS region configured."
echo "Run 'aws configure set region ' or export AWS_DEFAULT_REGION."
exit 1
fi
REGION="${AWS_REGION:-${AWS_DEFAULT_REGION:-$CONFIGURED_REGION}}"
echo "Using region: $REGION"
echo ""
###############################################################################
# Error handler
###############################################################################
handle_error() {
echo ""
echo "==========================================="
echo "ERROR at $1"
echo "==========================================="
echo ""
if [ ${#CREATED_RESOURCES[@]} -gt 0 ]; then
echo "Resources created before error:"
for r in "${CREATED_RESOURCES[@]}"; do
echo " - $r"
done
echo ""
echo "Attempting cleanup..."
cleanup_resources
fi
rm -rf "$TEMP_DIR"
exit 1
}
trap 'handle_error "line $LINENO"' ERR
###############################################################################
# Wait function
###############################################################################
wait_for_status() {
local resource_type="$1"
local resource_id="$2"
local target_status="$3"
local timeout="${4:-$WAIT_TIMEOUT}"
local elapsed=0
local interval=30
echo "Waiting for $resource_type '$resource_id' to reach '$target_status'..."
while true; do
local current_status=""
if [ "$resource_type" = "cluster" ]; then
current_status=$(aws docdb describe-db-clusters \
--db-cluster-identifier "$resource_id" \
--query "DBClusters[0].Status" --output text 2>&1)
elif [ "$resource_type" = "instance" ]; then
current_status=$(aws docdb describe-db-instances \
--db-instance-identifier "$resource_id" \
--query "DBInstances[0].DBInstanceStatus" --output text 2>&1)
fi
if echo "$current_status" | grep -iq "error"; then
echo "ERROR checking status: $current_status"
return 1
fi
echo " Status: $current_status ($elapsed/${timeout}s)"
if [ "$current_status" = "$target_status" ]; then
echo " $resource_type '$resource_id' is now '$target_status'."
return 0
fi
if [ "$elapsed" -ge "$timeout" ]; then
echo "ERROR: Timed out after ${timeout}s waiting for $resource_type '$resource_id'."
return 1
fi
sleep "$interval"
elapsed=$((elapsed + interval))
done
}
###############################################################################
# Wait for deletion
###############################################################################
wait_for_deletion() {
local resource_type="$1"
local resource_id="$2"
local timeout="${3:-$WAIT_TIMEOUT}"
local elapsed=0
local interval=30
echo "Waiting for $resource_type '$resource_id' to be deleted..."
while true; do
local result=""
if [ "$resource_type" = "cluster" ]; then
result=$(aws docdb describe-db-clusters \
--db-cluster-identifier "$resource_id" \
--query "DBClusters[0].Status" --output text 2>&1) || true
elif [ "$resource_type" = "instance" ]; then
result=$(aws docdb describe-db-instances \
--db-instance-identifier "$resource_id" \
--query "DBInstances[0].DBInstanceStatus" --output text 2>&1) || true
fi
if echo "$result" | grep -iq "DBClusterNotFoundFault\|DBInstanceNotFound\|not found"; then
echo " $resource_type '$resource_id' deleted."
return 0
fi
echo " Still deleting... ($elapsed/${timeout}s)"
if [ "$elapsed" -ge "$timeout" ]; then
echo "WARNING: Timed out waiting for $resource_type '$resource_id' deletion."
return 1
fi
sleep "$interval"
elapsed=$((elapsed + interval))
done
}
###############################################################################
# Cleanup
###############################################################################
cleanup_resources() {
echo ""
echo "Cleaning up resources..."
echo ""
# Revoke security group ingress rule
if [ -n "${SG_ID:-}" ] && [ -n "${MY_IP:-}" ]; then
echo "Revoking security group ingress rule..."
aws ec2 revoke-security-group-ingress \
--group-id "$SG_ID" \
--protocol tcp \
--port "$DOCDB_PORT" \
--cidr "${MY_IP}/32" 2>&1 || echo "WARNING: Failed to revoke SG ingress rule."
fi
# Delete instance (must be deleted before cluster)
if printf '%s\n' "${CREATED_RESOURCES[@]}" | grep -q "instance:"; then
echo "Deleting instance '${INSTANCE_ID}'..."
aws docdb delete-db-instance \
--db-instance-identifier "$INSTANCE_ID" 2>&1 || echo "WARNING: Failed to delete instance."
wait_for_deletion "instance" "$INSTANCE_ID" || true
fi
# Delete cluster (skip final snapshot)
if printf '%s\n' "${CREATED_RESOURCES[@]}" | grep -q "cluster:"; then
echo "Deleting cluster '${CLUSTER_ID}'..."
aws docdb delete-db-cluster \
--db-cluster-identifier "$CLUSTER_ID" \
--skip-final-snapshot 2>&1 || echo "WARNING: Failed to delete cluster."
wait_for_deletion "cluster" "$CLUSTER_ID" || true
fi
# Delete subnet group (must wait for cluster deletion)
if printf '%s\n' "${CREATED_RESOURCES[@]}" | grep -q "subnet-group:"; then
echo "Deleting subnet group '${SUBNET_GROUP_NAME}'..."
aws docdb delete-db-subnet-group \
--db-subnet-group-name "$SUBNET_GROUP_NAME" 2>&1 || echo "WARNING: Failed to delete subnet group."
fi
# Delete secret
if printf '%s\n' "${CREATED_RESOURCES[@]}" | grep -q "secret:"; then
echo "Deleting secret '${SECRET_NAME}'..."
aws secretsmanager delete-secret \
--secret-id "$SECRET_NAME" \
--force-delete-without-recovery 2>&1 || echo "WARNING: Failed to delete secret."
fi
echo ""
echo "Cleanup complete."
}
###############################################################################
# Step 1: Generate password and store in Secrets Manager
###############################################################################
echo "==========================================="
echo "Step 1: Create master password in Secrets Manager"
echo "==========================================="
echo ""
# Generate a safe password (no / @ " or spaces)
MASTER_PASSWORD=$(cat /dev/urandom | tr -dc 'A-Za-z0-9!#$%^&*()_+=-' | fold -w 20 | head -n 1)
SECRET_OUTPUT=$(aws secretsmanager create-secret \
--name "$SECRET_NAME" \
--description "DocumentDB master password for ${CLUSTER_ID}" \
--secret-string "$MASTER_PASSWORD" \
--output text --query "ARN" 2>&1)
if echo "$SECRET_OUTPUT" | grep -iq "error"; then
echo "ERROR creating secret: $SECRET_OUTPUT"
exit 1
fi
SECRET_ARN="$SECRET_OUTPUT"
CREATED_RESOURCES+=("secret:${SECRET_NAME}")
echo "Secret created: $SECRET_NAME"
echo "Secret ARN: $SECRET_ARN"
echo ""
###############################################################################
# Step 2: Find default VPC and subnets
###############################################################################
echo "==========================================="
echo "Step 2: Find default VPC and subnets"
echo "==========================================="
echo ""
VPC_ID=$(aws ec2 describe-vpcs \
--filters "Name=isDefault,Values=true" \
--query "Vpcs[0].VpcId" --output text 2>&1)
if echo "$VPC_ID" | grep -iq "error"; then
echo "ERROR finding default VPC: $VPC_ID"
exit 1
fi
if [ "$VPC_ID" = "None" ] || [ -z "$VPC_ID" ]; then
echo "ERROR: No default VPC found. Create one with 'aws ec2 create-default-vpc'."
exit 1
fi
echo "Default VPC: $VPC_ID"
# Get subnets in at least 2 different AZs (space-separated)
SUBNET_INFO=$(aws ec2 describe-subnets \
--filters "Name=vpc-id,Values=${VPC_ID}" "Name=default-for-az,Values=true" \
--query "Subnets[*].[SubnetId,AvailabilityZone]" --output text 2>&1)
if echo "$SUBNET_INFO" | grep -iq "error"; then
echo "ERROR finding subnets: $SUBNET_INFO"
exit 1
fi
# Collect unique AZs and their subnet IDs
declare -A AZ_SUBNETS
while IFS=$'\t' read -r sid az; do
if [ -z "${AZ_SUBNETS[$az]+x}" ]; then
AZ_SUBNETS[$az]="$sid"
fi
done <<< "$SUBNET_INFO"
AZ_COUNT=${#AZ_SUBNETS[@]}
if [ "$AZ_COUNT" -lt 2 ]; then
echo "ERROR: DocumentDB requires subnets in at least 2 AZs. Found $AZ_COUNT."
exit 1
fi
# Build space-separated subnet ID list
SUBNET_IDS=""
for az in "${!AZ_SUBNETS[@]}"; do
if [ -n "$SUBNET_IDS" ]; then
SUBNET_IDS="${SUBNET_IDS} ${AZ_SUBNETS[$az]}"
else
SUBNET_IDS="${AZ_SUBNETS[$az]}"
fi
done
echo "Subnets (${AZ_COUNT} AZs): $SUBNET_IDS"
echo ""
###############################################################################
# Step 3: Create subnet group
###############################################################################
echo "==========================================="
echo "Step 3: Create DocumentDB subnet group"
echo "==========================================="
echo ""
SUBNET_GROUP_OUTPUT=$(aws docdb create-db-subnet-group \
--db-subnet-group-name "$SUBNET_GROUP_NAME" \
--db-subnet-group-description "Subnet group for DocumentDB getting started" \
--subnet-ids $SUBNET_IDS \
--query "DBSubnetGroup.DBSubnetGroupName" --output text 2>&1)
if echo "$SUBNET_GROUP_OUTPUT" | grep -iq "error"; then
echo "ERROR creating subnet group: $SUBNET_GROUP_OUTPUT"
exit 1
fi
CREATED_RESOURCES+=("subnet-group:${SUBNET_GROUP_NAME}")
echo "Subnet group created: $SUBNET_GROUP_NAME"
echo ""
###############################################################################
# Step 4: Create DocumentDB cluster
###############################################################################
echo "==========================================="
echo "Step 4: Create DocumentDB cluster"
echo "==========================================="
echo ""
CLUSTER_OUTPUT=$(aws docdb create-db-cluster \
--db-cluster-identifier "$CLUSTER_ID" \
--engine docdb \
--engine-version "$ENGINE_VERSION" \
--master-username "$MASTER_USER" \
--master-user-password "$MASTER_PASSWORD" \
--db-subnet-group-name "$SUBNET_GROUP_NAME" \
--storage-encrypted \
--no-deletion-protection \
--query "DBCluster.DBClusterIdentifier" --output text 2>&1)
if echo "$CLUSTER_OUTPUT" | grep -iq "error"; then
echo "ERROR creating cluster: $CLUSTER_OUTPUT"
exit 1
fi
CREATED_RESOURCES+=("cluster:${CLUSTER_ID}")
echo "Cluster created: $CLUSTER_ID"
echo ""
wait_for_status "cluster" "$CLUSTER_ID" "available"
echo ""
###############################################################################
# Step 5: Create DocumentDB instance
###############################################################################
echo "==========================================="
echo "Step 5: Create DocumentDB instance"
echo "==========================================="
echo ""
INSTANCE_OUTPUT=$(aws docdb create-db-instance \
--db-instance-identifier "$INSTANCE_ID" \
--db-instance-class "$INSTANCE_CLASS" \
--db-cluster-identifier "$CLUSTER_ID" \
--engine docdb \
--query "DBInstance.DBInstanceIdentifier" --output text 2>&1)
if echo "$INSTANCE_OUTPUT" | grep -iq "error"; then
echo "ERROR creating instance: $INSTANCE_OUTPUT"
exit 1
fi
CREATED_RESOURCES+=("instance:${INSTANCE_ID}")
echo "Instance created: $INSTANCE_ID"
echo ""
wait_for_status "instance" "$INSTANCE_ID" "available"
echo ""
###############################################################################
# Step 6: Get cluster endpoint and security group
###############################################################################
echo "==========================================="
echo "Step 6: Get cluster endpoint and security group"
echo "==========================================="
echo ""
CLUSTER_DETAILS=$(aws docdb describe-db-clusters \
--db-cluster-identifier "$CLUSTER_ID" \
--query "DBClusters[0].[Endpoint,VpcSecurityGroups[0].VpcSecurityGroupId]" \
--output text 2>&1)
if echo "$CLUSTER_DETAILS" | grep -iq "error"; then
echo "ERROR getting cluster details: $CLUSTER_DETAILS"
exit 1
fi
CLUSTER_ENDPOINT=$(echo "$CLUSTER_DETAILS" | awk '{print $1}')
SG_ID=$(echo "$CLUSTER_DETAILS" | awk '{print $2}')
echo "Cluster endpoint: $CLUSTER_ENDPOINT"
echo "Security group: $SG_ID"
echo ""
###############################################################################
# Step 7: Add security group ingress for port 27017 from user's IP
###############################################################################
echo "==========================================="
echo "Step 7: Add security group ingress rule"
echo "==========================================="
echo ""
# Get the user's public IP
MY_IP=$(curl -s https://checkip.amazonaws.com 2>&1)
if echo "$MY_IP" | grep -iq "error\|could not\|failed"; then
echo "ERROR: Could not determine public IP address."
exit 1
fi
# Trim whitespace
MY_IP=$(echo "$MY_IP" | tr -d '[:space:]')
echo "Your public IP: $MY_IP"
SG_RULE_OUTPUT=$(aws ec2 authorize-security-group-ingress \
--group-id "$SG_ID" \
--protocol tcp \
--port "$DOCDB_PORT" \
--cidr "${MY_IP}/32" 2>&1)
if echo "$SG_RULE_OUTPUT" | grep -iq "error"; then
# Ignore if rule already exists
if echo "$SG_RULE_OUTPUT" | grep -iq "Duplicate"; then
echo "Ingress rule already exists."
else
echo "ERROR adding ingress rule: $SG_RULE_OUTPUT"
exit 1
fi
else
echo "Ingress rule added: TCP ${DOCDB_PORT} from ${MY_IP}/32"
fi
CREATED_RESOURCES+=("sg-rule:${SG_ID}:${MY_IP}")
echo ""
###############################################################################
# Step 8: Download CA certificate
###############################################################################
echo "==========================================="
echo "Step 8: Download Amazon DocumentDB CA certificate"
echo "==========================================="
echo ""
CA_CERT_PATH="${TEMP_DIR}/global-bundle.pem"
curl -s -o "$CA_CERT_PATH" https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem 2>&1
if [ ! -s "$CA_CERT_PATH" ]; then
echo "WARNING: Failed to download CA certificate."
else
echo "CA certificate downloaded to: $CA_CERT_PATH"
fi
echo ""
###############################################################################
# Step 9: Display connection information
###############################################################################
echo "==========================================="
echo "CONNECTION INFORMATION"
echo "==========================================="
echo ""
echo "Cluster endpoint : $CLUSTER_ENDPOINT"
echo "Port : $DOCDB_PORT"
echo "Master username : $MASTER_USER"
echo "Secret name : $SECRET_NAME (contains password)"
echo "Security group : $SG_ID"
echo "CA certificate : $CA_CERT_PATH"
echo ""
echo "To connect with mongosh:"
echo " mongosh --tls --host ${CLUSTER_ENDPOINT} --tlsCAFile ${CA_CERT_PATH} \\"
echo " --retryWrites false --username ${MASTER_USER} --password \$(aws secretsmanager get-secret-value --secret-id ${SECRET_NAME} --query SecretString --output text)"
echo ""
###############################################################################
# Step 10: Cleanup
###############################################################################
echo ""
echo "==========================================="
echo "CLEANUP CONFIRMATION"
echo "==========================================="
echo ""
echo "Resources created:"
for r in "${CREATED_RESOURCES[@]}"; do
echo " - $r"
done
echo ""
echo "Do you want to clean up all created resources? (y/n): "
read -r CLEANUP_CHOICE
if [ "$CLEANUP_CHOICE" = "y" ] || [ "$CLEANUP_CHOICE" = "Y" ]; then
cleanup_resources
else
echo ""
echo "Resources were NOT deleted. To clean up manually, run:"
echo ""
echo " # Revoke security group ingress rule"
echo " aws ec2 revoke-security-group-ingress --group-id ${SG_ID} --protocol tcp --port ${DOCDB_PORT} --cidr ${MY_IP}/32"
echo ""
echo " # Delete instance (wait for it to finish before deleting cluster)"
echo " aws docdb delete-db-instance --db-instance-identifier ${INSTANCE_ID}"
echo " aws docdb wait db-instance-deleted --db-instance-identifier ${INSTANCE_ID}"
echo ""
echo " # Delete cluster"
echo " aws docdb delete-db-cluster --db-cluster-identifier ${CLUSTER_ID} --skip-final-snapshot"
echo ""
echo " # Delete subnet group (after cluster is deleted)"
echo " aws docdb delete-db-subnet-group --db-subnet-group-name ${SUBNET_GROUP_NAME}"
echo ""
echo " # Delete secret"
echo " aws secretsmanager delete-secret --secret-id ${SECRET_NAME} --force-delete-without-recovery"
echo ""
fi
rm -rf "$TEMP_DIR"
echo "Done."
```
+ For API details, see the following topics in *AWS CLI Command Reference*.
+ [AuthorizeSecurityGroupIngress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/AuthorizeSecurityGroupIngress)
+ [CreateDbCluster](https://docs.aws.amazon.com/goto/aws-cli/docdb-2014-10-31/CreateDbCluster)
+ [CreateDbInstance](https://docs.aws.amazon.com/goto/aws-cli/docdb-2014-10-31/CreateDbInstance)
+ [CreateDbSubnetGroup](https://docs.aws.amazon.com/goto/aws-cli/docdb-2014-10-31/CreateDbSubnetGroup)
+ [CreateDefaultVpc](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateDefaultVpc)
+ [CreateSecret](https://docs.aws.amazon.com/goto/aws-cli/secretsmanager-2017-10-17/CreateSecret)
+ [DeleteDbCluster](https://docs.aws.amazon.com/goto/aws-cli/docdb-2014-10-31/DeleteDbCluster)
+ [DeleteDbInstance](https://docs.aws.amazon.com/goto/aws-cli/docdb-2014-10-31/DeleteDbInstance)
+ [DeleteDbSubnetGroup](https://docs.aws.amazon.com/goto/aws-cli/docdb-2014-10-31/DeleteDbSubnetGroup)
+ [DeleteSecret](https://docs.aws.amazon.com/goto/aws-cli/secretsmanager-2017-10-17/DeleteSecret)
+ [DescribeDbClusters](https://docs.aws.amazon.com/goto/aws-cli/docdb-2014-10-31/DescribeDbClusters)
+ [DescribeDbInstances](https://docs.aws.amazon.com/goto/aws-cli/docdb-2014-10-31/DescribeDbInstances)
+ [DescribeSubnets](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeSubnets)
+ [DescribeVpcs](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeVpcs)
+ [GetSecretValue](https://docs.aws.amazon.com/goto/aws-cli/secretsmanager-2017-10-17/GetSecretValue)
+ [RevokeSecurityGroupIngress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/RevokeSecurityGroupIngress)
+ [Wait](https://docs.aws.amazon.com/goto/aws-cli/docdb-2014-10-31/Wait)
### Moving hardcoded secrets to Secrets Manager
The following code example shows how to:
+ Create IAM roles
+ Create a secret in Secrets Manager
+ Update your application code
+ Update the secret
+ Clean up resources
**AWS CLI with Bash script**
There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/073-aws-secrets-manager-gs) repository.
```
#!/bin/bash
# Script to move hardcoded secrets to AWS Secrets Manager
# This script demonstrates how to create IAM roles, store a secret in AWS Secrets Manager,
# and set up appropriate permissions
# Set up logging
LOG_FILE="secrets_manager_tutorial.log"
exec > >(tee -a "$LOG_FILE") 2>&1
echo "Starting AWS Secrets Manager tutorial script at $(date)"
echo "======================================================"
# Function to check for errors in command output
check_error() {
local output=$1
local cmd=$2
if echo "$output" | grep -i "error" > /dev/null; then
echo "ERROR: Command failed: $cmd"
echo "$output"
cleanup_resources
exit 1
fi
}
# Function to generate a random identifier
generate_random_id() {
echo "sm$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 8 | head -n 1)"
}
# Function to clean up resources
cleanup_resources() {
echo ""
echo "==========================================="
echo "RESOURCES CREATED"
echo "==========================================="
if [ -n "$SECRET_NAME" ]; then
echo "Secret: $SECRET_NAME"
fi
if [ -n "$RUNTIME_ROLE_NAME" ]; then
echo "IAM Role: $RUNTIME_ROLE_NAME"
fi
if [ -n "$ADMIN_ROLE_NAME" ]; then
echo "IAM Role: $ADMIN_ROLE_NAME"
fi
echo ""
echo "==========================================="
echo "CLEANUP CONFIRMATION"
echo "==========================================="
echo "Do you want to clean up all created resources? (y/n): "
read -r CLEANUP_CHOICE
if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then
echo "Cleaning up resources..."
# Delete secret if it exists
if [ -n "$SECRET_NAME" ]; then
echo "Deleting secret: $SECRET_NAME"
aws secretsmanager delete-secret --secret-id "$SECRET_NAME" --force-delete-without-recovery
fi
# Detach policies and delete runtime role if it exists
if [ -n "$RUNTIME_ROLE_NAME" ]; then
echo "Deleting IAM role: $RUNTIME_ROLE_NAME"
aws iam delete-role --role-name "$RUNTIME_ROLE_NAME"
fi
# Detach policies and delete admin role if it exists
if [ -n "$ADMIN_ROLE_NAME" ]; then
echo "Detaching policy from role: $ADMIN_ROLE_NAME"
aws iam detach-role-policy --role-name "$ADMIN_ROLE_NAME" --policy-arn "arn:aws:iam::aws:policy/SecretsManagerReadWrite"
echo "Deleting IAM role: $ADMIN_ROLE_NAME"
aws iam delete-role --role-name "$ADMIN_ROLE_NAME"
fi
echo "Cleanup completed."
else
echo "Resources will not be deleted."
fi
}
# Trap to ensure cleanup on script exit
trap 'echo "Script interrupted. Running cleanup..."; cleanup_resources' INT TERM
# Generate random identifiers for resources
ADMIN_ROLE_NAME="SecretsManagerAdmin-$(generate_random_id)"
RUNTIME_ROLE_NAME="RoleToRetrieveSecretAtRuntime-$(generate_random_id)"
SECRET_NAME="MyAPIKey-$(generate_random_id)"
echo "Using the following resource names:"
echo "Admin Role: $ADMIN_ROLE_NAME"
echo "Runtime Role: $RUNTIME_ROLE_NAME"
echo "Secret Name: $SECRET_NAME"
echo ""
# Step 1: Create IAM roles
echo "Creating IAM roles..."
# Create the SecretsManagerAdmin role
echo "Creating admin role: $ADMIN_ROLE_NAME"
ADMIN_ROLE_OUTPUT=$(aws iam create-role \
--role-name "$ADMIN_ROLE_NAME" \
--assume-role-policy-document '{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}')
check_error "$ADMIN_ROLE_OUTPUT" "create-role for admin"
echo "$ADMIN_ROLE_OUTPUT"
# Attach the SecretsManagerReadWrite policy to the admin role
echo "Attaching SecretsManagerReadWrite policy to admin role"
ATTACH_POLICY_OUTPUT=$(aws iam attach-role-policy \
--role-name "$ADMIN_ROLE_NAME" \
--policy-arn "arn:aws:iam::aws:policy/SecretsManagerReadWrite")
check_error "$ATTACH_POLICY_OUTPUT" "attach-role-policy for admin"
echo "$ATTACH_POLICY_OUTPUT"
# Create the RoleToRetrieveSecretAtRuntime role
echo "Creating runtime role: $RUNTIME_ROLE_NAME"
RUNTIME_ROLE_OUTPUT=$(aws iam create-role \
--role-name "$RUNTIME_ROLE_NAME" \
--assume-role-policy-document '{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}')
check_error "$RUNTIME_ROLE_OUTPUT" "create-role for runtime"
echo "$RUNTIME_ROLE_OUTPUT"
# Wait for roles to be fully created
echo "Waiting for IAM roles to be fully created..."
sleep 10
# Step 2: Create a secret in AWS Secrets Manager
echo "Creating secret in AWS Secrets Manager..."
CREATE_SECRET_OUTPUT=$(aws secretsmanager create-secret \
--name "$SECRET_NAME" \
--description "API key for my application" \
--secret-string '{"ClientID":"my_client_id","ClientSecret":"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}')
check_error "$CREATE_SECRET_OUTPUT" "create-secret"
echo "$CREATE_SECRET_OUTPUT"
# Get AWS account ID
echo "Getting AWS account ID..."
ACCOUNT_ID_OUTPUT=$(aws sts get-caller-identity --query "Account" --output text)
check_error "$ACCOUNT_ID_OUTPUT" "get-caller-identity"
ACCOUNT_ID=$ACCOUNT_ID_OUTPUT
echo "Account ID: $ACCOUNT_ID"
# Add resource policy to the secret
echo "Adding resource policy to secret..."
RESOURCE_POLICY=$(cat <