

Amazon Redshift will no longer support the creation of new Python UDFs starting Patch 198. Existing Python UDFs will continue to function until June 30, 2026. For more information, see the [blog post](https://aws.amazon.com/blogs/big-data/amazon-redshift-python-user-defined-functions-will-reach-end-of-support-after-june-30-2026/).

# Managing Amazon Redshift admin passwords using AWS Secrets Manager
<a name="redshift-secrets-manager-integration"></a>

Amazon Redshift can integrate with AWS Secrets Manager to generate and manage your admin credentials inside an encrypted secret. With AWS Secrets Manager, you can replace your admin passwords with an API call to programmatically retrieve the secret when it’s needed. Using secrets instead of hard-coded credentials reduces the risk of those credentials being exposed or compromised. For more information about AWS Secrets Manager, see [What is AWS Secrets Manager?](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html) in the *AWS Secrets Manager User Guide*.

You can specify that Amazon Redshift manages your admin password using AWS Secrets Manager when you perform one of the following operations:
+ Create a provisioned cluster or serverless namespace
+ Edit, update, or modify the admin credentials of a provisioned cluster or serverless namespace
+ Restore a cluster or serverless namespace from a snapshot

When you specify that Amazon Redshift manages the admin password in AWS Secrets Manager, Amazon Redshift generates the password and stores it in Secrets Manager. You can access the secret directly in AWS Secrets Manager to retrieve the credentials for the admin user. Optionally, you can specify a customer managed key to encrypt the secret if you need to access the secret from another AWS account. You can also use the KMS key that AWS Secrets Manager provides.

Amazon Redshift manages the settings for the secret and rotates the secret every 30 days by default. You can manually rotate the secret at any time. If you delete a provisioned cluster or serverless namespace that manages a secret in AWS Secrets Manager, the secret and its associated metadata are also deleted.

To connect to a cluster or serverless namespace with secret-managed credentials, you can retrieve the secret from AWS Secrets Manager using the Secrets Manager console or the `GetSecretValue` Secrets Manager API call. For more information, see [Retrieve secrets from AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets.html) and [Connect to a SQL database with credentials in an AWS Secrets Manager secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_jdbc.html) in the *AWS Secrets Manager User Guide*.
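The following is an added example, not code from the AWS documentation. It retrieves a Redshift-managed admin secret with `GetSecretValue`, parses the JSON `SecretString` into connection parameters, and opens a connection with credentials fetched at call time so a rotated password is picked up on the next connect. It assumes `boto3` and the `redshift_connector` driver are installed and that the secret uses the `username`, `password`, `host`, `port` and `dbname` keys; the sample secret below is constructed.

```python
import json


def parse_redshift_secret(secret_string: str) -> dict:
    """Turn the SecretString JSON into keyword arguments for a DB connection.

    Only connection fields are returned; callers must not log the result,
    because it contains the password.
    """
    data = json.loads(secret_string)
    missing = [k for k in ("username", "password", "host", "dbname") if k not in data]
    if missing:
        raise ValueError(f"secret is missing required fields: {missing}")
    return {
        "host": data["host"],
        "port": int(data.get("port", 5439)),  # 5439 is Redshift's default port
        "database": data["dbname"],
        "user": data["username"],
        "password": data["password"],
    }


def fetch_secret_string(secret_arn: str, region: str) -> str:
    """secretsmanager:GetSecretValue on the ARN shown under Admin credentials ARN.
    Needs GetSecretValue (and kms:Decrypt when a customer managed key is used)."""
    import boto3  # imported here so parse_redshift_secret works without boto3
    client = boto3.client("secretsmanager", region_name=region)
    return client.get_secret_value(SecretId=secret_arn)["SecretString"]


def connect_with_secret(secret_arn: str, region: str):
    """Open a connection using credentials pulled from the secret at call time."""
    import redshift_connector  # assumed driver; any driver taking these args works
    params = parse_redshift_secret(fetch_secret_string(secret_arn, region))
    return redshift_connector.connect(**params)


# Constructed sample SecretString in the layout a Redshift secret uses.
SAMPLE_SECRET = json.dumps({
    "username": "admin", "password": "passw0rd", "engine": "redshift",
    "host": "examplecluster.abc123.us-east-1.redshift.amazonaws.com",
    "port": 5439, "dbname": "dev", "dbClusterIdentifier": "examplecluster",
})

if __name__ == "__main__":
    params = parse_redshift_secret(SAMPLE_SECRET)
    print({k: v for k, v in params.items() if k != "password"})
```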

## Permissions required for AWS Secrets Manager integration
<a name="redshift-secrets-manager-integration-permissions"></a>

Users must have the required permissions to perform operations related to AWS Secrets Manager integration. Create IAM policies that grant permissions to perform specific API operations on the specified resources they need. Then attach those policies to the IAM permission sets or roles that require those permissions. For more information, see [Identity and access management in Amazon Redshift](redshift-iam-authentication-access-control.md).

The user who specifies that Amazon Redshift manages the admin password in AWS Secrets Manager must have permissions to perform the following operations:
+ `secretsmanager:CreateSecret`
+ `secretsmanager:RotateSecret`
+ `secretsmanager:DescribeSecret`
+ `secretsmanager:UpdateSecret`
+ `secretsmanager:DeleteSecret`
+ `secretsmanager:GetRandomPassword`
+ `secretsmanager:TagResource`

If the user wants to pass a KMS key in the `MasterPasswordSecretKmsKeyId` parameter for provisioned clusters, or the `AdminPasswordSecretKmsKeyId` parameter for serverless namespaces, they also need the following permissions:
+ `kms:Decrypt`
+ `kms:GenerateDataKey`
+ `kms:CreateGrant`
+ `kms:RetireGrant`

## Admin password secret rotation
<a name="redshift-secrets-manager-integration-rotation"></a>

By default, Amazon Redshift automatically rotates your secret every 30 days to ensure your credentials don’t stay the same for prolonged periods. When Amazon Redshift rotates an admin password secret, AWS Secrets Manager updates the existing secret to contain a new admin password. Amazon Redshift changes the admin password for the cluster to match the password in the updated secret.

You can rotate a secret immediately instead of waiting for a scheduled rotation by using AWS Secrets Manager. For more information on rotating secrets, see [Rotate AWS Secrets Manager secrets](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html) in the *AWS Secrets Manager User Guide*.

## Considerations for using AWS Secrets Manager with Amazon Redshift
<a name="redshift-secrets-manager-integration-considerations"></a>

When using AWS Secrets Manager to manage your provisioned cluster or serverless namespace’s admin credentials, consider the following:
+ When you pause a cluster whose admin credentials are managed by AWS Secrets Manager, your cluster's secret isn't deleted and you continue to be billed for the secret. Secrets are only deleted when you delete the cluster.
+ If your cluster is paused when Amazon Redshift attempts to rotate its attached secret, the rotation fails. In this case, Amazon Redshift stops auto-rotation and doesn’t try to rotate the secret again, even after you resume the cluster. You must restart the auto-rotation schedule using the `secretsmanager:RotateSecret` API call to continue having AWS Secrets Manager automatically rotate your secret.
+ If your serverless namespace doesn’t have a workgroup associated when Amazon Redshift attempts to rotate its attached secret, the rotation fails and Amazon Redshift doesn’t try to rotate the secret again, even after you attach a workgroup. You must restart the auto-rotation schedule using the `secretsmanager:RotateSecret` API call to continue having AWS Secrets Manager automatically rotate your secret.
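Because a failed rotation silently stops the schedule, it is worth checking secret rotation state rather than assuming the 30-day default is still in force. The following is an added example, not code from the AWS documentation: it classifies a `DescribeSecret` response and re-arms rotation with `RotateSecret` when needed. It assumes `boto3` is installed; the heuristic that a stopped schedule shows up as `RotationEnabled` false or a missing or past `NextRotationDate` is an assumption, and the sample responses are constructed.

```python
from datetime import datetime, timedelta, timezone

DEFAULT_ROTATION_DAYS = 30  # Amazon Redshift's default rotation interval


def rotation_status(describe: dict, now=None) -> str:
    """Classify a secretsmanager DescribeSecret response.

    Returns "ok", "rotation-disabled" (auto-rotation stopped, for example after a
    rotation attempt failed while the cluster was paused) or "overdue" (rotation
    still enabled but the last rotation is older than the configured interval).
    Assumption: a stopped schedule appears as RotationEnabled false or as a
    missing or past NextRotationDate.
    """
    now = now or datetime.now(timezone.utc)
    if not describe.get("RotationEnabled", False):
        return "rotation-disabled"
    rules = describe.get("RotationRules") or {}
    interval = rules.get("AutomaticallyAfterDays", DEFAULT_ROTATION_DAYS)
    last = describe.get("LastRotatedDate") or describe.get("CreatedDate")
    if last is not None and now - last > timedelta(days=interval):
        return "overdue"
    next_rotation = describe.get("NextRotationDate")
    if next_rotation is not None and next_rotation < now:
        return "overdue"
    return "ok"


def restart_rotation(secret_arn: str, region: str) -> str:
    """Re-arm auto-rotation with secretsmanager:RotateSecret (needs RotateSecret
    permission). Returns the ARN Secrets Manager reports back."""
    import boto3  # imported here so rotation_status works without boto3
    client = boto3.client("secretsmanager", region_name=region)
    return client.rotate_secret(SecretId=secret_arn)["ARN"]


# Constructed DescribeSecret responses for a healthy, a stopped and a stale secret.
NOW = datetime(2025, 1, 31, tzinfo=timezone.utc)
HEALTHY = {"RotationEnabled": True, "RotationRules": {"AutomaticallyAfterDays": 30},
           "LastRotatedDate": NOW - timedelta(days=10),
           "NextRotationDate": NOW + timedelta(days=20)}
STOPPED = {"RotationEnabled": False, "LastRotatedDate": NOW - timedelta(days=10)}
STALE = {"RotationEnabled": True, "RotationRules": {"AutomaticallyAfterDays": 30},
         "LastRotatedDate": NOW - timedelta(days=45)}

if __name__ == "__main__":
    for name, resp in (("healthy", HEALTHY), ("stopped", STOPPED), ("stale", STALE)):
        print(name, rotation_status(resp, NOW))
```

Run the check on each Redshift-managed secret after pausing and resuming clusters, and call `restart_rotation` only for secrets reported as `rotation-disabled`.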

# Retrieving the Amazon Resource Name (ARN) of the secret in Amazon Redshift
<a name="redshift-secrets-manager-integration-retrieving-secret"></a>

You can view the Amazon Resource Name (ARN) for any secrets being managed by AWS Secrets Manager using the Amazon Redshift console. Once you have the secret’s ARN, you can view details about your secret and the encrypted data in your secret using AWS Secrets Manager. For more information on retrieving secrets using the ARN, see [Retrieve secrets](https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets.html) in the *AWS Secrets Manager User Guide*. 

**Viewing the details about a secret for an Amazon Redshift provisioned cluster**  
View the Amazon Resource Name (ARN) for your cluster's secret using the Amazon Redshift console with the following procedure:  

1. Sign in to the AWS Management Console and open the Amazon Redshift console. 

1. In the **Cluster overview** pane, choose the cluster whose secret you want to view. 

1. Choose the **Properties** tab.

1. View the secret's ARN under **Admin credentials ARN**. This ARN is the identifier for the secret, which you can use in AWS Secrets Manager to view the secret's details. 

**Viewing the details about a secret for an Amazon Redshift Serverless namespace**  
View the Amazon Resource Name (ARN) for your serverless namespace's secret using the Amazon Redshift console with the following procedure:  

1. Sign in to the AWS Management Console and open the Amazon Redshift console. 

1. From the **Provisioned clusters** dashboard, choose **Go to Serverless** in the upper right of the page.

1. From the **Serverless dashboard**, scroll to the **Namespaces / Workgroups** pane and choose the namespace whose secret you want to view.

1. In the **General information** pane, view the secret's ARN under **Admin credentials ARN**. This ARN is the identifier for the secret, which you can use in AWS Secrets Manager to view the secret's details. 

# Creating a secret for database connection credentials
<a name="redshift-secrets-manager-integration-create"></a>

You can create a Secrets Manager secret to store credentials used to connect to an Amazon Redshift provisioned cluster or Redshift Serverless namespace and workgroup. You can also use this secret when scheduling a query in Amazon Redshift query editor v2.

**To create a secret for a database in an Amazon Redshift provisioned cluster using the Secrets Manager console**

1. Open the Secrets Manager console ([https://console.aws.amazon.com/secretsmanager/](https://console.aws.amazon.com/secretsmanager/)).

1. Navigate to the list of **Secrets** and choose **Store a new secret**.

1. Choose **Credentials for Amazon Redshift data warehouse**. Enter your information in the steps to create a secret as follows:
   + In **Credentials** for **User name**, enter the name of the administrative user of the data warehouse.
   + In **Credentials** for **Password**, enter the password for the **User name**.
   + For **Encryption key**, choose your encryption key.
   + For **Data warehouse**, choose the Amazon Redshift provisioned cluster that contains your data.
   + For **Secret name**, enter a name for the secret.
   + For **Description**, enter a description of the secret.
   + For **Tags**, enter a **Tag key** with the word **Redshift**. This tag key is needed to list secrets when you attempt to connect to your data warehouse using Amazon Redshift query editor v2. The secret must have a tag key that starts with the string **Redshift** for the secret to be listed under AWS Secrets Manager on the management console.

1. Continue entering information about your secret through several steps until you **Store** your changes on the **Review** step.

   The specific values of your credentials, engine, host, port, and cluster identifier are stored in the secret. Also, the secret is tagged with the tag key `Redshift`.

**To create a secret for a database in a Redshift Serverless namespace using the Redshift Serverless console**

1. Sign in to the AWS Management Console and open the Amazon Redshift console at [https://console.aws.amazon.com/redshiftv2/](https://console.aws.amazon.com/redshiftv2/).

1. Choose **Redshift serverless** and navigate to **Namespace configuration**.

1. Choose a namespace for which to create secret credentials.

1. Open **Actions**, **Edit admin credentials**.

1. For **Admin password**, choose **Manage admin credentials in AWS Secrets Manager**.

1. Choose **Save changes** to save your changes.

Confirm that a message appears that the password successfully changed. You can also view the secret in the Secrets Manager console. You can use this secret to connect to a database in a workgroup in the Redshift Serverless console and Amazon Redshift query editor v2, using the AWS Secrets Manager connection method. The secret must have a tag key that starts with the string **Redshift** for it to be listed in the query editor v2 web application and under AWS Secrets Manager on the management console.

**To create a secret for a database in a Redshift Serverless namespace using the Secrets Manager console**

1. Open the Secrets Manager console ([https://console.aws.amazon.com/secretsmanager/](https://console.aws.amazon.com/secretsmanager/)).

1. Navigate to the list of **Secrets** and choose **Store a new secret**.

1. Choose **Credentials for Amazon Redshift data warehouse**. Enter your information in the steps to create a secret as follows:
   + In **Credentials** for **User name**, enter the name of the administrative user of the data warehouse.
   + In **Credentials** for **Password**, enter the password for the **User name**.
   + For **Encryption key**, choose your encryption key.
   + For **Data warehouse**, choose the Redshift Serverless namespace that contains your data.
   + For **Secret name**, enter a name for the secret.
   + For **Description**, enter a description of the secret.
   + For **Tags**, enter a **Tag key** with the word **Redshift**. This tag key is needed to list secrets when you attempt to connect to your data warehouse using Amazon Redshift query editor v2. The secret must have a tag key that starts with the string **Redshift** for the secret to be listed under AWS Secrets Manager on the management console.

1. Continue entering information about your secret through several steps until you **Store** your changes on the **Review** step.

   The specific values of your credentials, database name, host, port, namespace, and engine are stored in the secret. Also, the secret is tagged with the tag key `Redshift`.

**To create a secret for a database in a Redshift Serverless namespace using the AWS CLI**

You can use the AWS CLI to create a secret. One method is to use AWS CloudShell to run the Secrets Manager AWS CLI command as follows. You must have the proper permissions to run the AWS CLI commands shown in the following procedure.

1. On the AWS console, open the AWS CloudShell command prompt. For more information about AWS CloudShell, see [What is AWS CloudShell](https://docs.aws.amazon.com/cloudshell/latest/userguide/welcome.html) in the *AWS CloudShell User Guide*.

1. For example, to store a secret named `MyTestSecret` that is used to connect to a database or schedule an Amazon Redshift query editor v2 query, enter the following Secrets Manager command. Replace the following values in the command with values for your environment:
   + *admin* is the administrator user name for the data warehouse.
   + *passw0rd* is the password of the administrator.
   + *dev* is the initial database name in the data warehouse.
   + *region* is the AWS Region that contains the data warehouse. For example `us-east-1`.
   + *123456789012* is the AWS account.
   + *namespace-id* is the namespace identifier similar to `c3928f0e-c889-4d2b-97a5-5738324d5d3e`. You can find this identifier on the Amazon Redshift console details page for the serverless namespace.

   ```
   aws secretsmanager create-secret \
   --name MyTestSecret \
   --description "My test secret created with the CLI." \
   --secret-string "{\"username\":\"admin\",\"password\":\"passw0rd\",\"dbname\":\"dev\",\"engine\":\"redshift\"}" \
   --tags "[{\"Key\":\"redshift-serverless:namespaceArn\",\"Value\":\"arn:aws:redshift-serverless:region:123456789012:namespace/namespace-id\"}]"
   ```