diff --git a/packages/aws-cdk-lib/aws-rds/lib/cluster.ts b/packages/aws-cdk-lib/aws-rds/lib/cluster.ts index 4f831a78aea79..25f452db06d80 100644 --- a/packages/aws-cdk-lib/aws-rds/lib/cluster.ts +++ b/packages/aws-cdk-lib/aws-rds/lib/cluster.ts @@ -1099,6 +1099,20 @@ export class DatabaseCluster extends DatabaseClusterNew { constructor(scope: Construct, id: string, props: DatabaseClusterProps) { super(scope, id, props); + if ( + props.manageMasterUserPassword && + ( + props.credentials?.excludeCharacters || + props.credentials?.password || + props.credentials?.replicaRegions || + props.credentials?.secret || + props.credentials?.secretName || + props.credentials?.usernameAsString + ) + ) { + throw new Error('Only the `username` and `encryptionKey` credentials properties may be used when `manageMasterUserPassword` is true'); + } + let cluster: CfnDBCluster; if (!props.manageMasterUserPassword) { const credentials = renderCredentials(this, props.engine, props.credentials);