This library will help you to decouple your application of your secrets provider. It supports the following conectors to get secrets:
- AWS Secrets Manager Sync
- AWS Secrets Manager Async (Non blocking flows)
- AWS Parameter Store Sync
- AWS Parameter Store Async (Non blocking flows)
- File Secrets (E.g Kubernetes Secrets )
- Environment System Secrets (E.g Kubernetes Secrets )
SecretsManager compatibility
| Version | Spring Boot | AWS Bom | Java |
|---|---|---|---|
| 4.0.0 | 3.0.2 | 2.19.31 | 11+ |
| 3.2.0 | 2.7.6 | 2.18.39 | 8+ |
| 3.1.1 | 2.6.7 | 2.17.184 | 8+ |
dependencies {
implementation 'com.github.bancolombia:aws-secrets-manager-sync:<version-here>'
}import co.com.bancolombia.secretsmanager.api.GenericManager;
import co.com.bancolombia.secretsmanager.connector.AWSSecretManagerConnector;
String REGION_SECRET = "us-east-1";
String NAME_SECRET = "secretName";
GenericManager connector = new AWSSecretManagerConnector(REGION_SECRET);
try {
DefineYourModel secret = connector.getSecret(NAME_SECRET, DefineYourModel.class);
...
} catch(Exception e) {
...
}Remind you have to define your model with the fields you will need. You can find a default AWSSecretDBModel model, it includes default fields to connect a RDS database.
To convert JSON to a POJO, it uses Gson. If you need use field with custom names, you have to create your model like:
package co.com.bancolombia...;
import com.google.gson.annotations.SerializedName;
public class DefineYourModel {
@SerializedName("aes_key")
private String aesKey;
@SerializedName("rsa_key")
private String rsaKey;
...
}dependencies {
// Reactor Core is required!
implementation group: 'io.projectreactor', name: 'reactor-core', version: '3.4.17'
// secrets-manager-async
implementation 'com.github.bancolombia:aws-secrets-manager-async:<version-here>'
}Define your configuration:
// Default Config
AWSSecretsManagerConfig config = AWSSecretsManagerConfig.builder().build();
// Customized config
AWSSecretsManagerConfig config = AWSSecretsManagerConfig.builder()
.region(Region.US_EAST_1) //define your region
.cacheSeconds(600) //define your cache time
.cacheSize(300) //define your cache size
.endpoint("http://localhost:4566") // Override the enpoint
.build();You can pass the following variables to AWSSecretsManagerConfig:
- region: AWS Region that you are using, "us-east-1" (North virginia) is the default value.
- cacheSeconds: During this time the secret requested to AWS Secrets Manager will be saved in memory. The next requests to the same secret will be resolved from the cache. The default value is 0 (no cache).
- cacheSize: The maximum amount of secrets you want to save in cache. The default value is 0.
- endpoint: The AWS endpoint is the default value but you can override it if you want to test locally with localStack or others tools.
Create the connector:
AWSSecretManagerConnectorAsync connector = new AWSSecretManagerConnectorAsync(config);Get the secret in String:
connector.getSecret("secretName")
.doOnNext(System.out::println);
// ... develop your async flowGet the secret deserialized:
connector.getSecret("pruebaLibreria", DefineYourModel.class)
.doOnNext(secret -> {
//... develop your async flow
})dependencies {
implementation 'com.github.bancolombia:aws-parameter-store-manager-sync:<version-here>'
}import co.com.bancolombia.secretsmanager.api.GenericManager;
import co.com.bancolombia.secretsmanager.connector.AWSParameterStoreConnector;
String REGION_PARAMETER = "us-east-1";
String NAME_PARAMETER = "parameterName";
GenericManager connector = new AWSParameterStoreConnector(REGION_PARAMETER);
try {
String parameter = connector.getSecret(NAME_PARAMETER);
...
} catch(SecretException e) {
...
}dependencies {
// Reactor Core is required!
implementation 'io.projectreactor:reactor-core:3.4.17'
// parameter-store-manager-async
implementation 'com.github.bancolombia:aws-parameter-store-manager-async:<version-here>'
}Define your configuration:
// Default Config
AWSParameterStoreConfig config = AWSParameterStoreConfig.builder().build();
// Customized config
AWSParameterStoreConfig config = AWSParameterStoreConfig.builder()
.region(Region.US_EAST_1) //define your region
.cacheSeconds(600) //define your cache time
.cacheSize(300) //define your cache size
.endpoint("http://localhost:4566") // Override the enpoint
.build();You can pass the following variables to AWSParameterStoreConfig:
- region: AWS Region that you are using, "us-east-1" (North virginia) is the default value.
- cacheSeconds: During this time the secret requested to AWS Secrets Manager will be saved in memory. The next requests to the same secret will be resolved from the cache. The default value is 0 (no cache).
- cacheSize: The maximum amount of secrets you want to save in cache. The default value is 0.
- endpoint: The AWS endpoint is the default value but you can override it if you want to test locally with localStack or others tools.
Create the connector:
AWSParameterStoreConnectorAsync connector = new AWSParameterStoreConnectorAsync(config);Get the secret in String:
connector.getSecret("parameterName")
.doOnNext(System.out::println);
// ... develop your async flowdependencies {
implementation 'com.github.bancolombia:env-secrets-manager:<version-here>'
}dependencies {
implementation 'com.github.bancolombia:file-secrets-manager:<version-here>'
}Great !!:
- Clone this repo
- Create a new feature branch
- Add new features or improvements
- Send us a Pull Request
- New connectors for other services.
- Vault
- Key Vault Azure
- Improve our tests
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent