Secrets Manager JDBC - Key Management Service - Alibaba Cloud Documentation Center

Secrets Manager JDBC encapsulates business logic, best practices, and design patterns based on dynamic ApsaraDB RDS secrets provided by Secrets Manager. Secrets Manager JDBC allows you to integrate Secrets Manager with your business systems. Secrets Manager JDBC allows you to use dynamic ApsaraDB RDS secrets in database applications. This eliminates the need to hard code the passwords of database accounts.

Features

Provides common Java Database Connectivity (JDBC) drivers and simple database connections.
Connects to databases by using c3p0 or Database Connection Pools (DBCPs).
Allows you to obtain dynamic ApsaraDB RDS secrets by using different access methods. For example, you can use AccessKey pairs, Security Token Service (STS), or RAM roles of Elastic Compute Service (ECS) instances to obtain dynamic ApsaraDB RDS secrets.
Allows you to customize rotation intervals for secrets.

Limits

Only dynamic ApsaraDB RDS secrets are supported. We recommend that you use dynamic ApsaraDB RDS secrets in Manage Dual Account mode. For more information about how to create a dynamic ApsaraDB RDS secret, see Create a dynamic ApsaraDB RDS secret.
Only Java 1.8 or later is supported.
Only the ApsaraDB RDS instances that run MySQL, SQL Server, PostgreSQL, or MariaDB TX are supported.

Install Secrets Manager JDBC

Secrets Manager JDBC is developed in Java. For more information about how to install Secrets Manager JDBC, visit aliyun-secretsmanager-jdbc.

You can install Secrets Manager JDBC by adding the following Maven dependency:

<dependency>
    <groupId>com.aliyun</groupId>
    <artifactId>aliyun-secretsmanager-jdbc</artifactId>
    <version>x.x.x</version>
</dependency>

Note For more information about the versions of Secrets Manager JDBC, visit aliyun-secretsmanager-jdbc release.

Configure an access method

When Secrets Manager JDBC starts, it checks the secretsmanager.properties file for the access method. The following examples show how to configure different access methods:

Access Secrets Manager by using the client key of an application access point

This method is recommended. For more information about how to create a client key, see Bind a client key to the application access point.

Note Secrets Manager JDBC 1.0.7 and later versions support the use of the client key of an application access point to access Secrets Manager.

## Specify the access method. 
credentials_type=client_key
## Read the decryption password of the client key. You can read the password from an environment variable or file. 
client_key_password_from_env_variable=#your client key private key password environment variable name#
client_key_password_from_file_path=#your client key private key password file path#
## Read the private key file of the client key. 
client_key_private_key_path=#your client key private key file path#
## Specify the region of Key Management Service (KMS). 
cache_client_region_id=[{"regionId":"#regionId#"}]

Access Secrets Manager by using the AccessKey pair

## Specify the access method. 
credentials_type=ak
## Specify the AccessKey ID. 
credentials_access_key_id=#credentials_access_key_id#
## Specify the AccessKey secret. 
credentials_access_secret=#credentials_access_secret#
## Specify the region of KMS. 
cache_client_region_id=[{"regionId":"#regionId#"}]
## Customize the rotation interval. Default value: 21600000. Minimum value: 300000. Unit: milliseconds. The default value is equivalent to 6 hours, and the minimum value is equivalent to 5 minutes. 
refresh_secret_ttl=21600000

Note For more information about how to obtain an AccessKey pair, see Obtain an AccessKey pair.

Access Secrets Manager by using STS

## Specify the access method. 
credentials_type=sts
## Specify the AccessKey ID. 
credentials_access_key_id=#credentials_access_key_id#
## Specify the AccessKey secret. 
credentials_access_secret=#credentials_access_secret#
## Specify the name of the session in which dynamic ApsaraDB RDS secrets are obtained. 
credentials_role_session_name=#credentials_role_session_name#
## Specify the Alibaba Cloud Resource Name (ARN) of the RAM role. 
credentials_role_arn=#credentials_role_arn#
## Specify the policy that is used to obtain dynamic ApsaraDB RDS secrets. 
credentials_policy=#credentials_policy#
## Specify the region of KMS. 
cache_client_region_id=[{"regionId":"#regionId#"}]
## Customize the rotation interval. Default value: 21600000. Minimum value: 300000. Unit: milliseconds. The default value is equivalent to 6 hours, and the minimum value is equivalent to 5 minutes. 
refresh_secret_ttl=21600000

Note For more information about how to obtain an AccessKey pair, see Obtain an AccessKey pair.

Access Secrets Manager by using the RAM role of an ECS instance

## Specify the access method. 
credentials_type=ecs_ram_role
## Specify the name of the RAM role. 
credentials_role_name=#credentials_role_name#
## Specify the region of KMS. 
cache_client_region_id=[{"regionId":"#regionId#"}]
## Customize the rotation interval. Default value: 21600000. Minimum value: 300000. Unit: milliseconds. The default value is equivalent to 6 hours, and the minimum value is equivalent to 5 minutes. 
refresh_secret_ttl=21600000

Note For more information about how to create a RAM role and assign the RAM role to an ECS instance, see Access KMS from an ECS instance in a secure manner.

Sample codes

Access a database by using JDBC

The following sample code provides an example on how to access an ApsaraDB RDS for MySQL instance by using JDBC:

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

public class SecretManagerJDBCSample {

    public static void main(String[] args) throws Exception {
        Class.forName("com.aliyun.kms.secretsmanager.MysqlSecretsManagerSimpleDriver");
        Connection connect = null;
        try {
            connect = DriverManager.getConnection("secrets-manager:mysql://<your-mysql-ip>:<your-mysql-port>/<your-database-name>", "#your-mysql-secret-name#","");
        } catch(SQLException e) {
            e.printStackTrace();
        }
    }
}

Access a database by using a c3p0 connection pool

The following sample code provides an example of the c3p0.properties configuration file:

c3p0.user=#your-mysql-secret-name#
c3p0.driverClass=com.aliyun.kms.secretsmanager.MysqlSecretsManagerSimpleDriver
c3p0.jdbcUrl=secrets-manager:mysql://<your-mysql-ip>:<your-mysql-port>/<your-database-name>

Access a database by using an open source framework

The following sample code provides an example of the Spring configuration file:

<bean id="dataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource" >
      <property name="driverClass" value="com.aliyun.kms.secretsmanager.MysqlSecretsManagerSimpleDriver" />
      <property name="user" value="#your-mysql-secret-name#" />
      <property name="jdbcUrl" value="secrets-manager:mysql://<your-mysql-ip>:<your-mysql-port>/<your-database-name>" />
      <property name="maxPoolSize" value="500" />
      <property name="minPoolSize" value="5" />
      <property name="initialPoolSize" value="20" />
  </bean>
  <bean id="jdbcTemplate" class="org.springframework.jdbc.core.JdbcTemplate" >
      <property name="dataSource" ref="dataSource" />
  </bean>