Secrets Manager Client encapsulates business logic, best practices, and design patterns based on the Secrets Manager API. This allows you to easily integrate the capabilities of Secrets Manager into business systems. Secrets Manager Client allows you to dynamically use the secrets that are managed in Secrets Manager. This way, you no longer need to hard code sensitive data.

Features

Secrets Manager Client provides the following features:

  • Allows you to integrate the capabilities of Secrets Manager into applications. You can use a single line of code to read secret information.
  • Allows you to cache and refresh secrets in applications.
  • Encapsulates the API error-based retry mechanism to intelligently handle server errors.
  • Provides a plug-in design mode to allow you to customize features such as extended cache and error retry.

Secrets Manager Client for Java

Install a client

Key Management Service (KMS) provides Secrets Manager Client for Java. For more information about the source code of the client, visit alibabacloud-secretsmanager-client-java.

You can install Secrets Manager Client for Java by adding the following Maven dependency:

<dependency>
    <groupId>com.aliyun</groupId>
    <artifactId>alibabacloud-secretsmanager-client</artifactId>
    <version>x.x.x</version>
</dependency>
Note For more information about the versions of Secrets Manager Client for Java, visit alibabacloud-secretsmanager-client release.

Sample code

  • Construct a client by using the secretsmanager.properties configuration file

    We recommend that you create a client key-based application access point (AAP) and use the client key to call Secrets Manager SDK for Java. For more information about how to create a client key, see Bind a client key to the application access point.

    Secrets Manager Client for Java 1.1.8 or a later version allows you to access Secrets Manager by using client key-based AAPs. In this case, you must prepare the following configuration file:

    ## Specify the access method. 
    credentials_type=client_key
    
    ## Read the decryption password of the client key. You can read the password from an environment variable or a file. 
    client_key_password_from_env_variable=#your client key private key password environment variable name#
    client_key_password_from_file_path=#your client key private key password file path#
    
    ## Obtain the private key file of the client key. 
    client_key_private_key_path=#your client key private key file path#
    
    ## Specify the region of KMS. 
    cache_client_region_id=[{"regionId":"#regionId#"}]

    Sample code:

    import com.aliyuncs.kms.secretsmanager.client.SecretCacheClient;
    import com.aliyuncs.kms.secretsmanager.client.SecretCacheClientBuilder;
    import com.aliyuncs.kms.secretsmanager.client.exception.CacheSecretException;
    import com.aliyuncs.kms.secretsmanager.client.model.SecretInfo;
    
    public class CacheClientEnvironmentSample {
    
        public static void main(String[] args) {
            try {
                SecretCacheClient client = SecretCacheClientBuilder.newClient();
                SecretInfo secretInfo = client.getSecretInfo("#secretName#");
                System.out.println(secretInfo);
            } catch (CacheSecretException e) {
                e.printStackTrace();
            }
        }
    }
  • Construct a client by using parameters such as the AccessKey ID, AccessKey secret, and region ID
    import com.aliyuncs.kms.secretsmanager.client.SecretCacheClient;
    import com.aliyuncs.kms.secretsmanager.client.SecretCacheClientBuilder;
    import com.aliyuncs.kms.secretsmanager.client.exception.CacheSecretException;
    import com.aliyuncs.kms.secretsmanager.client.model.SecretInfo;
    import com.aliyuncs.kms.secretsmanager.client.service.BaseSecretManagerClientBuilder;
    import com.aliyuncs.kms.secretsmanager.client.utils.CredentialsProviderUtils;
    
    public class CacheClientSimpleParametersSample {
    
        public static void main(String[] args) {
            try {
                SecretCacheClient client = SecretCacheClientBuilder.newCacheClientBuilder(
                        BaseSecretManagerClientBuilder.standard().withCredentialsProvider(CredentialsProviderUtils
                                .withAccessKey("#accessKeyId#", "#accessKeySecret#")).withRegion("#regionId#").build()).build();
                SecretInfo secretInfo = client.getSecretInfo("#secretName#");
                System.out.println(secretInfo);
            } catch (CacheSecretException e) {
                e.printStackTrace();
            }
        }
    }
  • Construct a client by using custom parameters
    import com.aliyuncs.kms.secretsmanager.client.SecretCacheClient;
    import com.aliyuncs.kms.secretsmanager.client.SecretCacheClientBuilder;
    import com.aliyuncs.kms.secretsmanager.client.cache.FileCacheSecretStoreStrategy;
    import com.aliyuncs.kms.secretsmanager.client.exception.CacheSecretException;
    import com.aliyuncs.kms.secretsmanager.client.model.SecretInfo;
    import com.aliyuncs.kms.secretsmanager.client.service.BaseSecretManagerClientBuilder;
    import com.aliyuncs.kms.secretsmanager.client.service.DefaultRefreshSecretStrategy;
    import com.aliyuncs.kms.secretsmanager.client.service.FullJitterBackoffStrategy;
    import com.aliyuncs.kms.secretsmanager.client.utils.CredentialsProviderUtils;
    
    public class CacheClientDetailParametersSample {
    
        public static void main(String[] args) {
            try {
                SecretCacheClient client = SecretCacheClientBuilder.newCacheClientBuilder(BaseSecretManagerClientBuilder.standard()
                        .withCredentialsProvider(CredentialsProviderUtils.withAccessKey("#accessKeyId#", "#accessKeySecret#"))
                        .withRegion("#regionId#")
                        .withBackoffStrategy(new FullJitterBackoffStrategy(3, 2000, 10000)).build())
                        .withCacheSecretStrategy(new FileCacheSecretStoreStrategy("#cacheSecretPath#", true, "#salt#"))
                        .withRefreshSecretStrategy(new DefaultRefreshSecretStrategy("#ttlName#"))
                        .withCacheStage("#stage#")
                        .withSecretTTL("#secretName#", 1 * 60 * 1000l)
                        .withSecretTTL("#secretName1#", 2 * 60 * 1000l).build();
                SecretInfo secretInfo = client.getSecretInfo("#secretName#");
                System.out.println(secretInfo);
            } catch (CacheSecretException e) {
                e.printStackTrace();
            }
        }
    }

Secrets Manager Client for Python

Install a client

KMS provides Secrets Manager Client for Python. For more information about the source code of the client, visit aliyun-secretsmanager-client-python.

You can run the following pip command to install Secrets Manager Client for Python in your project:

pip install aliyun-secret-manager-client
Note For more information about the versions of Secrets Manager Client for Python, visit aliyun-secretsmanager-client-python.

Sample code

  • Construct a client by using environment variables
    from alibaba_cloud_secretsmanager_client.secret_manager_cache_client_builder import SecretManagerCacheClientBuilder
    
    if __name__ == '__main__':
        secret_cache_client = SecretManagerCacheClientBuilder.new_client()
        secret_info = secret_cache_client.get_secret_info("#secretName#")
        print(secret_info.__dict__)
  • Construct a client by using parameters such as the AccessKey ID, AccessKey secret, and region ID
    from alibaba_cloud_secretsmanager_client.secret_manager_cache_client_builder import SecretManagerCacheClientBuilder
    from alibaba_cloud_secretsmanager_client.service.default_secret_manager_client_builder import DefaultSecretManagerClientBuilder
    
    if __name__ == '__main__':
        secret_cache_client = SecretManagerCacheClientBuilder.new_cache_client_builder(DefaultSecretManagerClientBuilder.standard() \
            .with_access_key("#accessKeyId#", "#accessKeySecret#") \
            .with_region("#regionId#").build()) \
        .build();
        secret_info = secret_cache_client.get_secret_info("#secretName#")
        print(secret_info.__dict__)
  • Construct a client by using custom parameters
    from alibaba_cloud_secretsmanager_client.secret_manager_cache_client_builder import SecretManagerCacheClientBuilder
    from alibaba_cloud_secretsmanager_client.cache.file_cache_secret_store_strategy import FileCacheSecretStoreStrategy
    from alibaba_cloud_secretsmanager_client.service.default_secret_manager_client_builder import DefaultSecretManagerClientBuilder
    from alibaba_cloud_secretsmanager_client.service.default_refresh_secret_strategy import DefaultRefreshSecretStrategy
    from alibaba_cloud_secretsmanager_client.service.full_jitter_back_off_strategy import FullJitterBackoffStrategy
    
    if __name__ == '__main__':
        secret_cache_client = SecretManagerCacheClientBuilder \
        .new_cache_client_builder(DefaultSecretManagerClientBuilder.standard().with_access_key("#accessKeyId#", "#accessKeySecret#") \
             .with_back_off_strategy(FullJitterBackoffStrategy(3, 2000, 10000)) \
             .with_region("#regionId#").build()) \
         .with_cache_secret_strategy(FileCacheSecretStoreStrategy("#cacheSecretPath#", True,"#salt#")) \
         .with_refresh_secret_strategy(DefaultRefreshSecretStrategy("#ttlName#")) \
         .with_cache_stage("#stage#") \
         .with_secret_ttl("#secretName#", 1 * 60 * 1000l) \
         .build()
        secret_info = secret_cache_client.get_secret_info("#secretName#")
        print(secret_info.__dict__)

Secrets Manager Client for Go

Install a client

KMS provides Secrets Manager Client for Go. For more information about the source code of the client, visit aliyun-secretsmanager-client-go.

You can run the following command to install Secrets Manager Client for Go in your project:

 go get -u github.com/aliyun/aliyun-secretsmanager-client-go
Note For more information about the versions of Secrets Manager Client for Go, visit aliyun-secretsmanager-client-go.

Sample code

  • Construct a client by using the secretsmanager.properties configuration file

    We recommend that you create a client key-based AAP and use the client key to call Secrets Manager SDK for Java. For more information about how to create a client key, see Bind a client key to the application access point.

    Secrets Manager Client for Go 1.0.1 or a later version allows you to access Secrets Manager by using client key-based AAPs. In this case, you must prepare the following configuration file:

    ## Specify the access method. 
    credentials_type=client_key
    
    ## Read the decryption password of the client key. You can read the password from an environment variable or a file. 
    client_key_password_from_env_variable=#your client key private key password environment variable name#
    client_key_password_from_file_path=#your client key private key password file path#
    
    ## Obtain the private key file of the client key. 
    client_key_private_key_path=#your client key private key file path#
    
    ## Specify the region of KMS. 
    cache_client_region_id=[{"regionId":"#regionId#"}]

    Sample code:

    package main
    
    import (
        "fmt"
        "github.com/aliyun/aliyun-secretsmanager-client-go/sdk"
    )
    
    func main() {
        client, err := sdk.NewClient()
        if err != nil {
            // Handle exceptions
            panic(err)
        }
        secretInfo, err := client.GetSecretInfo("#secretName#")
        if err != nil {
            // Handle exceptions
            panic(err)
        }
        fmt.Printf("SecretValue:%s\n",secretInfo.SecretValue)
    }
  • Construct a client by using parameters such as the AccessKey ID, AccessKey secret, and region ID
    package main
    
    import (
        "fmt"
        "github.com/aliyun/aliyun-secretsmanager-client-go/sdk/service"
        "github.com/aliyun/aliyun-secretsmanager-client-go/sdk"
    )
    
    func main() {
        client, err := sdk.NewSecretCacheClientBuilder(service.NewDefaultSecretManagerClientBuilder().Standard().WithAccessKey("#accessKeyId#", "#accessKeySecret#").WithRegion("#regionId#").Build()).Build()
        if err != nil {
            // Handle exceptions
            panic(err)
        }
        secretInfo, err := client.GetSecretInfo("#secretName#")
        if err != nil {
            // Handle exceptions
            panic(err)
        }
        fmt.Printf("SecretValue:%s\n",secretInfo.SecretValue)
    }
  • Construct a client by using custom parameters
    package main
    
    import (
        "fmt"
        "github.com/aliyun/aliyun-secretsmanager-client-go/sdk/service"
        "github.com/aliyun/aliyun-secretsmanager-client-go/sdk"
        "github.com/aliyun/aliyun-secretsmanager-client-go/sdk/cache"
    )
    
    func main() {
        client, err := sdk.NewSecretCacheClientBuilder(
            service.NewDefaultSecretManagerClientBuilder().Standard().WithAccessKey("#accessKeyId#", "#accessKeySecret#").WithRegion("#regionId#").WithBackoffStrategy(&service.FullJitterBackoffStrategy{RetryMaxAttempts: 3, RetryInitialIntervalMills: 2000, Capacity: 10000}).Build()).WithCacheSecretStrategy(cache.NewFileCacheSecretStoreStrategy("#cacheSecretPath#", true, "#salt#")).WithRefreshSecretStrategy(service.NewDefaultRefreshSecretStrategy("#jsonTTLPropertyName#")).WithCacheStage("ACSCurrent").WithSecretTTL("#secretName#", 1*60*1000).Build()
        if err != nil {
            // Handle exceptions
            panic(err)
        }
        secretInfo, err := client.GetSecretInfo("#secretName#")
        if err != nil {
            // Handle exceptions
            panic(err)
        }
        fmt.Printf("SecretValue:%s\n",secretInfo.SecretValue)
    }