Applications can use dynamic secrets by accessing Secrets Manager through any of several methods.

Methods

The following table describes the methods that can be used by applications to access Secrets Manager.

| Method | Description | Scenario |
| --- | --- | --- |
| KMS SDK | KMS SDKs allow you to construct HTTPS requests to make better use of the KMS API. | • Obtain secrets at a less frequent rate. • Create or delete secrets, or add new versions of secret values. |
| Secrets Manager Client | Secrets Manager Client allows you to configure the frequency at which Secrets Manager Client obtains secrets from Secrets Manager and refreshes the cache. | • Obtain secrets on a client at regular intervals or at a frequent rate. • Perform secret-related operations. |
| Secrets Manager JDBC | Secrets Manager JDBC allows you to use secrets managed in Secrets Manager by establishing Java Database Connectivity (JDBC) connections. | Use managed ApsaraDB RDS secrets and Java programs to access databases. |
| Managed secret plug-ins for Alibaba Cloud SDKs | Managed secret plug-ins for Alibaba Cloud SDKs allow you to use managed Resource Access Management (RAM) secrets to access Alibaba Cloud services in a more efficient manner. | Use managed RAM secrets to access Alibaba Cloud services. |
| Secrets Manager Kubernetes plug-in | The Secrets Manager Kubernetes plug-in allows you to integrate Secrets Manager with your system in a quick and codeless manner. | Update configurations in a codeless manner at regular intervals. |

Use KMS SDK

This example shows how to use KMS SDK for Java to retrieve a dynamic ApsaraDB RDS secret in an application. The same method also works for other types of secrets.

  1. Obtain the dependency declaration of KMS SDK for Java.
    For more information about the required SDK versions, see SDK overview. Example:
      <dependency>
        <groupId>com.aliyun</groupId>
        <artifactId>aliyun-java-sdk-core</artifactId>
        <version>4.5.16</version>
      </dependency>
      <dependency>
        <groupId>com.aliyun</groupId>
        <artifactId>aliyun-java-sdk-kms</artifactId>
        <version>2.12.0</version>
      </dependency>
      <dependency>
        <groupId>com.alibaba</groupId>
        <artifactId>fastjson</artifactId>
        <version>1.2.9</version>
      </dependency>
      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-lang3</artifactId>
        <version>3.4</version>
      </dependency>
  2. Connect an application to Secrets Manager to obtain the username and password of the account that is used to connect to a database. Then, establish a connection to the database.
    Example:
    package com.aliyun.kms.samples;
    
    import com.alibaba.fastjson.JSON;
    import com.alibaba.fastjson.JSONObject;
    import com.aliyuncs.DefaultAcsClient;
    import com.aliyuncs.exceptions.ClientException;
    import com.aliyuncs.http.FormatType;
    import com.aliyuncs.http.MethodType;
    import com.aliyuncs.http.ProtocolType;
    import com.aliyuncs.kms.model.v20160120.GetSecretValueRequest;
    import com.aliyuncs.kms.model.v20160120.GetSecretValueResponse;
    import com.aliyuncs.profile.DefaultProfile;
    import com.aliyuncs.profile.IClientProfile;
    import org.apache.commons.lang3.tuple.Pair;
    
    import java.sql.Connection;
    import java.sql.DriverManager;
    import java.sql.SQLException;
    
    public class RdsSecretSampleCode {
    
        private static final String MYSQL_JDBC_DRIVER = "com.mysql.jdbc.Driver";
        private static final String MSSQL_JDBC_DRIVER = "com.microsoft.sqlserver.jdbc.SQLServerDriver";
    
        private static KmsClient kmsClient;
    
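        static {
            // Replace the placeholders with your region ID and AccessKey pair.
            // Load the AccessKey pair from the runtime environment instead of committing it to source code.
            kmsClient = KmsClient.getKMSClient("<regionId>", "<accessKeyId>", "<accessKeySecret>");
        }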
    
        static class KmsClient {
            private DefaultAcsClient acsClient;
    
            private KmsClient(DefaultAcsClient acsClient) {
                this.acsClient = acsClient;
            }
    
            private static KmsClient getKMSClient(String regionId, String accessKeyId, String accessKeySecret) {
                IClientProfile profile = DefaultProfile.getProfile(regionId, accessKeyId, accessKeySecret);
                DefaultAcsClient client = new DefaultAcsClient(profile);
                return new KmsClient(client);
            }
        }
    
        // Establish a connection to a database on an ApsaraDB RDS for MySQL instance by using the obtained secret.
        public static Connection getMySQLConnectionBySecret(String secretName, String jdbcUrl) throws ClassNotFoundException, SQLException, ClientException {
            Class.forName(MYSQL_JDBC_DRIVER);
            Pair<String, String> userAndPasswordPair = getUserAndPasswordPair(secretName);
            return DriverManager.getConnection(jdbcUrl, userAndPasswordPair.getKey(), userAndPasswordPair.getValue());
        }
    
        // Establish a connection to a Microsoft SQL Server instance by using the obtained secret.
        public static Connection getMSSQLConnectionBySecret(String secretName, String jdbcUrl) throws ClassNotFoundException, SQLException, ClientException {
            Class.forName(MSSQL_JDBC_DRIVER);
            Pair<String, String> userAndPasswordPair = getUserAndPasswordPair(secretName);
            return DriverManager.getConnection(jdbcUrl, userAndPasswordPair.getKey(), userAndPasswordPair.getValue());
        }
    
        // Extract the username and password of the database account from the obtained secret.
        private static Pair<String, String> getUserAndPasswordPair(String secretName) throws ClientException {
            final GetSecretValueRequest request = new GetSecretValueRequest();
            request.setProtocol(ProtocolType.HTTPS);
            request.setAcceptFormat(FormatType.JSON);
            request.setMethod(MethodType.POST);
            request.setSecretName(secretName);
            GetSecretValueResponse response = kmsClient.acsClient.getAcsResponse(request);
            JSONObject secretDataJSON = JSON.parseObject(response.getSecretData());
            return Pair.of(secretDataJSON.getString("AccountName"), secretDataJSON.getString("AccountPassword"));
        }
    }
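
Because the value of a dynamic secret changes when it is rotated, credentials fetched once with the KMS SDK can go stale while the application is running. The following is an added example, not code from the original page or from the Alibaba Cloud SDK: it caches the retrieved credentials for a fixed interval and re-fetches them once when the database rejects them. `RotatingSecretCache`, `Credentials`, `DbAction` and the 5-minute interval are hypothetical; the fetcher stands in for `getUserAndPasswordPair`, and the code assumes the driver reports rejected credentials as SQLSTATE class 28 (MySQL uses 28000).

```java
import java.sql.SQLException;
import java.time.Duration;
import java.time.Instant;
import java.util.function.Supplier;

public class RotatingSecretCache {
    // Hypothetical holder for the two fields read from the secret value.
    record Credentials(String user, String password) {}
    // Hypothetical callback that opens a connection or runs a statement with the credentials.
    interface DbAction<T> { T run(Credentials c) throws SQLException; }

    private final Supplier<Credentials> fetcher; // stands in for a GetSecretValue call
    private final Duration ttl;
    private Credentials cached;
    private Instant fetchedAt = Instant.EPOCH;

    RotatingSecretCache(Supplier<Credentials> fetcher, Duration ttl) {
        this.fetcher = fetcher;
        this.ttl = ttl;
    }

    // Return the cached credentials, fetching again when forced, empty, or older than the TTL.
    private synchronized Credentials get(boolean forceRefresh) {
        if (forceRefresh || cached == null || Instant.now().isAfter(fetchedAt.plus(ttl))) {
            cached = fetcher.get();
            fetchedAt = Instant.now();
        }
        return cached;
    }

    // Run the action; on an authentication failure, refresh the secret once and retry.
    <T> T withCredentials(DbAction<T> action) throws SQLException {
        try {
            return action.run(get(false));
        } catch (SQLException e) {
            // Assumption: rejected credentials surface as SQLSTATE class 28 (MySQL uses 28000).
            if (e.getSQLState() == null || !e.getSQLState().startsWith("28")) throw e;
            return action.run(get(true));
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed stand-ins: the first fetch returns pw-v1, which the "server" no longer accepts.
        int[] fetches = {0};
        RotatingSecretCache cache = new RotatingSecretCache(
            () -> new Credentials("app_user", ++fetches[0] == 1 ? "pw-v1" : "pw-v2"), Duration.ofMinutes(5));
        String result = cache.withCredentials(c -> {
            if (!c.password().equals("pw-v2")) throw new SQLException("Access denied", "28000", 1045);
            return "connected as " + c.user();
        });
        System.out.println(result + " after " + fetches[0] + " fetches");
    }
}
```

The retry is limited to a single forced refresh, so a credential that is still rejected after re-fetching fails with the original kind of error instead of looping against Secrets Manager.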