You can connect an application to Secrets Manager in several ways. After the application is connected, it can use dynamic secrets.

Methods

The following table describes the methods that you can use to connect an application to Secrets Manager.

| Method | Description | Scenario |
| --- | --- | --- |
| KMS SDK | KMS SDKs allow you to construct HTTPS requests to make better use of the KMS API. | Obtain secret values at a less frequent rate. Create or delete secrets, or add new versions of secret values. |
| Secrets Manager Client | Secrets Manager Client allows you to configure the frequency at which Secrets Manager Client obtains secrets from Secrets Manager and refreshes the cache. | Obtain secret values on a client at regular intervals or at a frequent rate. Perform operations related to secret values. |
| Secrets Manager JDBC | Secrets Manager JDBC allows you to use secrets that are managed in Secrets Manager by establishing Java Database Connectivity (JDBC) connections. | Use dynamic ApsaraDB RDS secrets and Java programs to access databases. For more information, see Overview. |
| Managed secret plug-ins for Alibaba Cloud SDKs | Managed secret plug-ins for Alibaba Cloud SDKs allow you to use dynamic Resource Access Management (RAM) secrets to access Alibaba Cloud services in a more efficient manner. | Use dynamic RAM secrets to access Alibaba Cloud services. For more information, see Overview. |
| Secrets Manager Kubernetes plug-in | The Secrets Manager Kubernetes plug-in allows you to integrate Secrets Manager with your system in a quick and codeless manner. | Update configurations in a codeless manner at regular intervals. |

Use KMS SDKs

The following example shows how to use KMS SDK for Java with dynamic ApsaraDB RDS secrets in an application. The same method also works for other types of secrets.

  1. Obtain the dependency declaration of KMS SDK for Java.
    For more information about the required SDK versions, see SDK overview. Example:
      <dependency>
        <groupId>com.aliyun</groupId>
        <artifactId>aliyun-java-sdk-core</artifactId>
        <version>4.5.16</version>
      </dependency>
      <dependency>
        <groupId>com.aliyun</groupId>
        <artifactId>aliyun-java-sdk-kms</artifactId>
        <version>2.12.0</version>
      </dependency>
      <dependency>
        <groupId>com.alibaba</groupId>
        <artifactId>fastjson</artifactId>
        <version>1.2.9</version>
      </dependency>
      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-lang3</artifactId>
        <version>3.4</version>
      </dependency>
  2. Connect an application to Secrets Manager to obtain the username and password of the account that is used to connect to a database. Then, establish a connection to the database.
    Example:
    package com.aliyun.kms.samples;
    
    import com.alibaba.fastjson.JSON;
    import com.alibaba.fastjson.JSONObject;
    import com.aliyuncs.DefaultAcsClient;
    import com.aliyuncs.exceptions.ClientException;
    import com.aliyuncs.http.FormatType;
    import com.aliyuncs.http.MethodType;
    import com.aliyuncs.http.ProtocolType;
    import com.aliyuncs.kms.model.v20160120.GetSecretValueRequest;
    import com.aliyuncs.kms.model.v20160120.GetSecretValueResponse;
    import com.aliyuncs.profile.DefaultProfile;
    import com.aliyuncs.profile.IClientProfile;
    import org.apache.commons.lang3.tuple.Pair;
    
    import java.sql.Connection;
    import java.sql.DriverManager;
    import java.sql.SQLException;
    
    public class RdsSecretSampleCode {
    
        private static final String MYSQL_JDBC_DRIVER = "com.mysql.jdbc.Driver";
        private static final String MSSQL_JDBC_DRIVER = "com.microsoft.sqlserver.jdbc.SQLServerDriver";
    
        private static KmsClient kmsClient;
    
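        static {
            // Replace the placeholders with your region ID and AccessKey pair.
            // Load the AccessKey pair from the environment or a credential provider instead of committing it to source code.
            kmsClient = KmsClient.getKMSClient("<regionId>", "<accessKeyId>", "<accessKeySecret>");
        }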
    
        static class KmsClient {
            private DefaultAcsClient acsClient;
    
            private KmsClient(DefaultAcsClient acsClient) {
                this.acsClient = acsClient;
            }
    
            private static KmsClient getKMSClient(String regionId, String accessKeyId, String accessKeySecret) {
                IClientProfile profile = DefaultProfile.getProfile(regionId, accessKeyId, accessKeySecret);
                DefaultAcsClient client = new DefaultAcsClient(profile);
                return new KmsClient(client);
            }
        }
    
        // Open a connection to a database on an ApsaraDB RDS for MySQL instance by using the credentials stored in the secret.
        public static Connection getMySQLConnectionBySecret(String secretName, String jdbcUrl) throws ClassNotFoundException, SQLException, ClientException {
            Class.forName(MYSQL_JDBC_DRIVER);
            Pair<String, String> userAndPasswordPair = getUserAndPasswordPair(secretName);
            return DriverManager.getConnection(jdbcUrl, userAndPasswordPair.getKey(), userAndPasswordPair.getValue());
        }
    
        // Open a connection to a database on a Microsoft SQL Server instance by using the credentials stored in the secret.
        public static Connection getMSSQLConnectionBySecret(String secretName, String jdbcUrl) throws ClassNotFoundException, SQLException, ClientException {
            Class.forName(MSSQL_JDBC_DRIVER);
            Pair<String, String> userAndPasswordPair = getUserAndPasswordPair(secretName);
            return DriverManager.getConnection(jdbcUrl, userAndPasswordPair.getKey(), userAndPasswordPair.getValue());
        }
    
        // Obtain the username and password of the account that is used to connect to the database from the obtained secret. 
        private static Pair<String, String> getUserAndPasswordPair(String secretName) throws ClientException {
            final GetSecretValueRequest request = new GetSecretValueRequest();
            request.setProtocol(ProtocolType.HTTPS);
            request.setAcceptFormat(FormatType.JSON);
            request.setMethod(MethodType.POST);
            request.setSecretName(secretName);
            GetSecretValueResponse response = kmsClient.acsClient.getAcsResponse(request);
            JSONObject secretDataJSON = JSON.parseObject(response.getSecretData());
            return Pair.of(secretDataJSON.getString("AccountName"), secretDataJSON.getString("AccountPassword"));
        }
    }
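
The sample above calls GetSecretValue every time a connection is opened. The following added example, which is not part of the original sample or of any Alibaba Cloud SDK, shows one way to fetch a dynamic RDS secret at a less frequent rate and still pick up a rotated password. The class name `CachedSecretConnector`, the `Credentials` holder and the `fetcher` hook are hypothetical; `fetcher` is assumed to be a lambda that performs the GetSecretValue call shown above and rethrows `ClientException` as an unchecked exception.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.function.Function;

// Added example (hypothetical class): cache one dynamic RDS secret and refresh it on rotation.
public class CachedSecretConnector {

    // Holds the AccountName / AccountPassword values parsed from the secret data.
    public static final class Credentials {
        final String user;
        final String password;
        public Credentials(String user, String password) { this.user = user; this.password = password; }
    }

    private final String secretName;
    private final Function<String, Credentials> fetcher; // assumption: wraps the GetSecretValue call
    private final long ttlNanos;
    private Credentials cached;
    private long fetchedAt;

    public CachedSecretConnector(String secretName, Function<String, Credentials> fetcher, long ttlMillis) {
        this.secretName = secretName;
        this.fetcher = fetcher;
        this.ttlNanos = ttlMillis * 1_000_000L;
    }

    // Return cached credentials; call Secrets Manager only when they are missing, stale or a refresh is forced.
    private synchronized Credentials credentials(boolean forceRefresh) {
        long now = System.nanoTime();
        if (forceRefresh || cached == null || now - fetchedAt >= ttlNanos) {
            cached = fetcher.apply(secretName);
            fetchedAt = now;
        }
        return cached;
    }

    public Connection connect(String jdbcUrl) throws SQLException {
        Credentials c = credentials(false);
        try {
            return DriverManager.getConnection(jdbcUrl, c.user, c.password);
        } catch (SQLException e) {
            // SQLSTATE class 28 (invalid authorization) is how a stale, rotated password shows up.
            String state = e.getSQLState();
            if (state == null || !state.startsWith("28")) {
                throw e; // not a login failure: do not hide it behind a retry
            }
            c = credentials(true); // re-read the secret once and retry with the current value
            return DriverManager.getConnection(jdbcUrl, c.user, c.password);
        }
    }
}
```

MySQL reports SQLSTATE 28000 for a rejected login; check which SQLSTATE your driver returns for other database engines before relying on the class 28 test.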