If you install Secrets Manager Client, your applications can use the secrets that are managed in Secrets Manager. This way, you do not need to hard-code secrets in application code. This topic describes how to install and use Secrets Manager Client.

Features

Secrets Manager Client encapsulates business logic, best practices, and design patterns based on Secrets Manager API. This way, you can easily integrate the capabilities of Secrets Manager into business systems. Secrets Manager Client provides the following features:
  • Allows you to integrate the capabilities of Secrets Manager into applications. You can use a single line of code to read secret information.
  • Allows you to cache and refresh secrets in applications.
  • Encapsulates a retry mechanism that is based on API errors to handle reported errors.
  • Uses a plug-in design that allows you to customize features such as the cache and error retry.

Sample code of Alibaba Cloud SDK for Java

For more information about how to install Secrets Manager Client and the source code of Secrets Manager Client, visit Open source code repository of Secrets Manager Client for Java.

  1. Install Secrets Manager Client by using Maven.
    <dependency>
        <groupId>com.aliyun</groupId>
        <artifactId>alibabacloud-secretsmanager-client</artifactId>
        <version>x.x.x</version>
    </dependency>
    Note: Make sure that the version of Secrets Manager Client is 1.3.2 or later.
  2. You can configure the parameters for Secrets Manager Client in the configuration file secretsmanager.properties.
    The configuration file secretsmanager.properties contains the parameters for Secrets Manager JDBC. The required configuration item is cache_client_dkms_config_info. The configuration item cache_client_dkms_config_info is a JSON array. You can configure multiple Key Management Service (KMS) instances to provide high availability and disaster recovery capabilities. The following table describes the elements in the array.
    Element | Description
    regionId | The region where the KMS instance resides.
    endpoint | The virtual private cloud (VPC) address of the KMS instance.
    clientKeyFile | The absolute or relative path to the client key file in the JSON format.
    passwordFromFilePath or passwordFromEnvVariable |
      • passwordFromFilePath: The password of the client key file is obtained from a file. The value is a string. The string indicates the absolute or relative path to a file that contains the password of the client key file.
      • passwordFromEnvVariable: The password of the client key file is obtained from an environment variable. The value is a string. The string indicates the name of an environment variable that contains the password of the client key file.
    ignoreSslCerts | Specifies whether to ignore the SSL certificate. Valid values:
      • true: yes
      • false: no
    caFilePath | The absolute or relative path to the certificate authority (CA) certificate file of the KMS instance.
    • Method 1: Obtain the password of the client key file from a file. The following sample code shows the content of the configuration file secretsmanager.properties:
      cache_client_dkms_config_info=[{"regionId":"<your dkms region>","endpoint":"<your dkms endpoint>","passwordFromFilePath":"< your password file path >","clientKeyFile":"<your client key file path>","ignoreSslCerts":false,"caFilePath":"<your CA certificate file path>"}]
    • Method 2: Obtain the password of the client key file from an environment variable. The following sample code shows the content of the configuration file secretsmanager.properties:
      cache_client_dkms_config_info=[{"regionId":"<your dkms region>","endpoint":"<your dkms endpoint>","passwordFromEnvVariable":"<your_password_env_variable>","clientKeyFile":"<your client key file path>","ignoreSslCerts":false,"caFilePath":"<your CA certificate file path>"}]
      Note: You must also specify the environment variable. The name of the environment variable is specified by passwordFromEnvVariable, and the value of the environment variable is the password of the client key file.
  3. Construct and use Secrets Manager Client.
    import com.aliyuncs.kms.secretsmanager.client.SecretCacheClient;
    import com.aliyuncs.kms.secretsmanager.client.SecretCacheClientBuilder;
    import com.aliyuncs.kms.secretsmanager.client.exception.CacheSecretException;
    import com.aliyuncs.kms.secretsmanager.client.model.SecretInfo;
    
    public class CacheClientEnvironmentSample {
    
        public static void main(String[] args) {
            try {
                // Construct Secrets Manager Client.
                SecretCacheClient client = SecretCacheClientBuilder.newClient();
                // Use Secrets Manager Client to obtain the secret information.
                SecretInfo secretInfo = client.getSecretInfo("#secretName#");
                System.out.println(secretInfo);
            } catch (CacheSecretException e) {
                e.printStackTrace();
            }
        }
    }

Sample code of Alibaba Cloud SDK for Python

For more information about how to install Secrets Manager Client and the source code of Secrets Manager Client, visit Open source code repository of Secrets Manager Client for Python.

  1. Run the pip command to install Secrets Manager Client.
    pip install aliyun-secret-manager-client
  2. You can configure the parameters for Secrets Manager Client in the configuration file secretsmanager.properties.
    The configuration file secretsmanager.properties contains the parameters for Secrets Manager JDBC. The required configuration item is cache_client_dkms_config_info. The configuration item cache_client_dkms_config_info is a JSON array. You can configure multiple Key Management Service (KMS) instances to provide high availability and disaster recovery capabilities. The following table describes the elements in the array.
    Element | Description
    regionId | The region where the KMS instance resides.
    endpoint | The virtual private cloud (VPC) address of the KMS instance.
    clientKeyFile | The absolute or relative path to the client key file in the JSON format.
    passwordFromFilePath or passwordFromEnvVariable |
      • passwordFromFilePath: The password of the client key file is obtained from a file. The value is a string. The string indicates the absolute or relative path to a file that contains the password of the client key file.
      • passwordFromEnvVariable: The password of the client key file is obtained from an environment variable. The value is a string. The string indicates the name of an environment variable that contains the password of the client key file.
    ignoreSslCerts | Specifies whether to ignore the SSL certificate. Valid values:
      • true: yes
      • false: no
    caFilePath | The absolute or relative path to the certificate authority (CA) certificate file of the KMS instance.
    • Method 1: Obtain the password of the client key file from a file. The following sample code shows the content of the configuration file secretsmanager.properties:
      cache_client_dkms_config_info=[{"regionId":"<your dkms region>","endpoint":"<your dkms endpoint>","passwordFromFilePath":"< your password file path >","clientKeyFile":"<your client key file path>","ignoreSslCerts":false,"caFilePath":"<your CA certificate file path>"}]
    • Method 2: Obtain the password of the client key file from an environment variable. The following sample code shows the content of the configuration file secretsmanager.properties:
      cache_client_dkms_config_info=[{"regionId":"<your dkms region>","endpoint":"<your dkms endpoint>","passwordFromEnvVariable":"<your_password_env_variable>","clientKeyFile":"<your client key file path>","ignoreSslCerts":false,"caFilePath":"<your CA certificate file path>"}]
      Note: You must also specify the environment variable. The name of the environment variable is specified by passwordFromEnvVariable, and the value of the environment variable is the password of the client key file.
  3. Construct and use Secrets Manager Client.
    from alibaba_cloud_secretsmanager_client.secret_manager_cache_client_builder import SecretManagerCacheClientBuilder
    
    if __name__ == '__main__':
        # Construct Secrets Manager Client.
        secret_cache_client = SecretManagerCacheClientBuilder.new_client()
        # Use Secrets Manager Client to obtain the secret information.
        secret_info = secret_cache_client.get_secret_info("#secretName#")
        print(secret_info.__dict__)
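
The following pre-deployment check of secretsmanager.properties is an added example, not code from the original page or from the Secrets Manager Client project. It parses cache_client_dkms_config_info and reports weak entries; the rules (exactly one password source, a CA file whenever certificates are verified, a password file that only its owner can access) and the sample values are assumptions of this example.

```python
import json
import os
import stat

KEY = "cache_client_dkms_config_info"
# Constructed sample: instance 0 follows Method 2; instance 1 is deliberately weak.
SAMPLE = ('cache_client_dkms_config_info=[{"regionId":"region-a","endpoint":"kms-a.example.internal",'
          '"passwordFromEnvVariable":"CLIENT_KEY_PASSWORD","clientKeyFile":"./clientKey.json",'
          '"ignoreSslCerts":false,"caFilePath":"./ca.pem"},{"regionId":"region-b",'
          '"endpoint":"kms-b.example.internal","clientKeyFile":"./clientKey.json","ignoreSslCerts":true}]')

def load_instances(text):
    """Return the KMS instance entries of the required item (assumed to sit on one line)."""
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and name.strip() == KEY:
            entries = json.loads(value)
            if not isinstance(entries, list):
                raise ValueError(KEY + " must be a JSON array")
            return entries
    raise ValueError("required item " + KEY + " is missing")

def audit(text, environ=os.environ):
    """Return one finding per problem. The rules are this example's policy, not SDK behaviour."""
    findings = []
    for i, inst in enumerate(load_instances(text)):
        where = "instance[%d]: " % i
        for field in ("regionId", "endpoint", "clientKeyFile"):
            if not inst.get(field):
                findings.append(where + "missing " + field)
        # TLS: verification must stay on, and a CA file should back it.
        if inst.get("ignoreSslCerts") is True:
            findings.append(where + "ignoreSslCerts is true, server certificate is not verified")
        elif not inst.get("caFilePath"):
            findings.append(where + "caFilePath is not set")
        # Client key password: exactly one source, and that source must be usable.
        from_file = inst.get("passwordFromFilePath")
        from_env = inst.get("passwordFromEnvVariable")
        if bool(from_file) == bool(from_env):
            findings.append(where + "set exactly one of passwordFromFilePath, passwordFromEnvVariable")
        elif from_env and not environ.get(from_env):
            findings.append(where + "environment variable " + from_env + " is unset or empty")
        elif from_file and not os.path.isfile(from_file):
            findings.append(where + "password file not found: " + from_file)
        elif from_file and stat.S_IMODE(os.stat(from_file).st_mode) & 0o077:
            findings.append(where + "password file is accessible to group or others")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, {"CLIENT_KEY_PASSWORD": "constructed"})))
```

Run it against the real file in a deployment pipeline and fail the build when audit() returns any finding. The file-mode check is meaningful on POSIX systems only.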

Sample code of Alibaba Cloud SDK for Go

For more information about how to install Secrets Manager Client and the source code of Secrets Manager Client, visit Open source code repository of Secrets Manager Client for Go.

  1. Run the go get command to use Secrets Manager Client in your project.
    go get -u github.com/aliyun/aliyun-secretsmanager-client-go
  2. You can configure the parameters for Secrets Manager Client in the configuration file secretsmanager.properties.
    The configuration file secretsmanager.properties contains the parameters for Secrets Manager JDBC. The required configuration item is cache_client_dkms_config_info. The configuration item cache_client_dkms_config_info is a JSON array. You can configure multiple Key Management Service (KMS) instances to provide high availability and disaster recovery capabilities. The following table describes the elements in the array.
    Element | Description
    regionId | The region where the KMS instance resides.
    endpoint | The virtual private cloud (VPC) address of the KMS instance.
    clientKeyFile | The absolute or relative path to the client key file in the JSON format.
    passwordFromFilePath or passwordFromEnvVariable |
      • passwordFromFilePath: The password of the client key file is obtained from a file. The value is a string. The string indicates the absolute or relative path to a file that contains the password of the client key file.
      • passwordFromEnvVariable: The password of the client key file is obtained from an environment variable. The value is a string. The string indicates the name of an environment variable that contains the password of the client key file.
    ignoreSslCerts | Specifies whether to ignore the SSL certificate. Valid values:
      • true: yes
      • false: no
    caFilePath | The absolute or relative path to the certificate authority (CA) certificate file of the KMS instance.
    • Method 1: Obtain the password of the client key file from a file. The following sample code shows the content of the configuration file secretsmanager.properties:
      cache_client_dkms_config_info=[{"regionId":"<your dkms region>","endpoint":"<your dkms endpoint>","passwordFromFilePath":"< your password file path >","clientKeyFile":"<your client key file path>","ignoreSslCerts":false,"caFilePath":"<your CA certificate file path>"}]
    • Method 2: Obtain the password of the client key file from an environment variable. The following sample code shows the content of the configuration file secretsmanager.properties:
      cache_client_dkms_config_info=[{"regionId":"<your dkms region>","endpoint":"<your dkms endpoint>","passwordFromEnvVariable":"<your_password_env_variable>","clientKeyFile":"<your client key file path>","ignoreSslCerts":false,"caFilePath":"<your CA certificate file path>"}]
      Note: You must also specify the environment variable. The name of the environment variable is specified by passwordFromEnvVariable, and the value of the environment variable is the password of the client key file.
  3. Construct and use Secrets Manager Client.
    package main
    
    import (
        "fmt"
        "github.com/aliyun/aliyun-secretsmanager-client-go/sdk"
    )

    func main() {
        // Construct Secrets Manager Client.
        client, err := sdk.NewClient()
        if err != nil {
            // Handle exceptions
            panic(err)
        }
        // Use Secrets Manager Client to obtain the secret information.
        secretInfo, err := client.GetSecretInfo("#secretName#")
        if err != nil {
            // Handle exceptions
            panic(err)
        }
        fmt.Printf("SecretValue:%s\n", secretInfo.SecretValue)
    }