
Key Management Service:Connect an application to Secrets Manager

Last Updated:Jun 15, 2023

You can connect an application to Secrets Manager by using one of several methods. After the application is connected, it can use dynamic secrets.

Methods

The following table describes the methods that you can use to connect an application to Secrets Manager.

Method: KMS SDK
Description: KMS SDK allows you to construct HTTPS requests to make better use of the KMS API.
Scenarios:
  • Query secret values at a less frequent rate.
  • Create or delete secrets, or add new versions of secret values.

Method: Secrets Manager Client
Description: Secrets Manager Client allows you to configure the frequency at which Secrets Manager Client obtains secrets from Secrets Manager and refreshes the cache.
Scenarios:
  • Query secret values on a client at regular intervals or at a frequent rate.
  • Perform operations related to secret values.

Method: Secrets Manager JDBC
Description: Secrets Manager JDBC allows you to use secrets that are managed in Secrets Manager by establishing Java Database Connectivity (JDBC) connections.
Scenario: Use dynamic ApsaraDB RDS secrets and Java programs to access databases. For more information, see Overview of Dynamic ApsaraDB RDS secrets.

Method: Managed secret plug-in for Alibaba Cloud SDKs
Description: The managed secret plug-in for Alibaba Cloud SDKs allows you to use dynamic Resource Access Management (RAM) secrets to access Alibaba Cloud services in a more efficient manner.
Scenario: Use dynamic RAM secrets to access Alibaba Cloud services. For more information, see Overview of Dynamic RAM secrets.

Method: Secrets Manager Kubernetes plug-in
Description: The Secrets Manager Kubernetes plug-in allows you to integrate Secrets Manager with your system in a quick and codeless manner.
Scenario: Update configurations in a codeless manner at regular intervals.

Use KMS SDK

The following example shows how to use KMS SDK for Java to consume dynamic ApsaraDB RDS secrets in an application. The same method also applies to other types of secrets.

  1. Obtain the dependency declaration of KMS SDK for Java.

    For more information about the required SDK versions, see SDK overview. Sample statements:

     <dependency>
       <groupId>com.aliyun</groupId>
       <artifactId>aliyun-java-sdk-core</artifactId>
       <version>4.5.16</version>
     </dependency>
     <dependency>
       <groupId>com.aliyun</groupId>
       <artifactId>aliyun-java-sdk-kms</artifactId>
       <version>2.12.0</version>
     </dependency>
     <dependency>
       <groupId>org.apache.commons</groupId>
       <artifactId>commons-lang3</artifactId>
       <version>3.4</version>
     </dependency>
  2. Connect an application to Secrets Manager to obtain the username and password of the account that is used to connect to a database. Then, establish a connection to the database.

    Note

    The AccessKey pair of an Alibaba Cloud account has permissions on all API operations. Using the AccessKey pair to perform operations is a high-risk operation. We recommend that you use a RAM user to call API operations or perform routine O&M. We recommend that you do not save the AccessKey ID and AccessKey secret in your project code. Otherwise, the AccessKey pair may be leaked and the security of all resources within your account may be compromised.

    In this example, the AccessKey pair is read from the ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variables to implement identity authentication. For more information about how to configure authentication information, see Credentials.

    Sample code:

    package com.aliyun.kms.samples;
    
    import java.util.Map;
    import com.google.gson.Gson;
    import com.aliyuncs.DefaultAcsClient;
    import com.aliyuncs.exceptions.ClientException;
    import com.aliyuncs.http.FormatType;
    import com.aliyuncs.http.MethodType;
    import com.aliyuncs.http.ProtocolType;
    import com.aliyuncs.kms.model.v20160120.GetSecretValueRequest;
    import com.aliyuncs.kms.model.v20160120.GetSecretValueResponse;
    import com.aliyuncs.profile.DefaultProfile;
    import com.aliyuncs.profile.IClientProfile;
    import org.apache.commons.lang3.tuple.Pair;
    
    import java.sql.Connection;
    import java.sql.DriverManager;
    import java.sql.SQLException;
    
    public class RdsSecretSampleCode {
    
        private static final String MYSQL_JDBC_DRIVER = "com.mysql.jdbc.Driver";
        private static final String MSSQL_JDBC_DRIVER = "com.microsoft.sqlserver.jdbc.SQLServerDriver";
    
        private static KmsClient kmsClient;
    
        static {
            kmsClient = KmsClient.getKMSClient("<regionId>", System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"), System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));
        }
    
        static class KmsClient {
            private DefaultAcsClient acsClient;
    
            private KmsClient(DefaultAcsClient acsClient) {
                this.acsClient = acsClient;
            }
    
            private static KmsClient getKMSClient(String regionId, String accessKeyId, String accessKeySecret) {
                IClientProfile profile = DefaultProfile.getProfile(regionId, accessKeyId, accessKeySecret);
                DefaultAcsClient client = new DefaultAcsClient(profile);
                return new KmsClient(client);
            }
        }
    
        // Open a JDBC connection to a database on an ApsaraDB RDS for MySQL instance, using the username and password stored in the secret.
        public static Connection getMySQLConnectionBySecret(String secretName, String jdbcUrl) throws ClassNotFoundException, SQLException, ClientException {
            Class.forName(MYSQL_JDBC_DRIVER);
            Pair<String, String> userAndPasswordPair = getUserAndPasswordPair(secretName);
            return DriverManager.getConnection(jdbcUrl, userAndPasswordPair.getKey(), userAndPasswordPair.getValue());
        }
    
        // Open a JDBC connection to a database on a Microsoft SQL Server instance, using the username and password stored in the secret.
        public static Connection getMSSQLConnectionBySecret(String secretName, String jdbcUrl) throws ClassNotFoundException, SQLException, ClientException {
            Class.forName(MSSQL_JDBC_DRIVER);
            Pair<String, String> userAndPasswordPair = getUserAndPasswordPair(secretName);
            return DriverManager.getConnection(jdbcUrl, userAndPasswordPair.getKey(), userAndPasswordPair.getValue());
        }
    
        // Call GetSecretValue over HTTPS and extract the database username and password from the secret value.
        // The secret value of a dynamic ApsaraDB RDS secret is a JSON object with the AccountName and AccountPassword fields.
        private static Pair<String, String> getUserAndPasswordPair(String secretName) throws ClientException {
            final GetSecretValueRequest request = new GetSecretValueRequest();
            request.setProtocol(ProtocolType.HTTPS);
            request.setAcceptFormat(FormatType.JSON);
            request.setMethod(MethodType.POST);
            request.setSecretName(secretName);
            GetSecretValueResponse response = kmsClient.acsClient.getAcsResponse(request);
            // Parse the JSON secret value into a map; only the two credential fields are used.
            Map<String,String> map = new Gson().fromJson(response.getSecretData(), Map.class);
            return Pair.of(map.get("AccountName"), map.get("AccountPassword"));
        }
    }
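The sample above fetches the secret on every connection attempt and does not show what happens after Secrets Manager rotates a dynamic ApsaraDB RDS secret: a cached password stops working and the database rejects the login. The following added example (not part of the Alibaba Cloud sample) caches the parsed credentials, validates that the secret value carries the AccountName and AccountPassword fields, and refreshes the secret and retries once when a login fails. SecretSource and Connector are hypothetical interfaces: in a real program SecretSource would wrap the getUserAndPasswordPair() call from the sample and Connector would call DriverManager.getConnection(); here both are backed by constructed in-memory stand-ins so the example runs with plain javac and no cloud access.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.atomic.AtomicInteger;

// Added example: cache dynamic RDS secret credentials and refresh them when a login fails after rotation.
public class RotatingCredentialsSample {

    // Username/password pair taken from the secret's JSON payload.
    static final class DbCredentials {
        final String accountName;
        final String accountPassword;
        DbCredentials(String accountName, String accountPassword) {
            this.accountName = accountName;
            this.accountPassword = accountPassword;
        }
    }

    // Thrown by the connector when the database rejects the login (the usual symptom after rotation).
    static final class AuthFailedException extends Exception {
        AuthFailedException(String message) { super(message); }
    }

    // Hypothetical: returns the secret value as the key/value map that the page's Gson parse produces.
    interface SecretSource {
        Map<String, String> fetchSecretData(String secretName) throws Exception;
    }

    // Hypothetical: opens a session with the given credentials or throws; stands in for JDBC.
    interface Connector<T> {
        T connect(DbCredentials credentials) throws AuthFailedException;
    }

    // Validate the two fields a dynamic RDS secret is expected to carry; fail loudly on a malformed payload.
    static DbCredentials fromSecretData(Map<String, String> secretData) {
        String user = secretData.get("AccountName");
        String password = secretData.get("AccountPassword");
        if (user == null || user.isEmpty() || password == null || password.isEmpty()) {
            throw new IllegalStateException("secret data lacks AccountName/AccountPassword");
        }
        return new DbCredentials(user, password);
    }

    private final SecretSource source;
    private final String secretName;
    private DbCredentials cached;

    RotatingCredentialsSample(SecretSource source, String secretName) {
        this.source = Objects.requireNonNull(source);
        this.secretName = Objects.requireNonNull(secretName);
    }

    // Return cached credentials; call Secrets Manager only on first use or after refresh().
    synchronized DbCredentials credentials() throws Exception {
        if (cached == null) {
            cached = fromSecretData(source.fetchSecretData(secretName));
        }
        return cached;
    }

    synchronized void refresh() throws Exception {
        cached = fromSecretData(source.fetchSecretData(secretName));
    }

    // Connect with the cached credentials; on a rejected login, re-read the secret and retry exactly once.
    <T> T connectWithRetry(Connector<T> connector) throws Exception {
        try {
            return connector.connect(credentials());
        } catch (AuthFailedException rejected) {
            refresh();
            return connector.connect(credentials());
        }
    }

    // Simulation with constructed data: an in-memory secret and a fake database whose password rotates mid-run.
    public static void main(String[] args) throws Exception {
        Map<String, String> secret = new HashMap<>();
        secret.put("AccountName", "app_user");       // constructed value
        secret.put("AccountPassword", "pw-v1");      // constructed value
        AtomicInteger fetches = new AtomicInteger();
        SecretSource source = name -> { fetches.incrementAndGet(); return new HashMap<>(secret); };

        String[] dbPassword = {"pw-v1"};
        Connector<String> db = c -> {
            if (!c.accountPassword.equals(dbPassword[0])) {
                throw new AuthFailedException("access denied for " + c.accountName);
            }
            return "session for " + c.accountName;
        };

        RotatingCredentialsSample creds = new RotatingCredentialsSample(source, "rds-secret");
        System.out.println(creds.connectWithRetry(db) + " (fetches=" + fetches + ")");

        // Secrets Manager rotates the secret and the database now expects the new password.
        secret.put("AccountPassword", "pw-v2");
        dbPassword[0] = "pw-v2";
        System.out.println(creds.connectWithRetry(db) + " (fetches=" + fetches + ")");
    }
}
```

The first connection fetches the secret once; after rotation the cached password is rejected, the secret is fetched a second time, and the retry succeeds. Limiting the retry to one attempt keeps a genuinely wrong secret from turning into a loop of GetSecretValue calls and failed logins, which is also the pattern to watch for in KMS and database audit logs.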