
Key Management Service: Secrets Manager Client

Last Updated: Jun 15, 2023

Secrets Manager Client wraps the Secrets Manager API operations and encapsulates the related business logic, best practices, and design patterns, so that you can easily integrate Secrets Manager into your business systems. With the client, applications read the secrets that are managed in Secrets Manager at run time, so you no longer need to hard-code sensitive data.

Features

Secrets Manager Client provides the following features:

  • Allows you to integrate the capabilities of Secrets Manager into applications. You can use a single line of code to read secret information.

  • Allows you to cache and refresh secrets in applications.

  • Encapsulates the API error-based retry mechanism to intelligently handle reported errors.

  • Provides a plug-in design mode to allow you to customize features such as extended cache and error retry.

Secrets Manager Client for Java

Install a client

Key Management Service (KMS) provides Secrets Manager Client for Java. For more information about the source code of the client, visit alibabacloud-secretsmanager-client-java.

You can install Secrets Manager Client for Java by adding the following Maven dependency:

<dependency>
    <groupId>com.aliyun</groupId>
    <artifactId>alibabacloud-secretsmanager-client</artifactId>
    <version>x.x.x</version>
</dependency>

Note

For more information about the versions of Secrets Manager Client for Java, visit alibabacloud-secretsmanager-client release.

Sample code

Note

The AccessKey pair of an Alibaba Cloud account has permissions on all API operations. Using the AccessKey pair to perform operations is a high-risk operation. We recommend that you use a RAM user to call API operations or perform routine O&M. We recommend that you do not save the AccessKey ID and AccessKey secret in your project code. Otherwise, the AccessKey pair may be leaked and the security of all resources within your account may be compromised.

In this example, the AccessKey pair is saved in ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variables to implement identity authentication. For more information about how to configure authentication information, see Credentials.

  • Construct a client by using the secretsmanager.properties configuration file

    We recommend that you create a client key-based application access point (AAP) and use the client key to call Secrets Manager SDK for Java. For more information about how to create a client key, see Bind a client key to the AAP.

    Secrets Manager Client for Java 1.1.8 or a later version allows you to access Secrets Manager by using client key-based AAPs. In this case, you must prepare the following configuration file:

    ## Specify the access method. 
    credentials_type=client_key
    
    ## Read the decryption password of the client key. You can read the password from an environment variable or a file. 
    client_key_password_from_env_variable=#your client key private key password environment variable name#
    client_key_password_from_file_path=#your client key private key password file path#
    
    ## Obtain the private key file of the client key. 
    client_key_private_key_path=#your client key private key file path#
    
    ## Specify the region of KMS. 
    cache_client_region_id=[{"regionId":"#regionId#"}]

    Sample code:

    import com.aliyuncs.kms.secretsmanager.client.SecretCacheClient;
    import com.aliyuncs.kms.secretsmanager.client.SecretCacheClientBuilder;
    import com.aliyuncs.kms.secretsmanager.client.exception.CacheSecretException;
    import com.aliyuncs.kms.secretsmanager.client.model.SecretInfo;
    
    public class CacheClientEnvironmentSample {
    
        public static void main(String[] args) {
            try {
                SecretCacheClient client = SecretCacheClientBuilder.newClient();
                SecretInfo secretInfo = client.getSecretInfo("#secretName#");
                System.out.println(secretInfo);
            } catch (CacheSecretException e) {
                e.printStackTrace();
            }
        }
    }

  • Construct a client by using parameters such as the AccessKey ID, AccessKey secret, and region ID

    import com.aliyuncs.kms.secretsmanager.client.SecretCacheClient;
    import com.aliyuncs.kms.secretsmanager.client.SecretCacheClientBuilder;
    import com.aliyuncs.kms.secretsmanager.client.exception.CacheSecretException;
    import com.aliyuncs.kms.secretsmanager.client.model.SecretInfo;
    import com.aliyuncs.kms.secretsmanager.client.service.BaseSecretManagerClientBuilder;
    import com.aliyuncs.kms.secretsmanager.client.utils.CredentialsProviderUtils;
    
    public class CacheClientSimpleParametersSample {
    
        public static void main(String[] args) {
            try {
                SecretCacheClient client = SecretCacheClientBuilder.newCacheClientBuilder(
                        BaseSecretManagerClientBuilder.standard().withCredentialsProvider(CredentialsProviderUtils
                                .withAccessKey(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"), System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"))).withRegion("#regionId#").build()).build();
                SecretInfo secretInfo = client.getSecretInfo("#secretName#");
                System.out.println(secretInfo);
            } catch (CacheSecretException e) {
                e.printStackTrace();
            }
        }
    }

  • Construct a client by using custom parameters

    import com.aliyuncs.kms.secretsmanager.client.SecretCacheClient;
    import com.aliyuncs.kms.secretsmanager.client.SecretCacheClientBuilder;
    import com.aliyuncs.kms.secretsmanager.client.cache.FileCacheSecretStoreStrategy;
    import com.aliyuncs.kms.secretsmanager.client.exception.CacheSecretException;
    import com.aliyuncs.kms.secretsmanager.client.model.SecretInfo;
    import com.aliyuncs.kms.secretsmanager.client.service.BaseSecretManagerClientBuilder;
    import com.aliyuncs.kms.secretsmanager.client.service.DefaultRefreshSecretStrategy;
    import com.aliyuncs.kms.secretsmanager.client.service.FullJitterBackoffStrategy;
    import com.aliyuncs.kms.secretsmanager.client.utils.CredentialsProviderUtils;
    
    public class CacheClientDetailParametersSample {
    
        public static void main(String[] args) {
            try {
                SecretCacheClient client = SecretCacheClientBuilder.newCacheClientBuilder(BaseSecretManagerClientBuilder.standard()
                        .withCredentialsProvider(CredentialsProviderUtils.withAccessKey(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"), System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET")))
                        .withRegion("#regionId#")
                        .withBackoffStrategy(new FullJitterBackoffStrategy(3, 2000, 10000)).build())
                        .withCacheSecretStrategy(new FileCacheSecretStoreStrategy("#cacheSecretPath#", true, "#salt#"))
                        .withRefreshSecretStrategy(new DefaultRefreshSecretStrategy("#ttlName#"))
                        .withCacheStage("#stage#")
                        .withSecretTTL("#secretName#", 1 * 60 * 1000L)
                        .withSecretTTL("#secretName1#", 2 * 60 * 1000L).build();
                SecretInfo secretInfo = client.getSecretInfo("#secretName#");
                System.out.println(secretInfo);
            } catch (CacheSecretException e) {
                e.printStackTrace();
            }
        }
    }

Secrets Manager Client for Python

Install a client

KMS provides Secrets Manager Client for Python. For more information about the source code of the client, visit aliyun-secretsmanager-client-python.

You can run the following pip command to install Secrets Manager Client for Python in your project:

pip install aliyun-secret-manager-client

Note

For more information about the versions of Secrets Manager Client for Python, visit aliyun-secretsmanager-client-python.

Sample code

Note

The AccessKey pair of an Alibaba Cloud account has permissions on all API operations. Using the AccessKey pair to perform operations is a high-risk operation. We recommend that you use a RAM user to call API operations or perform routine O&M. We recommend that you do not save the AccessKey ID and AccessKey secret in your project code. Otherwise, the AccessKey pair may be leaked and the security of all resources within your account may be compromised.

In this example, the AccessKey pair is saved in ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variables to implement identity authentication. For more information about how to configure authentication information, see Instantiate a client and configure a credential.

  • Construct a client by using environment variables

    from alibaba_cloud_secretsmanager_client.secret_manager_cache_client_builder import SecretManagerCacheClientBuilder
    
    if __name__ == '__main__':
        secret_cache_client = SecretManagerCacheClientBuilder.new_client()
        secret_info = secret_cache_client.get_secret_info("#secretName#")
        print(secret_info.__dict__)

  • Construct a client by using parameters such as the AccessKey ID, AccessKey secret, and region ID

    import os
    
    from alibaba_cloud_secretsmanager_client.secret_manager_cache_client_builder import SecretManagerCacheClientBuilder
    from alibaba_cloud_secretsmanager_client.service.default_secret_manager_client_builder import DefaultSecretManagerClientBuilder
    
    if __name__ == '__main__':
        # Read the AccessKey pair from environment variables instead of hard-coding it.
        secret_cache_client = SecretManagerCacheClientBuilder.new_cache_client_builder(
            DefaultSecretManagerClientBuilder.standard()
            .with_access_key(os.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"), os.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"))
            .with_region("#regionId#").build()
        ).build()
        secret_info = secret_cache_client.get_secret_info("#secretName#")
        print(secret_info.__dict__)

  • Construct a client by using custom parameters

    import os
    
    from alibaba_cloud_secretsmanager_client.secret_manager_cache_client_builder import SecretManagerCacheClientBuilder
    from alibaba_cloud_secretsmanager_client.cache.file_cache_secret_store_strategy import FileCacheSecretStoreStrategy
    from alibaba_cloud_secretsmanager_client.service.default_secret_manager_client_builder import DefaultSecretManagerClientBuilder
    from alibaba_cloud_secretsmanager_client.service.default_refresh_secret_strategy import DefaultRefreshSecretStrategy
    from alibaba_cloud_secretsmanager_client.service.full_jitter_back_off_strategy import FullJitterBackoffStrategy
    
    if __name__ == '__main__':
        # Read the AccessKey pair from environment variables instead of hard-coding it.
        secret_cache_client = SecretManagerCacheClientBuilder.new_cache_client_builder(
            DefaultSecretManagerClientBuilder.standard()
            .with_access_key(os.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"), os.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"))
            .with_back_off_strategy(FullJitterBackoffStrategy(3, 2000, 10000))
            .with_region("#regionId#").build()
        ) \
            .with_cache_secret_strategy(FileCacheSecretStoreStrategy("#cacheSecretPath#", True, "#salt#")) \
            .with_refresh_secret_strategy(DefaultRefreshSecretStrategy("#ttlName#")) \
            .with_cache_stage("#stage#") \
            .with_secret_ttl("#secretName#", 1 * 60 * 1000) \
            .build()
        secret_info = secret_cache_client.get_secret_info("#secretName#")
        print(secret_info.__dict__)

Secrets Manager Client for Go

Install a client

KMS provides Secrets Manager Client for Go. For more information about the source code of the client, visit aliyun-secretsmanager-client-go.

You can run the following command to install Secrets Manager Client for Go in your project:

go get -u github.com/aliyun/aliyun-secretsmanager-client-go

Note

For more information about the versions of Secrets Manager Client for Go, visit aliyun-secretsmanager-client-go.

Sample code

Note

The AccessKey pair of an Alibaba Cloud account has permissions on all API operations. Using the AccessKey pair to perform operations is a high-risk operation. We recommend that you use a RAM user to call API operations or perform routine O&M. We recommend that you do not save the AccessKey ID and AccessKey secret in your project code. Otherwise, the AccessKey pair may be leaked and the security of all resources within your account may be compromised.

In this example, the AccessKey pair is saved in ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variables to implement identity authentication. For more information about how to configure authentication information, see Instantiate a client and configure a credential.

  • Construct a client by using the secretsmanager.properties configuration file

    We recommend that you create a client key-based AAP and use the client key to call Secrets Manager SDK for Java. For more information about how to create a client key, see Bind a client key to the AAP.

    Secrets Manager Client for Go 1.0.1 or a later version allows you to access Secrets Manager by using client key-based AAPs. In this case, you must prepare the following configuration file:

    ## Specify the access method. 
    credentials_type=client_key
    
    ## Read the decryption password of the client key. You can read the password from an environment variable or a file. 
    client_key_password_from_env_variable=#your client key private key password environment variable name#
    client_key_password_from_file_path=#your client key private key password file path#
    
    ## Obtain the private key file of the client key. 
    client_key_private_key_path=#your client key private key file path#
    
    ## Specify the region of KMS. 
    cache_client_region_id=[{"regionId":"#regionId#"}]

    Sample code:

    package main
    
    import (
        "fmt"
        "github.com/aliyun/aliyun-secretsmanager-client-go/sdk"
    )
    
    func main() {
        client, err := sdk.NewClient()
        if err != nil {
            // Handle exceptions
            panic(err)
        }
        secretInfo, err := client.GetSecretInfo("#secretName#")
        if err != nil {
            // Handle exceptions
            panic(err)
        }
        fmt.Printf("SecretValue:%s\n",secretInfo.SecretValue)
    }

  • Construct a client by using parameters such as the AccessKey ID, AccessKey secret, and region ID

    package main
    
    import (
        "fmt"
        "os"
        "github.com/aliyun/aliyun-secretsmanager-client-go/sdk/service"
        "github.com/aliyun/aliyun-secretsmanager-client-go/sdk"
    )
    
    func main() {
        // Read the AccessKey pair from environment variables instead of hard-coding it.
        client, err := sdk.NewSecretCacheClientBuilder(
            service.NewDefaultSecretManagerClientBuilder().Standard().
                WithAccessKey(os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"), os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET")).
                WithRegion("#regionId#").
                Build()).Build()
        if err != nil {
            // Handle exceptions
            panic(err)
        }
        secretInfo, err := client.GetSecretInfo("#secretName#")
        if err != nil {
            // Handle exceptions
            panic(err)
        }
        fmt.Printf("SecretValue:%s\n",secretInfo.SecretValue)
    }

  • Construct a client by using custom parameters

    package main
    
    import (
        "fmt"
        "os"
        "github.com/aliyun/aliyun-secretsmanager-client-go/sdk/service"
        "github.com/aliyun/aliyun-secretsmanager-client-go/sdk"
        "github.com/aliyun/aliyun-secretsmanager-client-go/sdk/cache"
    )
    
    func main() {
        // Read the AccessKey pair from environment variables instead of hard-coding it.
        client, err := sdk.NewSecretCacheClientBuilder(
            service.NewDefaultSecretManagerClientBuilder().Standard().
                WithAccessKey(os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"), os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET")).
                WithRegion("#regionId#").
                WithBackoffStrategy(&service.FullJitterBackoffStrategy{RetryMaxAttempts: 3, RetryInitialIntervalMills: 2000, Capacity: 10000}).
                Build()).
            WithCacheSecretStrategy(cache.NewFileCacheSecretStoreStrategy("#cacheSecretPath#", true, "#salt#")).
            WithRefreshSecretStrategy(service.NewDefaultRefreshSecretStrategy("#jsonTTLPropertyName#")).
            WithCacheStage("ACSCurrent").
            WithSecretTTL("#secretName#", 1*60*1000).
            Build()
        if err != nil {
            // Handle exceptions
            panic(err)
        }
        secretInfo, err := client.GetSecretInfo("#secretName#")
        if err != nil {
            // Handle exceptions
            panic(err)
        }
        fmt.Printf("SecretValue:%s\n",secretInfo.SecretValue)
    }
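
The secretsmanager.properties file shown in the Java and Go sections points at the client key and its decryption password, so those files are the credentials the client trusts. The following deployment preflight is an added example, not code from the SDK or this documentation: `CheckConfig`, its messages, and the owner-only (0600) file policy are assumptions of this example, and it relies on POSIX file modes.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// CheckConfig returns the problems found in a secretsmanager.properties file;
// an empty result means the preflight passed. Assumes POSIX file modes.
func CheckConfig(path string) (problems []string) {
	raw, err := os.ReadFile(path)
	if err != nil {
		return []string{"cannot read config: " + err.Error()}
	}
	kv := map[string]string{}
	for _, line := range strings.Split(string(raw), "\n") {
		if k, v, ok := strings.Cut(strings.TrimSpace(line), "="); ok && !strings.HasPrefix(k, "#") {
			kv[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	if kv["credentials_type"] != "client_key" {
		problems = append(problems, "credentials_type is not client_key")
	}
	envName, pwFile := kv["client_key_password_from_env_variable"], kv["client_key_password_from_file_path"]
	if pwFile == "" && os.Getenv(envName) == "" {
		problems = append(problems, "no client key password: no file path and no exported variable")
	}
	// Key material must exist and be closed to group and other (mode & 0077 == 0).
	for _, p := range []string{kv["client_key_private_key_path"], pwFile} {
		if st, err := os.Stat(p); p != "" && err != nil {
			problems = append(problems, "cannot stat "+p)
		} else if err == nil && st.Mode().Perm()&0077 != 0 {
			problems = append(problems, fmt.Sprintf("%s has mode %04o, want 0600 or stricter", p, st.Mode().Perm()))
		}
	}
	if kv["client_key_private_key_path"] == "" {
		problems = append(problems, "client_key_private_key_path is missing")
	}
	var regions []struct{ RegionID string `json:"regionId"` }
	if json.Unmarshal([]byte(kv["cache_client_region_id"]), &regions) != nil || len(regions) == 0 || regions[0].RegionID == "" {
		problems = append(problems, "cache_client_region_id is not a JSON list with a regionId")
	}
	return problems
}

func main() {
	fmt.Println(strings.Join(CheckConfig("secretsmanager.properties"), "\n"))
}
```

Run it in the deployment pipeline or container entrypoint before the application constructs the client, and fail the start if any problem is reported.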