Secrets Manager Client wraps the Secrets Manager-related operations and encapsulates business logic, best practices, and design patterns. This allows you to easily integrate the capabilities of Secrets Manager into business systems. Secrets Manager Client allows you to dynamically use the secrets that are managed in Secrets Manager. This way, you no longer need to hard-code sensitive data.
Features
Secrets Manager Client provides the following features:
Allows you to integrate the capabilities of Secrets Manager into applications. You can use a single line of code to read secret information.
Allows you to cache and refresh secrets in applications.
Encapsulates the API error-based retry mechanism to intelligently handle reported errors.
Provides a plug-in design mode to allow you to customize features such as extended cache and error retry.
Secrets Manager Client for Java
Install a client
Key Management Service (KMS) provides Secrets Manager Client for Java. For more information about the source code of the client, visit alibabacloud-secretsmanager-client-java.
You can install Secrets Manager Client for Java by adding the following Maven dependency:
<dependency>
    <groupId>com.aliyun</groupId>
    <artifactId>alibabacloud-secretsmanager-client</artifactId>
    <version>x.x.x</version>
</dependency>
For more information about the versions of Secrets Manager Client for Java, visit alibabacloud-secretsmanager-client release.
Sample code
The AccessKey pair of an Alibaba Cloud account has permissions on all API operations. Using the AccessKey pair to perform operations is a high-risk operation. We recommend that you use a RAM user to call API operations or perform routine O&M. We recommend that you do not save the AccessKey ID and AccessKey secret in your project code. Otherwise, the AccessKey pair may be leaked and the security of all resources within your account may be compromised.
In this example, the AccessKey pair is saved in ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variables to implement identity authentication. For more information about how to configure authentication information, see Credentials.
Construct a client by using the secretsmanager.properties configuration file
We recommend that you create a client key-based application access point (AAP) and use the client key to call Secrets Manager SDK for Java. For more information about how to create a client key, see Bind a client key to the AAP.
Secrets Manager Client for Java 1.1.8 or a later version allows you to access Secrets Manager by using client key-based AAPs. In this case, you must prepare the following configuration file:
## Specify the access method.
credentials_type=client_key
## Read the decryption password of the client key. You can read the password from an environment variable or a file.
client_key_password_from_env_variable=#your client key private key password environment variable name#
client_key_password_from_file_path=#your client key private key password file path#
## Obtain the private key file of the client key.
client_key_private_key_path=#your client key private key file path#
## Specify the region of KMS.
cache_client_region_id=[{"regionId":"#regionId#"}]
Sample code:
import com.aliyuncs.kms.secretsmanager.client.SecretCacheClient;
import com.aliyuncs.kms.secretsmanager.client.SecretCacheClientBuilder;
import com.aliyuncs.kms.secretsmanager.client.exception.CacheSecretException;
import com.aliyuncs.kms.secretsmanager.client.model.SecretInfo;

public class CacheClientEnvironmentSample {
    public static void main(String[] args) {
        try {
            // Build the client from the secretsmanager.properties configuration file.
            SecretCacheClient client = SecretCacheClientBuilder.newClient();
            // Read the secret by name.
            SecretInfo secretInfo = client.getSecretInfo("#secretName#");
            System.out.println(secretInfo);
        } catch (CacheSecretException e) {
            e.printStackTrace();
        }
    }
}
Construct a client by using parameters such as the AccessKey ID, AccessKey secret, and region ID
import com.aliyuncs.kms.secretsmanager.client.SecretCacheClient;
import com.aliyuncs.kms.secretsmanager.client.SecretCacheClientBuilder;
import com.aliyuncs.kms.secretsmanager.client.exception.CacheSecretException;
import com.aliyuncs.kms.secretsmanager.client.model.SecretInfo;
import com.aliyuncs.kms.secretsmanager.client.service.BaseSecretManagerClientBuilder;
import com.aliyuncs.kms.secretsmanager.client.utils.CredentialsProviderUtils;

public class CacheClientSimpleParametersSample {
    public static void main(String[] args) {
        try {
            // The AccessKey pair is read from environment variables, not hard-coded.
            SecretCacheClient client = SecretCacheClientBuilder.newCacheClientBuilder(
                    BaseSecretManagerClientBuilder.standard()
                            .withCredentialsProvider(CredentialsProviderUtils.withAccessKey(
                                    System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"),
                                    System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET")))
                            .withRegion("#regionId#")
                            .build())
                    .build();
            SecretInfo secretInfo = client.getSecretInfo("#secretName#");
            System.out.println(secretInfo);
        } catch (CacheSecretException e) {
            e.printStackTrace();
        }
    }
}
Construct a client by using custom parameters
import com.aliyuncs.kms.secretsmanager.client.SecretCacheClient;
import com.aliyuncs.kms.secretsmanager.client.SecretCacheClientBuilder;
import com.aliyuncs.kms.secretsmanager.client.cache.FileCacheSecretStoreStrategy;
import com.aliyuncs.kms.secretsmanager.client.exception.CacheSecretException;
import com.aliyuncs.kms.secretsmanager.client.model.SecretInfo;
import com.aliyuncs.kms.secretsmanager.client.service.BaseSecretManagerClientBuilder;
import com.aliyuncs.kms.secretsmanager.client.service.DefaultRefreshSecretStrategy;
import com.aliyuncs.kms.secretsmanager.client.service.FullJitterBackoffStrategy;
import com.aliyuncs.kms.secretsmanager.client.utils.CredentialsProviderUtils;

public class CacheClientDetailParametersSample {
    public static void main(String[] args) {
        try {
            // The AccessKey pair is read from environment variables, not hard-coded.
            SecretCacheClient client = SecretCacheClientBuilder.newCacheClientBuilder(
                    BaseSecretManagerClientBuilder.standard()
                            .withCredentialsProvider(CredentialsProviderUtils.withAccessKey(
                                    System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"),
                                    System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET")))
                            .withRegion("#regionId#")
                            .withBackoffStrategy(new FullJitterBackoffStrategy(3, 2000, 10000))
                            .build())
                    // Custom cache, refresh, stage, and per-secret TTL settings.
                    .withCacheSecretStrategy(new FileCacheSecretStoreStrategy("#cacheSecretPath#", true, "#salt#"))
                    .withRefreshSecretStrategy(new DefaultRefreshSecretStrategy("#ttlName#"))
                    .withCacheStage("#stage#")
                    .withSecretTTL("#secretName#", 1 * 60 * 1000L)
                    .withSecretTTL("#secretName1#", 2 * 60 * 1000L)
                    .build();
            SecretInfo secretInfo = client.getSecretInfo("#secretName#");
            System.out.println(secretInfo);
        } catch (CacheSecretException e) {
            e.printStackTrace();
        }
    }
}
Secrets Manager Client for Python
Install a client
KMS provides Secrets Manager Client for Python. For more information about the source code of the client, visit aliyun-secretsmanager-client-python.
You can run the following pip command to install Secrets Manager Client for Python in your project:
pip install aliyun-secret-manager-client
For more information about the versions of Secrets Manager Client for Python, visit aliyun-secretsmanager-client-python.
Sample code
The AccessKey pair of an Alibaba Cloud account has permissions on all API operations. Using the AccessKey pair to perform operations is a high-risk operation. We recommend that you use a RAM user to call API operations or perform routine O&M. We recommend that you do not save the AccessKey ID and AccessKey secret in your project code. Otherwise, the AccessKey pair may be leaked and the security of all resources within your account may be compromised.
In this example, the AccessKey pair is saved in ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variables to implement identity authentication. For more information about how to configure authentication information, see Instantiate a client and configure a credential.
Construct a client by using environment variables
from alibaba_cloud_secretsmanager_client.secret_manager_cache_client_builder import SecretManagerCacheClientBuilder

if __name__ == '__main__':
    # Build the client from environment variables.
    secret_cache_client = SecretManagerCacheClientBuilder.new_client()
    # Read the secret by name.
    secret_info = secret_cache_client.get_secret_info("#secretName#")
    print(secret_info.__dict__)
Construct a client by using parameters such as the AccessKey ID, AccessKey secret, and region ID
import os

from alibaba_cloud_secretsmanager_client.secret_manager_cache_client_builder import SecretManagerCacheClientBuilder
from alibaba_cloud_secretsmanager_client.service.default_secret_manager_client_builder import DefaultSecretManagerClientBuilder

if __name__ == '__main__':
    # The AccessKey pair is read from environment variables, not hard-coded.
    secret_cache_client = SecretManagerCacheClientBuilder.new_cache_client_builder(
        DefaultSecretManagerClientBuilder.standard()
        .with_access_key(os.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"), os.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"))
        .with_region("#regionId#")
        .build()
    ).build()
    secret_info = secret_cache_client.get_secret_info("#secretName#")
    print(secret_info.__dict__)
Construct a client by using custom parameters
import os

from alibaba_cloud_secretsmanager_client.secret_manager_cache_client_builder import SecretManagerCacheClientBuilder
from alibaba_cloud_secretsmanager_client.cache.file_cache_secret_store_strategy import FileCacheSecretStoreStrategy
from alibaba_cloud_secretsmanager_client.service.default_secret_manager_client_builder import DefaultSecretManagerClientBuilder
from alibaba_cloud_secretsmanager_client.service.default_refresh_secret_strategy import DefaultRefreshSecretStrategy
from alibaba_cloud_secretsmanager_client.service.full_jitter_back_off_strategy import FullJitterBackoffStrategy

if __name__ == '__main__':
    # The AccessKey pair is read from environment variables, not hard-coded.
    secret_cache_client = (
        SecretManagerCacheClientBuilder.new_cache_client_builder(
            DefaultSecretManagerClientBuilder.standard()
            .with_access_key(os.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"), os.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"))
            .with_back_off_strategy(FullJitterBackoffStrategy(3, 2000, 10000))
            .with_region("#regionId#")
            .build()
        )
        # Custom cache, refresh, stage, and per-secret TTL settings.
        .with_cache_secret_strategy(FileCacheSecretStoreStrategy("#cacheSecretPath#", True, "#salt#"))
        .with_refresh_secret_strategy(DefaultRefreshSecretStrategy("#ttlName#"))
        .with_cache_stage("#stage#")
        .with_secret_ttl("#secretName#", 1 * 60 * 1000)
        .build()
    )
    secret_info = secret_cache_client.get_secret_info("#secretName#")
    print(secret_info.__dict__)
Secrets Manager Client for Go
Install a client
KMS provides Secrets Manager Client for Go. For more information about the source code of the client, visit aliyun-secretsmanager-client-go.
You can run the following command to install Secrets Manager Client for Go in your project:
go get -u github.com/aliyun/aliyun-secretsmanager-client-go
For more information about the versions of Secrets Manager Client for Go, visit aliyun-secretsmanager-client-go.
Sample code
The AccessKey pair of an Alibaba Cloud account has permissions on all API operations. Using the AccessKey pair to perform operations is a high-risk operation. We recommend that you use a RAM user to call API operations or perform routine O&M. We recommend that you do not save the AccessKey ID and AccessKey secret in your project code. Otherwise, the AccessKey pair may be leaked and the security of all resources within your account may be compromised.
In this example, the AccessKey pair is saved in ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variables to implement identity authentication. For more information about how to configure authentication information, see Instantiate a client and configure a credential.
Construct a client by using the secretsmanager.properties configuration file
We recommend that you create a client key-based AAP and use the client key to call Secrets Manager SDK for Java. For more information about how to create a client key, see Bind a client key to the AAP.
Secrets Manager Client for Go 1.0.1 or a later version allows you to access Secrets Manager by using client key-based AAPs. In this case, you must prepare the following configuration file:
## Specify the access method.
credentials_type=client_key
## Read the decryption password of the client key. You can read the password from an environment variable or a file.
client_key_password_from_env_variable=#your client key private key password environment variable name#
client_key_password_from_file_path=#your client key private key password file path#
## Obtain the private key file of the client key.
client_key_private_key_path=#your client key private key file path#
## Specify the region of KMS.
cache_client_region_id=[{"regionId":"#regionId#"}]
Sample code:
package main

import (
	"fmt"

	"github.com/aliyun/aliyun-secretsmanager-client-go/sdk"
)

func main() {
	// Build the client from the secretsmanager.properties configuration file.
	client, err := sdk.NewClient()
	if err != nil {
		// Handle exceptions
		panic(err)
	}
	secretInfo, err := client.GetSecretInfo("#secretName#")
	if err != nil {
		// Handle exceptions
		panic(err)
	}
	// Sample only: this prints the secret value to standard output.
	fmt.Printf("SecretValue:%s\n", secretInfo.SecretValue)
}
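The secretsmanager.properties file above (the Java section uses the same keys) names a private key file and a password source, so a pre-flight check can catch a missing password source or a key file that other local users can read before the client starts. This is an added example, not code from the original page or from the SDK. Assumptions: the function names, the constructed sample values, and the rule that the key and password files must not be accessible to group or others (POSIX mode bits).

```python
import json
import os
import stat

SAMPLE = """\
## Constructed sample: path, variable name and region are placeholders.
credentials_type=client_key
client_key_password_from_env_variable=CLIENT_KEY_PASSWORD
client_key_private_key_path=/nonexistent/clientKey.json
cache_client_region_id=[{"regionId":"cn-hangzhou"}]
"""

def parse_properties(text):
    """Parse key=value lines; lines starting with '#' are comments."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_secret_file(key, path, findings):
    """Flag a missing file or one that group/others can access (POSIX mode bits)."""
    if not path or not os.path.isfile(path):
        findings.append(f"{key}: file not found")
    elif stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.append(f"{key}: accessible to group/others")

def check_client_key_config(text, environ=os.environ):
    """Return a list of findings; an empty list means every check passed."""
    props, findings = parse_properties(text), []
    if props.get("credentials_type") != "client_key":
        findings.append("credentials_type: expected client_key")
    env_name = props.get("client_key_password_from_env_variable")
    pw_file = props.get("client_key_password_from_file_path")
    if not env_name and not pw_file:
        findings.append("password: no environment variable or file configured")
    if env_name and not environ.get(env_name):
        findings.append("client_key_password_from_env_variable: variable unset or empty")
    for key in ("client_key_password_from_file_path", "client_key_private_key_path"):
        if props.get(key) or key == "client_key_private_key_path":  # key file is required
            check_secret_file(key, props.get(key), findings)
    try:
        regions = json.loads(props.get("cache_client_region_id", ""))
        region_ids = [r["regionId"] for r in regions]
    except (ValueError, TypeError, KeyError):
        region_ids = []
    if not region_ids or not all(region_ids):
        findings.append("cache_client_region_id: not a JSON list of regionId objects")
    return findings
```

Calling `check_client_key_config(open(path).read())` on a real file returns the findings to review; the embedded sample reports only the placeholder key path as missing once `CLIENT_KEY_PASSWORD` is set.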
Construct a client by using parameters such as the AccessKey ID, AccessKey secret, and region ID
package main

import (
	"fmt"
	"os"

	"github.com/aliyun/aliyun-secretsmanager-client-go/sdk"
	"github.com/aliyun/aliyun-secretsmanager-client-go/sdk/service"
)

func main() {
	// The AccessKey pair is read from environment variables, not hard-coded.
	client, err := sdk.NewSecretCacheClientBuilder(
		service.NewDefaultSecretManagerClientBuilder().Standard().
			WithAccessKey(os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"), os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET")).
			WithRegion("#regionId#").
			Build()).
		Build()
	if err != nil {
		// Handle exceptions
		panic(err)
	}
	secretInfo, err := client.GetSecretInfo("#secretName#")
	if err != nil {
		// Handle exceptions
		panic(err)
	}
	// Sample only: this prints the secret value to standard output.
	fmt.Printf("SecretValue:%s\n", secretInfo.SecretValue)
}
Construct a client by using custom parameters
package main

import (
	"fmt"
	"os"

	"github.com/aliyun/aliyun-secretsmanager-client-go/sdk"
	"github.com/aliyun/aliyun-secretsmanager-client-go/sdk/cache"
	"github.com/aliyun/aliyun-secretsmanager-client-go/sdk/service"
)

func main() {
	// The AccessKey pair is read from environment variables, not hard-coded.
	client, err := sdk.NewSecretCacheClientBuilder(
		service.NewDefaultSecretManagerClientBuilder().Standard().
			WithAccessKey(os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"), os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET")).
			WithRegion("#regionId#").
			WithBackoffStrategy(&service.FullJitterBackoffStrategy{RetryMaxAttempts: 3, RetryInitialIntervalMills: 2000, Capacity: 10000}).
			Build()).
		// Custom cache, refresh, stage, and per-secret TTL settings.
		WithCacheSecretStrategy(cache.NewFileCacheSecretStoreStrategy("#cacheSecretPath#", true, "#salt#")).
		WithRefreshSecretStrategy(service.NewDefaultRefreshSecretStrategy("#jsonTTLPropertyName#")).
		WithCacheStage("ACSCurrent").
		WithSecretTTL("#secretName#", 1*60*1000).
		Build()
	if err != nil {
		// Handle exceptions
		panic(err)
	}
	secretInfo, err := client.GetSecretInfo("#secretName#")
	if err != nil {
		// Handle exceptions
		panic(err)
	}
	// Sample only: this prints the secret value to standard output.
	fmt.Printf("SecretValue:%s\n", secretInfo.SecretValue)
}