Secrets Manager JDBC encapsulates business logic, best practices, and design patterns based on dynamic ApsaraDB RDS secrets provided by Secrets Manager. Secrets Manager JDBC allows you to integrate Secrets Manager with your business systems. Secrets Manager JDBC allows you to use dynamic ApsaraDB RDS secrets in database applications. This eliminates the need to hard code the passwords of database accounts.
Features
- Provides common Java Database Connectivity (JDBC) drivers and simple database connections.
- Connects to databases by using c3p0 or Database Connection Pools (DBCPs).
- Allows you to obtain dynamic ApsaraDB RDS secrets by using different access methods. For example, you can use AccessKey pairs, Security Token Service (STS), or RAM roles of Elastic Compute Service (ECS) instances to obtain dynamic ApsaraDB RDS secrets.
- Allows you to customize rotation intervals for secrets.
Limits
- Only dynamic ApsaraDB RDS secrets are supported. We recommend that you use dynamic ApsaraDB RDS secrets in Manage Dual Account mode. For more information about how to create a dynamic ApsaraDB RDS secret, see Create a dynamic ApsaraDB RDS secret.
- Only Java 1.8 or later is supported.
- Only the ApsaraDB RDS instances that run MySQL, SQL Server, PostgreSQL, or MariaDB TX are supported.
Install Secrets Manager JDBC
Secrets Manager JDBC is developed in Java. For more information about how to install Secrets Manager JDBC, visit aliyun-secretsmanager-jdbc.
You can install Secrets Manager JDBC by adding the following Maven dependency:
<dependency>
<groupId>com.aliyun</groupId>
<artifactId>aliyun-secretsmanager-jdbc</artifactId>
<version>x.x.x</version>
</dependency>
Configure an access method
When Secrets Manager JDBC starts, it checks the secretsmanager.properties file for the access method. The following examples show how to configure different access methods:
- Access Secrets Manager by using the client key of an application access point
This method is recommended. For more information about how to create a client key, see Bind a client key to the application access point.
Note Secrets Manager JDBC 1.0.7 and later versions support the use of the client key of an application access point to access Secrets Manager.## Specify the access method. credentials_type=client_key ## Read the decryption password of the client key. You can read the password from an environment variable or file. client_key_password_from_env_variable=#your client key private key password environment variable name# client_key_password_from_file_path=#your client key private key password file path# ## Read the private key file of the client key. client_key_private_key_path=#your client key private key file path# ## Specify the region of Key Management Service (KMS). cache_client_region_id=[{"regionId":"#regionId#"}]
- Access Secrets Manager by using the AccessKey pair
## Specify the access method. credentials_type=ak ## Specify the AccessKey ID. credentials_access_key_id=#credentials_access_key_id# ## Specify the AccessKey secret. credentials_access_secret=#credentials_access_secret# ## Specify the region of KMS. cache_client_region_id=[{"regionId":"#regionId#"}] ## Customize the rotation interval. Default value: 21600000. Minimum value: 300000. Unit: milliseconds. The default value is equivalent to 6 hours, and the minimum value is equivalent to 5 minutes. refresh_secret_ttl=21600000
Note For more information about how to obtain an AccessKey pair, see Obtain an AccessKey pair. - Access Secrets Manager by using STS
## Specify the access method. credentials_type=sts ## Specify the AccessKey ID. credentials_access_key_id=#credentials_access_key_id# ## Specify the AccessKey secret. credentials_access_secret=#credentials_access_secret# ## Specify the name of the session in which dynamic ApsaraDB RDS secrets are obtained. credentials_role_session_name=#credentials_role_session_name# ## Specify the Alibaba Cloud Resource Name (ARN) of the RAM role. credentials_role_arn=#credentials_role_arn# ## Specify the policy that is used to obtain dynamic ApsaraDB RDS secrets. credentials_policy=#credentials_policy# ## Specify the region of KMS. cache_client_region_id=[{"regionId":"#regionId#"}] ## Customize the rotation interval. Default value: 21600000. Minimum value: 300000. Unit: milliseconds. The default value is equivalent to 6 hours, and the minimum value is equivalent to 5 minutes. refresh_secret_ttl=21600000
Note For more information about how to obtain an AccessKey pair, see Obtain an AccessKey pair. - Access Secrets Manager by using the RAM role of an ECS instance
## Specify the access method. credentials_type=ecs_ram_role ## Specify the name of the RAM role. credentials_role_name=#credentials_role_name# ## Specify the region of KMS. cache_client_region_id=[{"regionId":"#regionId#"}] ## Customize the rotation interval. Default value: 21600000. Minimum value: 300000. Unit: milliseconds. The default value is equivalent to 6 hours, and the minimum value is equivalent to 5 minutes. refresh_secret_ttl=21600000
Note For more information about how to create a RAM role and assign the RAM role to an ECS instance, see Access KMS from an ECS instance in a secure manner.
Sample codes
- Access a database by using JDBC
The following sample code provides an example on how to access an ApsaraDB RDS for MySQL instance by using JDBC:
import java.sql.Connection; import java.sql.DriverManager; import java.sql.SQLException; public class SecretManagerJDBCSample { public static void main(String[] args) throws Exception { Class.forName("com.aliyun.kms.secretsmanager.MysqlSecretsManagerSimpleDriver"); Connection connect = null; try { connect = DriverManager.getConnection("secrets-manager:mysql://<your-mysql-ip>:<your-mysql-port>/<your-database-name>", "#your-mysql-secret-name#",""); } catch(SQLException e) { e.printStackTrace(); } } }
- Access a database by using a c3p0 connection pool
The following sample code provides an example of the c3p0.properties configuration file:
c3p0.user=#your-mysql-secret-name# c3p0.driverClass=com.aliyun.kms.secretsmanager.MysqlSecretsManagerSimpleDriver c3p0.jdbcUrl=secrets-manager:mysql://<your-mysql-ip>:<your-mysql-port>/<your-database-name>
- Access a database by using an open source framework
The following sample code provides an example of the Spring configuration file:
<bean id="dataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource" > <property name="driverClass" value="com.aliyun.kms.secretsmanager.MysqlSecretsManagerSimpleDriver" /> <property name="user" value="#your-mysql-secret-name#" /> <property name="jdbcUrl" value="secrets-manager:mysql://<your-mysql-ip>:<your-mysql-port>/<your-database-name>" /> <property name="maxPoolSize" value="500" /> <property name="minPoolSize" value="5" /> <property name="initialPoolSize" value="20" /> </bean> <bean id="jdbcTemplate" class="org.springframework.jdbc.core.JdbcTemplate" > <property name="dataSource" ref="dataSource" /> </bean>