aws-sdk-java-v2-secrets-manager

📁 giuseppe-trisciuoglio/developer-kit 📅 10 days ago

总安装量

周安装量

#2465

全站排名

安装命令

npx skills add https://github.com/giuseppe-trisciuoglio/developer-kit --skill aws-sdk-java-v2-secrets-manager

Agent 安装分布

claude-code 70

replit 64

cursor 64

opencode 55

antigravity 53

Skill 文档

AWS SDK for Java 2.x – AWS Secrets Manager

Overview

AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources. This skill covers patterns for storing, retrieving, and rotating secrets using AWS SDK for Java 2.x, including Spring Boot integration and caching strategies.

When to Use

Use this skill when:

Storing and retrieving application secrets programmatically
Managing database credentials securely without hardcoding
Implementing automatic secret rotation with Lambda functions
Integrating AWS Secrets Manager with Spring Boot applications
Setting up secret caching for improved performance
Creating secure configuration management systems
Working with multi-region secret deployments
Implementing audit logging for secret access

Instructions

Follow these steps to work with AWS Secrets Manager:

Add Dependencies – Include secretsmanager dependency and caching library
Create Client – Instantiate SecretsManagerClient with proper configuration
Store Secrets – Use createSecret() to store new secrets
Retrieve Secrets – Use getSecretValue() to fetch secrets
Implement Caching – Use SecretCache for improved performance
Configure Rotation – Set up automatic rotation schedules
Integrate with Spring – Configure beans and property sources
Monitor Access – Enable CloudTrail logging for audit trails

Dependencies

Maven

<dependency>
    <groupId>software.amazon.awssdk</groupId>
    <artifactId>secretsmanager</artifactId>
</dependency>

<!-- For secret caching (recommended for production) -->
<dependency>
    <groupId>com.amazonaws.secretsmanager</groupId>
    <artifactId>aws-secretsmanager-caching-java</artifactId>
    <version>2.0.0</version> // Use the sdk v2 compatible version
</dependency>

Gradle

implementation 'software.amazon.awssdk:secretsmanager'
implementation 'com.amazonaws.secretsmanager:aws-secretsmanager-caching-java:2.0.0

Quick Start

Basic Client Setup

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;

SecretsManagerClient secretsClient = SecretsManagerClient.builder()
    .region(Region.US_EAST_1)
    .build();

Store a Secret

import software.amazon.awssdk.services.secretsmanager.model.*;

public String createSecret(String secretName, String secretValue) {
    CreateSecretRequest request = CreateSecretRequest.builder()
        .name(secretName)
        .secretString(secretValue)
        .build();

    CreateSecretResponse response = secretsClient.createSecret(request);
    return response.arn();
}

Retrieve a Secret

public String getSecretValue(String secretName) {
    GetSecretValueRequest request = GetSecretValueRequest.builder()
        .secretId(secretName)
        .build();

    GetSecretValueResponse response = secretsClient.getSecretValue(request);
    return response.secretString();
}

Core Operations

Secret Management

Create secrets with createSecret()
Retrieve secrets with getSecretValue()
Update secrets with updateSecret()
Delete secrets with deleteSecret()
List secrets with listSecrets()
Restore deleted secrets with restoreSecret()

Secret Versioning

Access specific versions by versionId
Access versions by stage (e.g., “AWSCURRENT”, “AWSPENDING”)
Automatically manage version history

Secret Rotation

Configure automatic rotation schedules
Lambda-based rotation functions
Immediate rotation with rotateSecret()

Caching for Performance

Setup Cache

import com.amazonaws.secretsmanager.caching.SecretCache;

public class CachedSecrets {
    private final SecretCache cache;

    public CachedSecrets(SecretsManagerClient secretsClient) {
        this.cache = new SecretCache(secretsClient);
    }

    public String getCachedSecret(String secretName) {
        return cache.getSecretString(secretName);
    }
}

Cache Configuration

import com.amazonaws.secretsmanager.caching.SecretCacheConfiguration;

SecretCacheConfiguration config = SecretCacheConfiguration.builder()
    .maxCacheSize(1000)
    .cacheItemTTL(3600000) // 1 hour
    .build();

Spring Boot Integration

Configuration

@Configuration
public class SecretsManagerConfiguration {

    @Bean
    public SecretsManagerClient secretsManagerClient() {
        return SecretsManagerClient.builder()
            .region(Region.of(region))
            .build();
    }

    @Bean
    public SecretCache secretCache(SecretsManagerClient secretsClient) {
        return new SecretCache(secretsClient);
    }
}

Service Layer

@Service
public class SecretsService {

    private final SecretCache cache;

    public SecretsService(SecretCache cache) {
        this.cache = cache;
    }

    public <T> T getSecretAsObject(String secretName, Class<T> type) {
        String secretJson = cache.getSecretString(secretName);
        return objectMapper.readValue(secretJson, type);
    }
}

Database Configuration

@Configuration
public class DatabaseConfiguration {

    @Bean
    public DataSource dataSource(SecretsService secretsService) {
        Map<String, String> credentials = secretsService.getSecretAsMap(
            "prod/database/credentials");

        HikariConfig config = new HikariConfig();
        config.setJdbcUrl(credentials.get("url"));
        config.setUsername(credentials.get("username"));
        config.setPassword(credentials.get("password"));

        return new HikariDataSource(config);
    }
}

Examples

Database Credentials Structure

{
  "engine": "postgres",
  "host": "mydb.us-east-1.rds.amazonaws.com",
  "port": 5432,
  "username": "admin",
  "password": "MySecurePassword123!",
  "dbname": "mydatabase",
  "url": "jdbc:postgresql://mydb.us-east-1.rds.amazonaws.com:5432/mydatabase"
}

API Keys Structure

{
  "api_key": "abcd1234-5678-90ef-ghij-klmnopqrstuv",
  "api_secret": "MySecretKey123!",
  "api_token": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}

Common Patterns

Error Handling

try {
    String secret = secretsClient.getSecretValue(request).secretString();
} catch (SecretsManagerException e) {
    if (e.awsErrorDetails().errorCode().equals("ResourceNotFoundException")) {
        // Handle missing secret
    }
    throw e;
}

Batch Operations

List<String> secretNames = List.of("secret1", "secret2", "secret3");
Map<String, String> secrets = secretNames.stream()
    .collect(Collectors.toMap(
        Function.identity(),
        name -> cache.getSecretString(name)
    ));

Best Practices

Secret Management:
- Use descriptive secret names with hierarchical structure
- Implement versioning and rotation
- Add tags for organization and billing
Caching:
- Always use caching in production environments
- Configure appropriate TTL values based on secret sensitivity
- Monitor cache hit rates
Security:
- Never log secret values
- Use KMS encryption for sensitive secrets
- Implement least privilege IAM policies
- Enable CloudTrail logging
Performance:
- Reuse SecretsManagerClient instances
- Use async operations when appropriate
- Monitor API throttling limits
Spring Boot Integration:
- Use @Value annotations for secret names
- Implement proper exception handling
- Use configuration properties for secret names

Testing Strategies

Unit Testing

@ExtendWith(MockitoExtension.class)
class SecretsServiceTest {

    @Mock
    private SecretCache cache;

    @InjectMocks
    private SecretsService secretsService;

    @Test
    void shouldGetSecret() {
        when(cache.getSecretString("test-secret")).thenReturn("secret-value");

        String result = secretsService.getSecret("test-secret");

        assertEquals("secret-value", result);
    }
}

Integration Testing

@SpringBootTest(classes = TestSecretsConfiguration.class)
class SecretsManagerIntegrationTest {

    @Autowired
    private SecretsService secretsService;

    @Test
    void shouldRetrieveSecret() {
        String secret = secretsService.getSecret("test-secret");
        assertNotNull(secret);
    }
}

Troubleshooting

Common Issues

Access Denied: Check IAM permissions
Resource Not Found: Verify secret name and region
Decryption Failure: Ensure KMS key permissions
Throttling: Implement retry logic and backoff

Debug Commands

# Check secret exists
aws secretsmanager describe-secret --secret-id my-secret

# List all secrets
aws secretsmanager list-secrets

# Get secret value (CLI)
aws secretsmanager get-secret-value --secret-id my-secret

References

For detailed information and advanced patterns, see:

API Reference – Complete API documentation
Caching Guide – Performance optimization strategies
Spring Boot Integration – Complete Spring integration patterns

Related Skills

aws-sdk-java-v2-core – Core AWS SDK patterns and best practices
aws-sdk-java-v2-kms – KMS encryption and key management
spring-boot-dependency-injection – Spring dependency injection patterns

Constraints and Warnings

Secret Size: Maximum secret size is 10KB
API Costs: Each API call incurs a cost; use caching to reduce calls
Rotation Limits: Some secret types cannot be rotated automatically
Replication Limits: Multi-region secrets have replication limits
Version Limits: Secrets retain up to 100 versions including pending versions
Deletion Delay: Secret deletion requires 7-30 day recovery window
KMS Encryption: Secrets are encrypted using AWS KMS; key management is important
Cache Consistency: Cached secrets may be stale during rotation
IAM Permissions: Secrets require specific IAM actions for access
Logging: Avoid logging secret values; use CloudTrail for audit trails

GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台