AWS Secrets Manager
The plugin provides functionality to interact with Amazon Secrets Manager.
Installation
-
Copy the below line to
dependencies
section of the projectbuild.gradle
filePlease make sure to use the same version for all VIVIDUS dependencies. Example 1. build.gradleimplementation('org.vividus:vividus-plugin-aws-secrets-manager')
-
If the project was imported to the IDE before adding new dependency, re-generate the configuration files for the used IDE and then refresh the project in the used IDE.
Configuration
Authentication
The plugin attempts to find AWS credentials by using the default credential provider chain. The provider chain looks for credentials using the provided below options one by one starting from the top. If credentials are found at some point, the search stops and further options are not evaluated.
-
The AWS credentials scoped to either current scenario or story (configured via the corresponding step).
-
Environment variables:
AWS_ACCESS_KEY_ID
andAWS_SECRET_ACCESS_KEY
(the optional variable for session token isAWS_SESSION_TOKEN
). -
The properties:
system.aws.accessKeyId
andsystem.aws.secretKey
(the optional property for session token issystem.aws.sessionToken
). -
Web Identity Token credentials from the environment or container.
-
In the default credentials file (the location of this file varies by platform).
-
Credentials delivered through the Amazon EC2 container service if the
AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
environment variable is set and security manager has permission to access the variable. -
In the instance profile credentials, which exist within the instance metadata associated with the IAM role for the EC2 instance. This step is available only when running your application on an Amazon EC2 instance, but provides the greatest ease of use and best security when working with Amazon EC2 instances.
-
If the plugin still hasn’t found credentials by this point, client creation fails with an exception.
See the official "Working with AWS Credentials" guide to get more details.
Region Selection
The plugin attempts to find AWS region by using the default region provider chain. The provider chain looks for a region using the provided below options one by one starting from the top. If region is found at some point, the search stops and further options are not evaluated.
-
Environment variable:
AWS_REGION
. -
The property:
system.aws.region
. -
AWS shared configuration file (usually located at
~/.aws/config
). -
Use the Amazon EC2 instance metadata service to determine the region of the currently running Amazon EC2 instance.
-
If the plugin still hasn’t found a region by this point, client creation fails with an exception.
See the official "AWS Region Selection" guide to get more details.
How to refer AWS secrets
-
Find the required secret in the list.
-
Put the name to properties using the case-sensitive wrapping
AWS_SECRETS_MANAGER(…)
Property value format:
AWS_SECRETS_MANAGER(<profile>, <secret>/<secret_name>)
Where:
-
profile
- [optional] The AWS profile. -
secret
- The ID of the secret to retrieve. -
secret_name
- The secret name within the secret container.db.connection.test.username=AWS_SECRETS_MANAGER(my_secret/dev/username) db.connection.test.password=AWS_SECRETS_MANAGER(my_profile, my_secret/dev/password)
-