AWS Secrets Manager

The plugin provides functionality to interact with Amazon Secrets Manager.

Installation

  1. Copy the below line to dependencies section of the project build.gradle file

    Please make sure to use the same version for all VIVIDUS dependencies.
    Example 1. build.gradle
    implementation('org.vividus:vividus-plugin-aws-secrets-manager')

  2. If the project was imported to the IDE before adding new dependency, re-generate the configuration files for the used IDE and then refresh the project in the used IDE.

Configuration

Authentication

The plugin attempts to find AWS credentials by using the default credential provider chain. The provider chain looks for credentials using the provided below options one by one starting from the top. If credentials are found at some point, the search stops and further options are not evaluated.

  1. The AWS credentials scoped to either current scenario or story (configured via the corresponding step).

  2. Environment variables: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (the optional variable for session token is AWS_SESSION_TOKEN).

  3. The properties: system.aws.accessKeyId and system.aws.secretKey (the optional property for session token is system.aws.sessionToken).

  4. Web Identity Token credentials from the environment or container.

  5. In the default credentials file (the location of this file varies by platform).

  6. Credentials delivered through the Amazon EC2 container service if the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable is set and security manager has permission to access the variable.

  7. In the instance profile credentials, which exist within the instance metadata associated with the IAM role for the EC2 instance. This step is available only when running your application on an Amazon EC2 instance, but provides the greatest ease of use and best security when working with Amazon EC2 instances.

  8. If the plugin still hasn’t found credentials by this point, client creation fails with an exception.

See the official "Working with AWS Credentials" guide to get more details.

Region Selection

The plugin attempts to find AWS region by using the default region provider chain. The provider chain looks for a region using the provided below options one by one starting from the top. If region is found at some point, the search stops and further options are not evaluated.

  1. Environment variable: AWS_REGION.

  2. The property: system.aws.region.

  3. AWS shared configuration file (usually located at ~/.aws/config).

  4. Use the Amazon EC2 instance metadata service to determine the region of the currently running Amazon EC2 instance.

  5. If the plugin still hasn’t found a region by this point, client creation fails with an exception.

See the official "AWS Region Selection" guide to get more details.

How to refer AWS secrets

  1. Find the required secret in the list.

    AWS Secrets

  2. Put the name to properties using the case-sensitive wrapping AWS_SECRETS_MANAGER(…​)

    Property value format:

    AWS_SECRETS_MANAGER(<profile>, <secret>/<secret_name>)

    Where:

    • profile - [optional] The AWS profile.

    • secret - The ID of the secret to retrieve.

    • secret_name - The secret name within the secret container.

      db.connection.test.username=AWS_SECRETS_MANAGER(my_secret/dev/username)
db.connection.test.password=AWS_SECRETS_MANAGER(my_profile, my_secret/dev/password)