Quickstart
https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html
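package cloud.difference.nbi;

import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import com.amazonaws.services.secretsmanager.AWSSecretsManager;
import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;
import com.amazonaws.services.secretsmanager.model.DecryptionFailureException;
import com.amazonaws.services.secretsmanager.model.GetSecretValueRequest;
import com.amazonaws.services.secretsmanager.model.GetSecretValueResult;
import com.amazonaws.services.secretsmanager.model.InternalServiceErrorException;
import com.amazonaws.services.secretsmanager.model.InvalidParameterException;
import com.amazonaws.services.secretsmanager.model.InvalidRequestException;
import com.amazonaws.services.secretsmanager.model.ResourceNotFoundException;

/**
 * Reads a secret value from AWS Secrets Manager using the AWS SDK for Java v1.
 */
public class AWSConfigurationService {

    // Use this code snippet in your app.
    // If you need more information about configurations or implementing the sample code, visit the AWS docs:
    // https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/java-dg-samples.html#prerequisites

    /**
     * Fetches the value of a secret with a single GetSecretValue call.
     *
     * <p>The returned string is the credential itself: do not log it, print it or put it in an
     * exception message. The caller's IAM identity needs {@code secretsmanager:GetSecretValue} on
     * this secret (plus {@code kms:Decrypt} when the secret uses a customer-managed KMS key);
     * scope that permission to the secrets the application actually reads.
     *
     * @param region     AWS region that holds the secret, e.g. {@code "us-east-1"}
     * @param secretName name or ARN of the secret
     * @return the secret string, or the binary secret decoded as UTF-8 text
     * @throws DecryptionFailureException    Secrets Manager can't decrypt the secret with the KMS key
     * @throws InternalServiceErrorException an error occurred on the server side
     * @throws InvalidParameterException     a parameter value is invalid
     * @throws InvalidRequestException       a parameter is not valid for the current state of the resource
     * @throws ResourceNotFoundException     the secret does not exist
     * @throws IllegalStateException         the response carries neither a string nor a binary value
     */
    public static String getSecret(String region, String secretName) {
        // Create a Secrets Manager client. A client is built and one billed API call is made on
        // every invocation, so callers should cache the result instead of calling this per use.
        AWSSecretsManager client = AWSSecretsManagerClientBuilder.standard().withRegion(region).build();

        // In this sample we only handle the specific exceptions for the 'GetSecretValue' API.
        // See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
        GetSecretValueRequest request = new GetSecretValueRequest().withSecretId(secretName);
        GetSecretValueResult result;
        try {
            result = client.getSecretValue(request);
        } catch (DecryptionFailureException
                | InternalServiceErrorException
                | InvalidParameterException
                | InvalidRequestException
                | ResourceNotFoundException e) {
            // Deal with the exception here, and/or rethrow at your discretion.
            // We rethrow by default; any other SDK exception propagates unchanged as well.
            throw e;
        }

        // Depending on whether the secret is a string or binary, one of these fields will be populated.
        String secretString = result.getSecretString();
        if (secretString != null) {
            return secretString;
        }

        ByteBuffer binary = result.getSecretBinary();
        if (binary == null) {
            throw new IllegalStateException("Secret has neither a string nor a binary value: " + secretName);
        }
        // NOTE(review): the sample Base64-decodes SecretBinary; the SDK may already hand back
        // decoded bytes, in which case this is a second decode - confirm against a binary secret.
        ByteBuffer decoded = Base64.getDecoder().decode(binary);
        // Copy only the readable bytes instead of exposing the whole backing array, and decode
        // with an explicit charset rather than the platform default.
        byte[] bytes = new byte[decoded.remaining()];
        decoded.get(bytes);
        return new String(bytes, StandardCharsets.UTF_8);
    }

    /**
     * Smoke test: fetches one secret and reports whether a value came back.
     */
    public static void main(String[] args) {
        String secretName = "prod/biometric/rds";
        String secret = getSecret("us-east-1", secretName);
        // The value is a production database credential, so only report that it was retrieved.
        // Anything written to stdout ends up in console history and collected application logs.
        System.out.println("Key: " + secretName + " retrieved: " + (secret != null && !secret.isEmpty()));
    }
}

// Output captured by the page author from the original version of main, which printed the
// secret value (the author masked the values by hand before publishing):
//
// 15:05:51.395 [main] DEBUG com.amazonaws.requestId - x-amzn-RequestId: d1d28152-5043-4dbc-8dd7-b6cc8d5dee92
// Key: prod/b***/rds value: {"username":"o***","password":"****","engine":"mysql","host":"*****.us-east-1.rds.amazonaws.com","port":3306,"dbname":"***","dbInstanceIdentifier":"o***"}
//
// The run above has DEBUG logging enabled for the SDK. If wire-level HTTP logging (for example
// the org.apache.http.wire logger) is raised to DEBUG, response bodies - including the secret -
// are written to the log; keep it off outside local debugging.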
Cost
$0.40/secret/month with $0.05 per 10k API calls (so cache retrieved secrets in the application instead of calling the API on every use)
Add an RDS username/password pair to AWS Secrets Manager
I currently store the RDS credentials in two environment variables set directly in the Elastic Beanstalk template.
see - AWS-8
AWS CLI access
The following code snippets are provided by AWS
Java
// Use this code snippet in your app. // If you need more information about configurations or implementing the sample code, visit the AWS docs: // https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/java-dg-samples.html#prerequisites public static void getSecret() { String secretName = "prod4_biometric_rds"; String region = "us-east-1"; // Create a Secrets Manager client AWSSecretsManager client = AWSSecretsManagerClientBuilder.standard() .withRegion(region) .build(); // In this sample we only handle the specific exceptions for the 'GetSecretValue' API. // See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html // We rethrow the exception by default. String secret, decodedBinarySecret; GetSecretValueRequest getSecretValueRequest = new GetSecretValueRequest() .withSecretId(secretName); GetSecretValueResult getSecretValueResult = null; try { getSecretValueResult = client.getSecretValue(getSecretValueRequest); } catch (DecryptionFailureException e) { // Secrets Manager can't decrypt the protected secret text using the provided KMS key. // Deal with the exception here, and/or rethrow at your discretion. throw e; } catch (InternalServiceErrorException e) { // An error occurred on the server side. // Deal with the exception here, and/or rethrow at your discretion. throw e; } catch (InvalidParameterException e) { // You provided an invalid value for a parameter. // Deal with the exception here, and/or rethrow at your discretion. throw e; } catch (InvalidRequestException e) { // You provided a parameter value that is not valid for the current state of the resource. // Deal with the exception here, and/or rethrow at your discretion. throw e; } catch (ResourceNotFoundException e) { // We can't find the resource that you asked for. // Deal with the exception here, and/or rethrow at your discretion. throw e; } // Decrypts secret using the associated KMS CMK. 
// Depending on whether the secret is a string or binary, one of these fields will be populated. if (getSecretValueResult.getSecretString() != null) { secret = getSecretValueResult.getSecretString(); } else { decodedBinarySecret = new String(Base64.getDecoder().decode(getSecretValueResult.getSecretBinary()).array()); } // Your code goes here. }
Javascript
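// Use this code snippet in your app.
// If you need more information about configurations or implementing the sample code, visit the AWS docs:
// https://aws.amazon.com/developers/getting-started/nodejs/

// Load the AWS SDK
var AWS = require('aws-sdk'),
    region = "us-east-1",
    secretName = "prod4_biometric_rds",
    secret,
    decodedBinarySecret;

// Create a Secrets Manager client
var client = new AWS.SecretsManager({
    region: region
});

// See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
client.getSecretValue({SecretId: secretName}, function(err, data) {
    if (err) {
        // Codes documented for GetSecretValue:
        //   DecryptionFailureException    - the KMS key can't decrypt the protected secret text
        //   InternalServiceErrorException - an error occurred on the server side
        //   InvalidParameterException     - invalid value for a parameter
        //   InvalidRequestException       - parameter not valid for the resource's current state
        //   ResourceNotFoundException     - the requested secret does not exist
        // Deal with the error here, and/or rethrow at your discretion. Every error is rethrown,
        // including codes not listed above, so a failed lookup can never fall through to the
        // code below with `secret` still undefined.
        throw err;
    }

    // Decrypts secret using the associated KMS CMK.
    // Depending on whether the secret is a string or binary, one of these fields will be populated.
    if ('SecretString' in data) {
        secret = data.SecretString;
    } else {
        // Buffer.from replaces the deprecated `new Buffer(...)` constructor.
        // NOTE(review): 'ascii' drops the high bit of each byte; confirm the binary secret is
        // plain ASCII text, or keep the Buffer as bytes.
        let buff = Buffer.from(data.SecretBinary, 'base64');
        decodedBinarySecret = buff.toString('ascii');
    }

    // Your code goes here. Treat `secret` / `decodedBinarySecret` as credentials: do not log them.
});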
Python 3
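# Use this code snippet in your app.
# If you need more information about configurations or implementing the sample code, visit the AWS docs:
# https://aws.amazon.com/developers/getting-started/python/

import boto3
import base64
from botocore.exceptions import ClientError


def get_secret():
    """Fetch the secret "prod4_biometric_rds" from Secrets Manager in us-east-1.

    The value is left in a local variable for the code that replaces the
    placeholder at the end; treat it as a credential and keep it out of logs.

    Raises:
        ClientError: any error returned by GetSecretValue is re-raised.
    """
    secret_name = "prod4_biometric_rds"
    region_name = "us-east-1"

    # Create a Secrets Manager client
    session = boto3.session.Session()
    client = session.client(
        service_name='secretsmanager',
        region_name=region_name
    )

    # See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
    try:
        get_secret_value_response = client.get_secret_value(
            SecretId=secret_name
        )
    except ClientError:
        # Codes documented for GetSecretValue (read e.response['Error']['Code'] to branch on them):
        #   DecryptionFailureException    - the KMS key can't decrypt the protected secret text
        #   InternalServiceErrorException - an error occurred on the server side
        #   InvalidParameterException     - invalid value for a parameter
        #   InvalidRequestException       - parameter not valid for the resource's current state
        #   ResourceNotFoundException     - the requested secret does not exist
        # Deal with the exception here, and/or rethrow at your discretion. Every code is
        # re-raised, including ones not listed above, so a failed lookup is never silently
        # ignored; the bare `raise` keeps the original traceback.
        raise

    # Decrypts secret using the associated KMS CMK.
    # Depending on whether the secret is a string or binary, one of these fields will be populated.
    if 'SecretString' in get_secret_value_response:
        secret = get_secret_value_response['SecretString']
    else:
        # NOTE(review): the SDK may already return SecretBinary as decoded bytes, which would
        # make this a second decode - confirm against a binary secret.
        decoded_binary_secret = base64.b64decode(get_secret_value_response['SecretBinary'])

    # Your code goes here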
Go
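// Use this code snippet in your app.
// If you need more information about configurations or implementing the sample code, visit the AWS docs:
// https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/setting-up.html

import (
	"github.com/aws/aws-sdk-go/service/secretsmanager"
	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/awserr"
	"github.com/aws/aws-sdk-go/aws/session"
	"encoding/base64"
	"fmt"
)

// getSecret fetches the secret "prod4_biometric_rds" from Secrets Manager in us-east-1.
// Errors are printed and the function returns early. The value is left in local variables for
// the code that replaces the placeholder at the end; treat it as a credential and do not print it.
func getSecret() {
	secretName := "prod4_biometric_rds"
	region := "us-east-1"

	// Create a Secrets Manager client bound to the region above. The original sample declared
	// region without using it, which the Go compiler rejects and which left the region to be
	// picked up from the environment.
	sess, err := session.NewSession()
	if err != nil {
		fmt.Println(err.Error())
		return
	}
	svc := secretsmanager.New(sess, aws.NewConfig().WithRegion(region))
	input := &secretsmanager.GetSecretValueInput{
		SecretId:     aws.String(secretName),
		VersionStage: aws.String("AWSCURRENT"), // VersionStage defaults to AWSCURRENT if unspecified
	}

	// In this sample we only handle the specific exceptions for the 'GetSecretValue' API.
	// See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
	result, err := svc.GetSecretValue(input)
	if err != nil {
		if aerr, ok := err.(awserr.Error); ok {
			switch aerr.Code() {
			case secretsmanager.ErrCodeDecryptionFailure:
				// Secrets Manager can't decrypt the protected secret text using the provided KMS key.
				fmt.Println(secretsmanager.ErrCodeDecryptionFailure, aerr.Error())
			case secretsmanager.ErrCodeInternalServiceError:
				// An error occurred on the server side.
				fmt.Println(secretsmanager.ErrCodeInternalServiceError, aerr.Error())
			case secretsmanager.ErrCodeInvalidParameterException:
				// You provided an invalid value for a parameter.
				fmt.Println(secretsmanager.ErrCodeInvalidParameterException, aerr.Error())
			case secretsmanager.ErrCodeInvalidRequestException:
				// You provided a parameter value that is not valid for the current state of the resource.
				fmt.Println(secretsmanager.ErrCodeInvalidRequestException, aerr.Error())
			case secretsmanager.ErrCodeResourceNotFoundException:
				// We can't find the resource that you asked for.
				fmt.Println(secretsmanager.ErrCodeResourceNotFoundException, aerr.Error())
			default:
				// Any other service error code is reported too instead of vanishing.
				fmt.Println(aerr.Error())
			}
		} else {
			// Print the error, cast err to awserr.Error to get the Code and
			// Message from an error.
			fmt.Println(err.Error())
		}
		return
	}

	// Decrypts secret using the associated KMS CMK.
	// Depending on whether the secret is a string or binary, one of these fields will be populated.
	var secretString, decodedBinarySecret string
	if result.SecretString != nil {
		secretString = *result.SecretString
	} else {
		// NOTE(review): the SDK may already return SecretBinary as decoded bytes, which would
		// make this a second decode - confirm against a binary secret.
		decodedBinarySecretBytes := make([]byte, base64.StdEncoding.DecodedLen(len(result.SecretBinary)))
		// n rather than len, so the builtin is not shadowed.
		n, err := base64.StdEncoding.Decode(decodedBinarySecretBytes, result.SecretBinary)
		if err != nil {
			fmt.Println("Base64 Decode Error:", err)
			return
		}
		decodedBinarySecret = string(decodedBinarySecretBytes[:n])
	}

	// Keeps the snippet compiling until the placeholder below uses the values.
	_, _ = secretString, decodedBinarySecret

	// Your code goes here.
}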
AWSConfigurationService
Adding maven dependencies to your project pom
see V2 of https://docs.aws.amazon.com/code-samples/latest/catalog/code-catalog-javav2.html via AWS Developer Guide#AWSSDK
// the following classes will resolve
import com.amazonaws.services.secretsmanager.AWSSecretsManager;
import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;
import com.amazonaws.services.secretsmanager.model.DecryptionFailureException;
import com.amazonaws.services.secretsmanager.model.GetSecretValueRequest;
import com.amazonaws.services.secretsmanager.model.GetSecretValueResult;
import com.amazonaws.services.secretsmanager.model.InternalServiceErrorException;
import com.amazonaws.services.secretsmanager.model.InvalidParameterException;
import com.amazonaws.services.secretsmanager.model.InvalidRequestException;
import com.amazonaws.services.secretsmanager.model.ResourceNotFoundException;

// with the following dependency

<!-- Version property referenced by the dependency below; it belongs inside the pom's <properties> element. -->
<!-- NOTE(review): this pins a specific SDK v1 release; check whether a newer release is available before reuse. -->
<aws-secrets-manager-version>1.11.339</aws-secrets-manager-version>

<!-- Secrets Manager module of the AWS SDK for Java v1; goes inside the pom's <dependencies> element. -->
<dependency>
  <groupId>com.amazonaws</groupId>
  <artifactId>aws-java-sdk-secretsmanager</artifactId>
  <version>${aws-secrets-manager-version}</version>
</dependency>