Package org.forgerock.secrets.gcpkms

Class GoogleKmsSecretStore.Builder

    • Constructor Detail

      • Builder

        public Builder()

    • Method Detail

      • credentialsProvider

        public GoogleKmsSecretStore.Builder credentialsProvider​(com.google.api.gax.core.CredentialsProvider credentialsProvider)
        Set the provider for credentials for the connection to GCP. See javadoc on credentials(Credentials) for details on the available options.
        Parameters:
        credentialsProvider - the credentials provider.
        Returns:
        this builder.

      • credentials

        public GoogleKmsSecretStore.Builder credentials​(com.google.auth.Credentials credentials)
        Sets the fixed credentials to use for the connection to GCP. In most cases, using GoogleCredentials.getApplicationDefault() (or GoogleCredentials.getApplicationDefault(HttpTransportFactory) making use of ChfHttpTransport) is the right option as this will automatically pick up GCP credentials in many cases. If you need to manually specify credentials you can obtain these from the GCP Console and then either use ServiceAccountCredentials or else the Secrets API can also be used to obtain credentials by using the SecretsApiBearerTokenCredentials (the latter allows the credentials to be rotated without recreating the secret store).
        Parameters:
        credentials - the credentials.
        Returns:
        this builder.

      • clock

        public GoogleKmsSecretStore.Builder clock​(Clock clock)
        Sets the clock to use for determining how long keys should be cached for.
        Parameters:
        clock - the clock.
        Returns:
        this builder.

      • keyRing

        public GoogleKmsSecretStore.Builder keyRing​(com.google.cloud.kms.v1.KeyRingName keyRing)
        Sets the keyring to use as the basis for this secret store.
        Parameters:
        keyRing - the KMS keyring.
        Returns:
        this builder.

      • keyRing

        public GoogleKmsSecretStore.Builder keyRing​(String keyRing)
        Sets the name of a keyring to use as a basis for this secret store. The name must be fully-qualified and valid according to the syntax given by KeyRingName.
        Parameters:
        keyRing - the key ring name.
        Returns:
        this builder.
        Throws:
        com.google.api.pathtemplate.ValidationException - if the name is invalid.

      • keyRing

        public GoogleKmsSecretStore.Builder keyRing​(String project,
                                            String location,
                                            String keyRing)
        Sets the key ring based on the given project, location, and key ring names.
        Parameters:
        project - the project.
        location - the location.
        keyRing - the key ring name.
        Returns:
        this builder.

      • cryptoKeyMapping

        public GoogleKmsSecretStore.Builder cryptoKeyMapping​(Function<Purpose<? extends CryptoKey>,​String> cryptoKeyMapping)
        Sets the mapping from purposes to crypto key names in KMS. When looking for active or valid keys, this mapping is used to determine the key for that purpose.
        Parameters:
        cryptoKeyMapping - the mapping from purpose to KMS key.
        Returns:
        this builder.

      • cryptoKeyMapping

        public GoogleKmsSecretStore.Builder cryptoKeyMapping​(Map<Purpose<? extends CryptoKey>,​String> mapping)
        Sets the mapping from purposes to crypto key names in KMS. When looking for active or valid keys, this mapping is used to determine the key for that purpose.
        Parameters:
        mapping - the mapping from purpose to KMS key.
        Returns:
        this builder.

      • publicKeyCacheMaxSize

        public GoogleKmsSecretStore.Builder publicKeyCacheMaxSize​(long publicKeyCacheMaxSize)
        The maximum size of the cache for public keys retrieved from the KMS. Defaults to 1000.
        Parameters:
        publicKeyCacheMaxSize - the maximum size of the public key cache.
        Returns:
        this builder.

      • publicKeyCacheDuration

        public GoogleKmsSecretStore.Builder publicKeyCacheDuration​(Duration publicKeyCacheDuration)
        The amount of time to cache public keys retrieved from the KMS. A longer duration reduces the number of API calls to the KMS to retrieve public keys (these calls are billable), but increases the time during which a disabled key will still be accepted as valid. Defaults to 1 hour. Note that public keys are cached per secret store instance and the secret stores are per server, so if you have 10 servers then there will still be 10 calls per hour to fetch the public key (one from each server).
        Parameters:
        publicKeyCacheDuration - the duration to cache public keys for.
        Returns:
        this builder.

      • cryptoKeyCacheMaxSize

        public GoogleKmsSecretStore.Builder cryptoKeyCacheMaxSize​(long cryptoKeyCacheMaxSize)
        The maximum size of the cache for crypto keys retrieved from the KMS. Defaults to 1000.
        Parameters:
        cryptoKeyCacheMaxSize - the maximum size of the crypto key cache.
        Returns:
        this builder.

      • cryptoKeyCacheDuration

        public GoogleKmsSecretStore.Builder cryptoKeyCacheDuration​(Duration cryptoKeyCacheDuration)
        The amount of time to cache crypto keys retrieved from the KMS. Defaults to 1 hour. Note that crypto keys are cached per secret store instance and the secret stores are per server, so if you have 10 servers then there will still be 10 calls per hour to fetch the crypto key (one from each server).
        Parameters:
        cryptoKeyCacheDuration - the duration to cache crypto keys for.
        Returns:
        this builder.

      • cryptoKeyVersionCacheMaxSize

        public GoogleKmsSecretStore.Builder cryptoKeyVersionCacheMaxSize​(long cryptoKeyVersionCacheMaxSize)
        The maximum size of the cache for crypto key versions retrieved from the KMS. Defaults to 1000.
        Parameters:
        cryptoKeyVersionCacheMaxSize - the maximum size of the crypto key version cache.
        Returns:
        this builder.

      • cryptoKeyVersionCacheDuration

        public GoogleKmsSecretStore.Builder cryptoKeyVersionCacheDuration​(Duration cryptoKeyVersionCacheDuration)
        The amount of time to cache crypto key versions retrieved from the KMS. Defaults to 1 hour. Note that crypto key versions are cached per secret store instance and the secret stores are per server, so if you have 10 servers then there will still be 10 calls per hour to fetch the crypto key version (one from each server).
        Parameters:
        cryptoKeyVersionCacheDuration - the duration to cache crypto key versions for.
        Returns:
        this builder.