Class GoogleSecretManagerSecretStore.Builder

    • Constructor Detail

      • Builder

        public Builder()
    • Method Detail

      • credentialsProvider

        public GoogleSecretManagerSecretStore.Builder credentialsProvider(com.google.api.gax.core.CredentialsProvider credentialsProvider)
        Sets the provider of credentials for the connection to GCP. See the javadoc on credentials(Credentials) for details on the available options.
        Parameters:
        credentialsProvider - the credentials provider.
        Returns:
        this builder.
      • credentials

        public GoogleSecretManagerSecretStore.Builder credentials(com.google.auth.Credentials credentials)
        Sets the fixed credentials to use for the connection to GCP. In most cases, GoogleCredentials.getApplicationDefault() (or GoogleCredentials.getApplicationDefault(com.google.auth.http.HttpTransportFactory), making use of ChfHttpTransport from the secrets-backend-gcpkms Maven module) is the right option, as it automatically picks up GCP credentials in many cases. If you need to specify credentials manually, you can obtain them from the GCP Console and then use ServiceAccountCredentials. Alternatively, the Secrets API can supply the credentials through SecretsApiBearerTokenCredentials (from secrets-backend-gcpkms), which allows the credentials to be rotated without recreating the secret store.
        Parameters:
        credentials - the credentials.
        Returns:
        this builder.
      • project

        public GoogleSecretManagerSecretStore.Builder project(String projectName)
        Specifies the GCP project name that contains the secrets.
        Parameters:
        projectName - the name of the GCP project.
        Returns:
        this builder object.
      • expiryDuration

        public GoogleSecretManagerSecretStore.Builder expiryDuration(Duration duration)
        Specifies how long clients can cache secrets retrieved from Secret Manager. Defaults to 30 minutes.
        Parameters:
        duration - the maximum amount of time that clients can cache secrets for.
        Returns:
        this builder object.
      • purposeMapping

        public GoogleSecretManagerSecretStore.Builder purposeMapping(Function<Purpose<?>,String> purposeMapping)
        Specifies the GCP secret name to use for the given purpose. The default mapping uses the label of the purpose as the secret name, with all periods replaced with hyphens.

        Note: the secret names returned by the mapping must conform to the allowed syntax for GCP secret names. (At the time of writing, this is [0-9a-zA-Z_-]{1,255}.)

        Parameters:
        purposeMapping - the purpose mapping function.
        Returns:
        this builder object.
      • purposeMapping

        public GoogleSecretManagerSecretStore.Builder purposeMapping(Map<Purpose<?>,String> purposeMapping)
        Specifies the GCP secret name to use for the given purpose. The default mapping uses the label of the purpose as the secret name, with all periods replaced with hyphens.

        Note: the secret names returned by the mapping must conform to the allowed syntax for GCP secret names. (At the time of writing, this is [0-9a-zA-Z_-]{1,255}.)

        Parameters:
        purposeMapping - the purpose mapping.
        Returns:
        this builder object.
      • formatMapping

        public GoogleSecretManagerSecretStore.Builder formatMapping(Function<Purpose<?>,Optional<SecretDecoder>> formatMapping)
        Specifies a SecretDecoder to use to decode data returned by Secret Manager. By default, the bytes returned from Secret Manager are used as the raw data of the secret. When a property format is specified for a given purpose, the data returned by Secret Manager is decoded with the given decoder. Return Optional.empty() from the mapping to indicate that the default (raw) processing should be used.
        Parameters:
        formatMapping - a mapping that determines the format of secret data.
        Returns:
        this builder object.
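
A pre-flight check for the purposeMapping overloads above, as an added example that is not part of this library: it applies the documented default rule (periods become hyphens) to plain purpose label strings and validates each result against the [0-9a-zA-Z_-]{1,255} syntax. It goes one step beyond the note by also rejecting two labels that collapse onto the same secret name, since both purposes would then read the same secret. The class name, method names and sample labels are hypothetical, and wiring the result into the builder is left out.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/** Added example: pre-computes and checks GCP secret names for purpose labels. */
public class SecretNameMappingCheck {
    // Allowed syntax as quoted in the purposeMapping note.
    private static final Pattern GCP_SECRET_NAME = Pattern.compile("[0-9a-zA-Z_-]{1,255}");

    // Same rule as the documented default mapping: periods become hyphens.
    static String defaultSecretName(String purposeLabel) {
        return purposeLabel.replace('.', '-');
    }

    // Maps each label to a secret name; rejects names that violate the syntax
    // and labels that collapse onto a name already taken by a different label.
    static Map<String, String> buildMapping(List<String> purposeLabels) {
        Map<String, String> labelToName = new LinkedHashMap<>();
        Map<String, String> nameToLabel = new LinkedHashMap<>();
        for (String label : purposeLabels) {
            String name = defaultSecretName(label);
            if (!GCP_SECRET_NAME.matcher(name).matches()) {
                throw new IllegalArgumentException(
                        "Label '" + label + "' maps to invalid secret name '" + name + "'");
            }
            String clash = nameToLabel.putIfAbsent(name, label);
            if (clash != null && !clash.equals(label)) {
                throw new IllegalArgumentException(
                        "Labels '" + clash + "' and '" + label + "' both map to '" + name + "'");
            }
            labelToName.put(label, name);
        }
        return labelToName;
    }

    public static void main(String[] args) {
        // Constructed sample labels, not taken from any real deployment.
        System.out.println(buildMapping(List.of("example.token.signing", "idp_token-key")));
        for (List<String> bad : List.of(
                List.of("tenant/a.signing"),                // '/' is outside the allowed set
                List.of("a.b.signing", "a-b.signing"))) {   // both collapse to a-b-signing
            try {
                buildMapping(bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```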