Class GoogleSecretManagerSecretStore.Builder

java.lang.Object
org.forgerock.secrets.gcp.sm.GoogleSecretManagerSecretStore.Builder
Enclosing class:
GoogleSecretManagerSecretStore

public static class GoogleSecretManagerSecretStore.Builder extends Object
A builder class for configuring an instance of the GoogleSecretManagerSecretStore. The project name and clock must be specified.
  • Constructor Details

    • Builder

      public Builder()
  • Method Details

    • credentialsProvider

      public GoogleSecretManagerSecretStore.Builder credentialsProvider(com.google.api.gax.core.CredentialsProvider credentialsProvider)
Sets the provider of credentials for the connection to GCP. Use this rather than credentials(Credentials) when the credentials must be refreshed or rotated while the store is running. See the javadoc on credentials(Credentials) for the available options.
      Parameters:
      credentialsProvider - the credentials provider.
      Returns:
      this builder.
    • credentials

      public GoogleSecretManagerSecretStore.Builder credentials(com.google.auth.Credentials credentials)
Sets the fixed credentials to use for the connection to GCP. In most cases GoogleCredentials.getApplicationDefault() (or GoogleCredentials.getApplicationDefault(com.google.auth.http.HttpTransportFactory) with the ChfHttpTransport from the secrets-backend-gcpkms maven module) is the right choice, as it automatically picks up GCP credentials in most deployment environments. If you need to specify credentials manually, obtain a service account key from the GCP Console and use ServiceAccountCredentials, or use SecretsApiBearerTokenCredentials (also from secrets-backend-gcpkms) to obtain the bearer token through the Secrets API; the latter allows the credentials to be rotated without recreating the secret store.
      Parameters:
      credentials - the credentials.
      Returns:
      this builder.
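The three ways of supplying credentials described above, as an added example that is not part of the page or the library. It assumes the google-auth-library and gax classes named in the javadoc (GoogleCredentials, ServiceAccountCredentials, FixedCredentialsProvider); the key file path is a placeholder.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;

import com.google.api.gax.core.CredentialsProvider;
import com.google.api.gax.core.FixedCredentialsProvider;
import com.google.auth.Credentials;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.ServiceAccountCredentials;
import org.forgerock.secrets.gcp.sm.GoogleSecretManagerSecretStore;

/** Added example (not library code): supplying GCP credentials to the builder. */
public final class GcpCredentialsExamples {

    private GcpCredentialsExamples() {
    }

    /**
     * Option 1 (preferred): Application Default Credentials. The Java library looks at
     * the GOOGLE_APPLICATION_CREDENTIALS key file, then gcloud user credentials, then the
     * metadata server of the VM or pod, so no key material has to be shipped with the app.
     */
    static GoogleSecretManagerSecretStore.Builder withApplicationDefault(
            GoogleSecretManagerSecretStore.Builder builder) throws IOException {
        return builder.credentials(GoogleCredentials.getApplicationDefault());
    }

    /**
     * Option 2: a fixed service-account key downloaded from the GCP Console.
     * The JSON key is a long-lived bearer credential: keep it out of the container image
     * and out of source control, and prefer an attached service account where possible.
     */
    static GoogleSecretManagerSecretStore.Builder withServiceAccountKey(
            GoogleSecretManagerSecretStore.Builder builder, String keyFilePath) throws IOException {
        try (InputStream in = new FileInputStream(keyFilePath)) {
            Credentials creds = ServiceAccountCredentials.fromStream(in);
            return builder.credentials(creds);
        }
    }

    /**
     * Option 3: a CredentialsProvider. FixedCredentialsProvider wraps an unchanging
     * Credentials object; a custom CredentialsProvider implementation can return fresh
     * credentials on each call, which is what you want when credentials are rotated
     * while the store is in use.
     */
    static GoogleSecretManagerSecretStore.Builder withProvider(
            GoogleSecretManagerSecretStore.Builder builder, Credentials creds) {
        CredentialsProvider provider = FixedCredentialsProvider.create(creds);
        return builder.credentialsProvider(provider);
    }
}
```

Whichever option is used, the service account behind the credentials only needs the Secret Manager accessor role on the specific secrets the purposes map to; granting it project-wide access widens the blast radius of a leaked credential for no benefit.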
    • project

      public GoogleSecretManagerSecretStore.Builder project(String projectName)
      Specifies the GCP project name that contains the secrets.
      Parameters:
      projectName - the name of the GCP project.
      Returns:
      this builder object.
    • clock

Specifies the clock used to determine when cached secrets expire (see expiryDuration(Duration)). A fixed or offset clock is useful in tests; production code should use the system clock.
      Parameters:
      clock - the clock.
      Returns:
      this builder object.
    • expiryDuration

      public GoogleSecretManagerSecretStore.Builder expiryDuration(Duration duration)
Specifies how long clients may cache secrets retrieved from Secret Manager. Defaults to 30 minutes. A shorter duration bounds how long a rotated or revoked secret can still be served from a client cache; a longer one reduces the number of Secret Manager API calls.
      Parameters:
duration - the maximum amount of time that clients may cache secrets.
      Returns:
      this builder object.
    • purposeMapping

      public GoogleSecretManagerSecretStore.Builder purposeMapping(Function<Purpose<?>,String> purposeMapping)
      Specifies the GCP secret name to use for the given purpose. The default mapping uses the label of the purpose as the secret name, with all periods replaced with hyphens.

      Note: the secret names returned by the mapping must conform to the allowed syntax for GCP secret names. (At the time of writing, this is [0-9a-zA-Z_-]{1,255}).

      Parameters:
      purposeMapping - the purpose mapping function.
      Returns:
      this builder object.
    • purposeMapping

      public GoogleSecretManagerSecretStore.Builder purposeMapping(Map<Purpose<?>,String> purposeMapping)
      Specifies the GCP secret name to use for the given purpose. The default mapping uses the label of the purpose as the secret name, with all periods replaced with hyphens.

      Note: the secret names returned by the mapping must conform to the allowed syntax for GCP secret names. (At the time of writing, this is [0-9a-zA-Z_-]{1,255}).

      Parameters:
      purposeMapping - the purpose mapping.
      Returns:
      this builder object.
    • formatMapping

Specifies a SecretDecoder to use to decode data returned by Secret Manager. By default the bytes returned from Secret Manager are used as the raw data of the secret. When a format is specified for a given purpose, the data returned by Secret Manager is decoded with the given decoder. Return Optional.empty() from the mapping to indicate that the default (raw) processing should be used for that purpose.
      Parameters:
      formatMapping - a mapping that determines the format of secret data.
      Returns:
      this builder object.
    • build

public GoogleSecretManagerSecretStore build()
      Builds the GoogleSecretManagerSecretStore based on the current configuration of the builder.
      Returns:
      the constructed secret store.
      Throws:
IllegalArgumentException - if any configuration options are missing or incorrect (for example, if no project name or clock has been specified).
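A complete builder configuration, covering the purpose-mapping and build steps above, as an added example that is not part of the page or the library. It assumes that clock(...) takes a java.time.Clock, that Purpose.purpose(String, Class) and Purpose.getLabel() from org.forgerock.secrets exist as in the ForgeRock secrets API, and that the two purposes and the project name are placeholders. The mapping validator reproduces the documented default (periods replaced with hyphens) and checks every name against the secret-ID syntax quoted in the javadoc so that a bad name fails at lookup time rather than as an opaque error from the GCP API.

```java
import java.io.IOException;
import java.time.Clock;
import java.time.Duration;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;
import java.util.regex.Pattern;

import com.google.auth.oauth2.GoogleCredentials;
import org.forgerock.secrets.GenericSecret;
import org.forgerock.secrets.Purpose;
import org.forgerock.secrets.gcp.sm.GoogleSecretManagerSecretStore;

/** Added example (not library code): building a GoogleSecretManagerSecretStore. */
public final class GcpSecretStoreConfig {

    // Allowed syntax for GCP secret IDs, as quoted in the builder javadoc.
    private static final Pattern SECRET_ID = Pattern.compile("[0-9a-zA-Z_-]{1,255}");

    // Hypothetical purposes for this example (assumed Purpose.purpose factory).
    static final Purpose<GenericSecret> DB_PASSWORD =
            Purpose.purpose("db.password", GenericSecret.class);
    static final Purpose<GenericSecret> API_KEY =
            Purpose.purpose("external.api.key", GenericSecret.class);

    private GcpSecretStoreConfig() {
    }

    /** Reproduces the documented default mapping: the purpose label with '.' replaced by '-'. */
    static String defaultSecretName(Purpose<?> purpose) {
        return purpose.getLabel().replace('.', '-');
    }

    /**
     * Wraps a mapping so that a name outside the GCP secret-ID syntax is rejected
     * with a clear message instead of surfacing as an API error at fetch time.
     */
    static Function<Purpose<?>, String> validated(Function<Purpose<?>, String> mapping) {
        return purpose -> {
            String name = mapping.apply(purpose);
            if (name == null || !SECRET_ID.matcher(name).matches()) {
                throw new IllegalArgumentException("Secret name '" + name + "' for purpose '"
                        + purpose.getLabel() + "' does not match " + SECRET_ID.pattern());
            }
            return name;
        };
    }

    /** Builds the store: explicit names for some purposes, the default rule for the rest. */
    static GoogleSecretManagerSecretStore build(String project) throws IOException {
        Map<Purpose<?>, String> explicit = new HashMap<>();
        explicit.put(DB_PASSWORD, "prod-db-password"); // explicit override for one purpose
        Function<Purpose<?>, String> mapping =
                validated(p -> explicit.getOrDefault(p, defaultSecretName(p)));

        return new GoogleSecretManagerSecretStore.Builder()
                .project(project)                       // required
                .clock(Clock.systemUTC())               // required; assumed java.time.Clock
                .credentials(GoogleCredentials.getApplicationDefault())
                .expiryDuration(Duration.ofMinutes(5))  // shorter than the 30-minute default
                .purposeMapping(mapping)
                .build();                               // IllegalArgumentException if misconfigured
    }
}
```

With this configuration DB_PASSWORD resolves to the secret "prod-db-password" and API_KEY falls through to the default rule and resolves to "external-api-key". The five-minute expiry means a rotated secret is picked up within five minutes of the new version becoming available, at the cost of more frequent Secret Manager calls; choose the value against your rotation interval rather than leaving the default unexamined.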