Class JwtAuthenticationTokenStore

java.lang.Object
org.forgerock.secrets.vault.JwtAuthenticationTokenStore
All Implemented Interfaces:
SecretStore<GenericSecret>

public final class JwtAuthenticationTokenStore extends Object
A secret store that authenticates to Vault using a JWT. This can be used with either the Vault JWT/OIDC authentication backend (making use of the SignedJwtSecretStore) or the Kubernetes authentication backend, in which case the JWT is the Kubernetes service account token read from the filesystem using the PropertyResolverSecretStore.
  • Method Details

    • createTokenReference

      public static SecretReference<GenericSecret> createTokenReference(String role, SecretReference<GenericSecret> secretReference, VaultConfig config)
      Returns a SecretReference that will obtain a Vault login token by logging in with the given JWT.
      Parameters:
      role - the role to log in as.
      secretReference - a reference to obtain a JWT for logging in.
      config - the configuration options. See VaultConfig.
      Returns:
      a secret reference that will obtain a Vault login token using JWT or Kubernetes service account authentication.
    • getStoredType

      public Class<GenericSecret> getStoredType()
      Description copied from interface: SecretStore
      The top-level class that this store is capable of storing. This is a reification of the type parameter and can be used to look up stores for a given type.
      Specified by:
      getStoredType in interface SecretStore<GenericSecret>
      Returns:
      the top-most type that this store is capable of storing, typically either CryptoKey for key-stores, GenericSecret for password stores, or Secret if the store is capable of storing any type of secret.
    • getActive

      public <S extends GenericSecret> Promise<S,NoSuchSecretException> getActive(Purpose<S> purpose)
      Description copied from interface: SecretStore
      Returns the active secret for the given purpose.
      Specified by:
      getActive in interface SecretStore<GenericSecret>
      Type Parameters:
      S - the type of secret.
      Parameters:
      purpose - the purpose for which a secret is required.
      Returns:
      the active secret from this store.
    • getNamed

      public <S extends GenericSecret> Promise<S,NoSuchSecretException> getNamed(Purpose<S> purpose, String name)
      Description copied from interface: SecretStore
      Returns the named secret from this store. The default implementation calls SecretStore.getValid(Purpose) and then returns the first valid key with a matching stable ID.
      Specified by:
      getNamed in interface SecretStore<GenericSecret>
      Type Parameters:
      S - the type of secret.
      Parameters:
      purpose - the secret purpose.
      name - the name (stable id) of the secret.
      Returns:
      a promise for the named secret, or a NoSuchSecretException promise if no such secret exists.
    • getValid

      public <S extends GenericSecret> Promise<Stream<S>,NeverThrowsException> getValid(Purpose<S> purpose)
      Description copied from interface: SecretStore
      Returns all valid secrets for the given purpose from this store.
      Specified by:
      getValid in interface SecretStore<GenericSecret>
      Type Parameters:
      S - the type of secret.
      Parameters:
      purpose - the purpose.
      Returns:
      a stream of all valid secrets of the given type from this store, or an empty stream if none exist.
    • refresh

      public void refresh()
      Description copied from interface: SecretStore
      Indicates that the store should refresh its secrets from the backing storage mechanism. This can be used to cause a reload of a store after a secret rotation if the backend does not automatically detect such changes. Refresh may be an asynchronous operation, and no guarantees are made about when clients of this secret store will see updated secrets after a call to refresh.
      Specified by:
      refresh in interface SecretStore<GenericSecret>