Interface GoogleSecretManagerSecretStoreProvider

All Superinterfaces:
BaseSecretStoreProvider, LockedSecretStoreProvider, org.forgerock.openam.secrets.SecretStoreWithMappings

@EvolvingAll
public interface GoogleSecretManagerSecretStoreProvider extends LockedSecretStoreProvider, org.forgerock.openam.secrets.SecretStoreWithMappings

Provides support for fetching secrets from Google Secret Manager.
  • Field Details

    • logger

      static final org.slf4j.Logger logger
  • Method Details

    • id

      String id()
      Get the sub-configuration identifier for this secret store instance.
      Specified by:
      id in interface BaseSecretStoreProvider
      Returns:
      The identifier.
    • project

      String project()
      The Google Cloud Platform project that the instance of Secret Manager lives in.
      Returns:
      the GCP project to look for the Secret Manager instance in.
    • serviceAccount

      default String serviceAccount()
      The GCP service account to use for accessing the Secret Manager. Alternative service accounts can be configured in the global GoogleCloudServiceAccountService.
      Returns:
      the name of the service account to use.
    • secretFormat

      default PropertyFormat secretFormat()
      The format of the secret data to use when decoding the secret value.
      Returns:
      the property format to use.
    • expiryDurationSeconds

      default long expiryDurationSeconds()
      The amount of time in seconds to allow secret values to be cached before re-fetching them from Google Secret Manager (GSM).
      Returns:
      the amount of time in seconds before a secret value expires.
    • mappings

      Maps Purpose labels to Google Secret Manager secret names. The mapping may include a {{realm}} placeholder, which will be replaced with the path of the current realm. This allows the same mapping to be used to map different secrets in different realms.
      Returns:
      the purpose mapping.
    • getStore

      default SecretStore<? extends Secret> getStore(SecretStoreContext context, SecretsReferenceProvider secretsReferenceProvider) throws SecretException
      Description copied from interface: LockedSecretStoreProvider
      Get the commons SecretStore instance for this instance.
      Specified by:
      getStore in interface LockedSecretStoreProvider
      Parameters:
      context - The context in which the store is being created.
      secretsReferenceProvider - A provider of secret references that can be used to obtain secrets that are needed to unlock the SecretStore.
      Returns:
      The instance.
      Throws:
      SecretException - If the store cannot be constructed for some reason.