Base64EncodedSecretStore
Manage a repository of generic secrets, such as passwords or simple shared secrets, whose values are base64-encoded, and hard-coded in the route.
This Secret store can only manage the GenericSecret type.
The secrets provider queries the Base64EncodedSecretStore for a named secret,
identified by the secret-id
in the "secret-id": "string"
pair. The
Base64EncodedSecretStore returns the matching secret.
The secrets provider builds the secret, checking that the secret’s constraints are met, and returns a unique secret. If the secret’s constraints are not met, the secrets provider cannot build the secret and the secret query fails.
Secrets from Base64EncodedSecretStore never expire.
Use Base64EncodedSecretStore for testing or evaluation only, to store passwords locally. In production, use an alternative secret store. |
For a description of how secrets are managed, refer to About secrets
Usage
{
"name": string,
"type": "Base64EncodedSecretStore",
"config": {
"secrets": map or configuration expression<map>
}
}
Properties
"secrets"
: map or configuration expression<map>, required-
Map of one or more data pairs with the format
Map<String, String>
, where:-
The key is the ID of a secret used in a route
-
The value is the base64-encoded value of a secret, or a configuration expression that evaluates to the base64-encoded value of a secret
The following formats are allowed:
{ "secrets": { "secret-id": "configuration expression<string>", ... } }
{ "secrets": "configuration expression<map>" }
In the following example, the property is a map whose values are provided by strings:
{ "type": "Base64EncodedSecretStore", "config": { "secrets": { "agent.password": "d2VsY29tZQ==", "crypto.header.key": "Y2hhbmdlaXQ=" } } }
In the following example, the property is a map whose values are provided by a configuration token and a configuration expression. The values are substituted when the route is loaded:
{ "type": "Base64EncodedSecretStore", "config": { "secrets": { "agent.password": "&{secret.value|aGVsbG8=}", "crypto.header.key": "${readProperties('file.property')['b64.key.value']}" } } }
-
Log level
To facilitate debugging secrets for the Base64EncodedSecretStore, in
logback.xml
add a logger defined by the fully qualified package name
of the Base64EncodedSecretStore. The following line in logback.xml
sets the log level to ALL
:
<logger name="org.forgerock.openig.secrets.Base64EncodedSecretStore" level="ALL">
Example
For an example that uses Base64EncodedSecretStore, refer to client-credentials.json
in
Using OAuth 2.0 client credentials.