aws-sdk-java-v2-secrets-manager
AWS SDK for Java 2.x - AWS Secrets Manager
When to Use
Use this skill when:
- Storing and retrieving application secrets programmatically
- Managing database credentials securely without hardcoding
- Implementing automatic secret rotation with Lambda functions
- Integrating AWS Secrets Manager with Spring Boot applications
- Setting up secret caching for improved performance
- Creating secure configuration management systems
- Working with multi-region secret deployments
- Implementing audit logging for secret access
Dependencies
Maven
```xml
<!-- Version is supplied by the software.amazon.awssdk:bom import in dependencyManagement -->
<dependency>
    <groupId>software.amazon.awssdk</groupId>
    <artifactId>secretsmanager</artifactId>
</dependency>
<!-- For secret caching (recommended for production); the 2.x line is the SDK v2 compatible version -->
<dependency>
    <groupId>com.amazonaws.secretsmanager</groupId>
    <artifactId>aws-secretsmanager-caching-java</artifactId>
    <version>2.0.0</version>
</dependency>
```
Gradle
```gradle
implementation 'software.amazon.awssdk:secretsmanager'
// For secret caching (recommended for production); the 2.x line is the SDK v2 compatible version
implementation 'com.amazonaws.secretsmanager:aws-secretsmanager-caching-java:2.0.0'
```
Quick Start
Basic Client Setup
```java
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;

// Credentials come from the default provider chain (environment, profile, instance or task role)
SecretsManagerClient secretsClient = SecretsManagerClient.builder()
    .region(Region.US_EAST_1)
    .build();
```
Store a Secret
```java
import software.amazon.awssdk.services.secretsmanager.model.*;

public String createSecret(String secretName, String secretValue) {
    CreateSecretRequest request = CreateSecretRequest.builder()
        .name(secretName)
        .secretString(secretValue) // plain text or a JSON document of key/value pairs
        .build();
    CreateSecretResponse response = secretsClient.createSecret(request);
    return response.arn();
}
```
Retrieve a Secret
```java
public String getSecretValue(String secretName) {
    GetSecretValueRequest request = GetSecretValueRequest.builder()
        .secretId(secretName) // name or ARN; returns the AWSCURRENT version unless a stage or version id is given
        .build();
    GetSecretValueResponse response = secretsClient.getSecretValue(request);
    return response.secretString();
}
```
Core Operations
Secret Management
- Create secrets with createSecret()
- Retrieve secrets with getSecretValue()
- Update secrets with updateSecret()
- Delete secrets with deleteSecret()
- List secrets with listSecrets()
- Restore deleted secrets with restoreSecret()
Secret Versioning
- Access specific versions by versionId
- Access versions by stage (e.g., "AWSCURRENT", "AWSPENDING")
- Automatically manage version history
Secret Rotation
- Configure automatic rotation schedules
- Lambda-based rotation functions
- Immediate rotation with rotateSecret()
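An added example (not part of the original skill document) showing the versioning and rotation calls above working together: reading a value by staging label, listing which labels sit on which version, and turning on scheduled rotation. The secret name and the rotation Lambda ARN passed in are assumptions; the Lambda must already exist and implement the rotation steps.

```java
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
import software.amazon.awssdk.services.secretsmanager.model.ListSecretVersionIdsRequest;
import software.amazon.awssdk.services.secretsmanager.model.RotateSecretRequest;
import software.amazon.awssdk.services.secretsmanager.model.RotationRulesType;
import software.amazon.awssdk.services.secretsmanager.model.SecretVersionsListEntry;

public class SecretVersions {
    private final SecretsManagerClient client;

    public SecretVersions(SecretsManagerClient client) {
        this.client = client;
    }

    // Read the value behind a staging label. Application code reads AWSCURRENT (the default when
    // no stage is given); AWSPENDING only carries a value while a rotation is in flight.
    public String getByStage(String secretId, String stage) {
        return client.getSecretValue(GetSecretValueRequest.builder()
                .secretId(secretId)
                .versionStage(stage)
                .build()).secretString();
    }

    // versionId -> staging labels. A healthy secret has exactly one AWSCURRENT and, after a
    // completed rotation, one AWSPREVIOUS; a lingering AWSPENDING means a rotation failed midway.
    public Map<String, List<String>> stagesByVersion(String secretId) {
        return client.listSecretVersionIds(ListSecretVersionIdsRequest.builder()
                .secretId(secretId)
                .build())
            .versions().stream()
            .collect(Collectors.toMap(SecretVersionsListEntry::versionId,
                                      SecretVersionsListEntry::versionStages));
    }

    // Attach the rotation Lambda (assumed to exist) and rotate every 30 days. By default the call
    // also starts one rotation right away, creating an AWSPENDING version for the Lambda to fill.
    public String enableRotation(String secretId, String rotationLambdaArn) {
        return client.rotateSecret(RotateSecretRequest.builder()
                .secretId(secretId)
                .rotationLambdaARN(rotationLambdaArn)
                .rotationRules(RotationRulesType.builder().automaticallyAfterDays(30L).build())
                .build()).versionId();
    }
}
```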
Caching for Performance
Setup Cache
```java
import com.amazonaws.secretsmanager.caching.SecretCache;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;

public class CachedSecrets {
    private final SecretCache cache;

    public CachedSecrets(SecretsManagerClient secretsClient) {
        this.cache = new SecretCache(secretsClient); // in-memory cache with the default TTL (1 hour)
    }

    public String getCachedSecret(String secretName) {
        return cache.getSecretString(secretName); // at most one GetSecretValue call per secret per TTL window
    }
}
```
Cache Configuration
```java
import com.amazonaws.secretsmanager.caching.SecretCache;
import com.amazonaws.secretsmanager.caching.SecretCacheConfiguration;

// SecretCacheConfiguration is configured through its with*() setters; the TTL is in milliseconds.
// A shorter TTL means rotated values are picked up sooner at the cost of more API calls.
SecretCacheConfiguration config = new SecretCacheConfiguration()
    .withClient(secretsClient)
    .withMaxCacheSize(1000)
    .withCacheItemTTL(3600000L); // 1 hour
SecretCache cache = new SecretCache(config);
```
Spring Boot Integration
Configuration
```java
@Configuration
public class SecretsManagerConfiguration {
    // Assumed property, e.g. aws.region=us-east-1 in application.properties
    @Value("${aws.region}")
    private String region;

    @Bean
    public SecretsManagerClient secretsManagerClient() {
        return SecretsManagerClient.builder()
            .region(Region.of(region))
            .build();
    }

    @Bean
    public SecretCache secretCache(SecretsManagerClient secretsClient) {
        return new SecretCache(secretsClient);
    }
}
```
Service Layer
```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;

@Service
public class SecretsService {
    private final SecretCache cache;
    private final ObjectMapper objectMapper = new ObjectMapper();

    public SecretsService(SecretCache cache) {
        this.cache = cache;
    }

    public String getSecret(String secretName) {
        return cache.getSecretString(secretName);
    }

    public <T> T getSecretAsObject(String secretName, Class<T> type) {
        try {
            return objectMapper.readValue(getSecret(secretName), type);
        } catch (JsonProcessingException e) { // name the secret in the error, never its value
            throw new IllegalStateException("Secret is not valid JSON: " + secretName, e);
        }
    }

    public Map<String, String> getSecretAsMap(String secretName) {
        return getSecretAsObject(secretName, Map.class);
    }
}
```
Database Configuration
```java
@Configuration
public class DatabaseConfiguration {
    @Bean
    public DataSource dataSource(SecretsService secretsService) {
        Map<String, String> credentials = secretsService.getSecretAsMap(
            "prod/database/credentials");
        HikariConfig config = new HikariConfig();
        config.setJdbcUrl(credentials.get("url"));
        config.setUsername(credentials.get("username"));
        config.setPassword(credentials.get("password"));
        return new HikariDataSource(config);
    }
}
```
Examples
Database Credentials Structure
```json
{
    "engine": "postgres",
    "host": "mydb.us-east-1.rds.amazonaws.com",
    "port": 5432,
    "username": "admin",
    "password": "MySecurePassword123!",
    "dbname": "mydatabase",
    "url": "jdbc:postgresql://mydb.us-east-1.rds.amazonaws.com:5432/mydatabase"
}
```
API Keys Structure
```json
{
    "api_key": "abcd1234-5678-90ef-ghij-klmnopqrstuv",
    "api_secret": "MySecretKey123!",
    "api_token": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
```
Common Patterns
Error Handling
```java
import software.amazon.awssdk.services.secretsmanager.model.*;

GetSecretValueRequest request = GetSecretValueRequest.builder()
    .secretId("prod/database/credentials")
    .build();
try {
    String secret = secretsClient.getSecretValue(request).secretString();
} catch (ResourceNotFoundException e) {
    // Handle missing secret: the SDK raises a typed subclass, so no comparison of
    // e.awsErrorDetails().errorCode() against "ResourceNotFoundException" is needed
} catch (SecretsManagerException e) {
    // Any other service error (access denied, decryption failure, throttling) propagates
    throw e;
}
```
Batch Operations
```java
import java.util.List;
import java.util.Map;
import java.util.function.Function;
import java.util.stream.Collectors;

// Each lookup is served from the cache after its first call, so this costs at most
// one GetSecretValue request per secret per TTL window
List<String> secretNames = List.of("secret1", "secret2", "secret3");
Map<String, String> secrets = secretNames.stream()
    .collect(Collectors.toMap(
        Function.identity(),
        name -> cache.getSecretString(name)
    ));
```
Best Practices
- Secret Management:
  - Use descriptive secret names with hierarchical structure
  - Implement versioning and rotation
  - Add tags for organization and billing
- Caching:
  - Always use caching in production environments
  - Configure appropriate TTL values based on secret sensitivity
  - Monitor cache hit rates
- Security:
  - Never log secret values
  - Use KMS encryption for sensitive secrets
  - Implement least privilege IAM policies
  - Enable CloudTrail logging
- Performance:
  - Reuse SecretsManagerClient instances
  - Use async operations when appropriate
  - Monitor API throttling limits
- Spring Boot Integration:
  - Use @Value annotations for secret names
  - Implement proper exception handling
  - Use configuration properties for secret names
  - Use
Testing Strategies
Unit Testing
```java
@ExtendWith(MockitoExtension.class)
class SecretsServiceTest {
    @Mock
    private SecretCache cache;

    @InjectMocks
    private SecretsService secretsService;

    @Test
    void shouldGetSecret() {
        // The service delegates to the cache, so no real Secrets Manager call is made
        when(cache.getSecretString("test-secret")).thenReturn("secret-value");
        String result = secretsService.getSecret("test-secret");
        assertEquals("secret-value", result);
    }
}
```
Integration Testing
```java
@SpringBootTest(classes = TestSecretsConfiguration.class)
class SecretsManagerIntegrationTest {
    @Autowired
    private SecretsService secretsService;

    @Test
    void shouldRetrieveSecret() {
        String secret = secretsService.getSecret("test-secret");
        assertNotNull(secret);
    }
}
```
Troubleshooting
Common Issues
- Access Denied: Check IAM permissions
- Resource Not Found: Verify secret name and region
- Decryption Failure: Ensure KMS key permissions
- Throttling: Implement retry logic and backoff
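An added example (not part of the original skill document) that maps the four issues above onto what the SDK actually raises and configures the client with retry and backoff for throttling. The region and secret name passed in are assumptions; the SDK's default credential chain is used.

```java
import software.amazon.awssdk.core.client.config.ClientOverrideConfiguration;
import software.amazon.awssdk.core.retry.RetryMode;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.model.DecryptionFailureException;
import software.amazon.awssdk.services.secretsmanager.model.ResourceNotFoundException;
import software.amazon.awssdk.services.secretsmanager.model.SecretsManagerException;
import java.util.Optional;

public class ResilientSecretReader {
    private final SecretsManagerClient client;

    public ResilientSecretReader(Region region) {
        this.client = SecretsManagerClient.builder()
            .region(region)
            // ADAPTIVE retries throttled and 5xx responses with exponential backoff and jitter,
            // and rate-limits the client while the service keeps answering ThrottlingException.
            .overrideConfiguration(ClientOverrideConfiguration.builder()
                .retryPolicy(RetryMode.ADAPTIVE)
                .build())
            .build();
    }

    // Empty when the secret does not exist in this region. Failures are reported with the
    // secret name only; the value and the raw response never reach a log line.
    public Optional<String> read(String secretId) {
        try {
            return Optional.ofNullable(
                client.getSecretValue(b -> b.secretId(secretId)).secretString());
        } catch (ResourceNotFoundException e) {
            return Optional.empty();                 // wrong name or wrong region
        } catch (DecryptionFailureException e) {
            throw new IllegalStateException(         // KMS key policy lacks kms:Decrypt
                "KMS decryption denied for " + secretId, e);
        } catch (SecretsManagerException e) {
            String code = e.awsErrorDetails().errorCode();
            if ("AccessDeniedException".equals(code)) {
                throw new IllegalStateException(     // IAM policy lacks secretsmanager:GetSecretValue
                    "Access denied reading " + secretId, e);
            }
            // Throttling that outlasted the retry policy, or another service error
            throw e;
        }
    }
}
```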
Debug Commands
```bash
# Check secret exists
aws secretsmanager describe-secret --secret-id my-secret
# List all secrets
aws secretsmanager list-secrets
# Get secret value (CLI)
aws secretsmanager get-secret-value --secret-id my-secret
```
References
For detailed information and advanced patterns, see:
- API Reference - Complete API documentation
- Caching Guide - Performance optimization strategies
- Spring Boot Integration - Complete Spring integration patterns
Related Skills
- aws-sdk-java-v2-core - Core AWS SDK patterns and best practices
- aws-sdk-java-v2-kms - KMS encryption and key management
- spring-boot-dependency-injection - Spring dependency injection patterns