Secret Managers

Several ways to provide database credentials are supported.

Raw

Database credentials can be provided as raw unencrypted values:

{
  "type": "raw",
  "value": "${SOURCE_PASSWORD}"
}

Where:

  • type: The password provider type

  • value: The raw password value

Google Secret Manager

Database credentials can be requested from Google Secret Manager:

{
  "type": "gcp",
  "project": "${GCP_PROJECT_ID}",
  "secret": "${SECRET_ID}",
  "version": "${VERSION_ID}"
}

Where:

  • type: The password provider type

  • project: GCP project ID

  • secret: Secret Manager secret ID

  • version: (optional, defaults to latest) Secret Manager secret version ID

Note

The SECRETS_GCP_SECRET_MANAGER_ENABLED property should be enabled; see Application properties.

AWS Secrets Manager

Database credentials can be requested from AWS Secrets Manager:

{
  "type": "aws",
  "secret": "${SECRET_ID}",
  "version": "${VERSION_ID}"
}

Where:

  • type: The password provider type

  • secret: The ARN or name of the secret to retrieve

  • version: (optional) The unique identifier of the version of the secret to retrieve. If you don’t specify the version, then the AWSCURRENT version is used.

Note

The SECRETS_AWS_SECRET_MANAGER_ENABLED property should be enabled; see Application properties.

Hashicorp Vault

Database credentials can be requested from Hashicorp Vault:

{
  "type": "vault",
  "storage": "${STORAGE_ID}",
  "path": "${PATH_ID}",
  "secret": "${SECRET_ID}",
  "versioned": "${IS_VERSIONED}",
  "version": "${VERSION_ID}"
}

Where:

  • type: The password provider type

  • storage: The name of the secret storage (e.g. "secret", "database", "cubbyhole")

  • path: The mount path of the secret

  • secret: The name of the secret to retrieve

  • versioned: Indicates if the current secret storage is versioned ("false" by default)

  • version: The unique identifier of the version of the secret to retrieve. The default value 0 refers to the current version.

Note

The SECRETS_VAULT_SECRET_MANAGER_ENABLED property should be enabled; see Application properties.

For more information and examples, please refer to the Hashicorp Vault as a Secret Manager tutorial page.
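
A pre-deployment check for the four credential block shapes described on this page, as an added example that is not the project's own code. It assumes that keys not marked optional or given a default above are required, and that a "${...}" value left in place is an unreplaced documentation placeholder; lint_credential and all sample values are hypothetical.

```python
import json
import re

# Field names per provider type, taken from the sections above:
# type -> (required keys, optional keys, enabling application property or None).
# Assumption: keys without "optional" or a stated default are required.
PROVIDERS = {
    "raw":   ({"value"}, set(), None),
    "gcp":   ({"project", "secret"}, {"version"}, "SECRETS_GCP_SECRET_MANAGER_ENABLED"),
    "aws":   ({"secret"}, {"version"}, "SECRETS_AWS_SECRET_MANAGER_ENABLED"),
    "vault": ({"storage", "path", "secret"}, {"versioned", "version"},
              "SECRETS_VAULT_SECRET_MANAGER_ENABLED"),
}
PLACEHOLDER = re.compile(r"\$\{[^}]*\}")


def lint_credential(block):
    """Return a list of findings for one credential block (dict or JSON text)."""
    cfg = json.loads(block) if isinstance(block, str) else block
    kind = cfg.get("type")
    if kind not in PROVIDERS:
        return [f"error: unknown provider type {kind!r}"]
    required, optional, prop = PROVIDERS[kind]
    keys = set(cfg) - {"type"}
    findings = [f"error: missing required key '{k}'" for k in sorted(required - keys)]
    findings += [f"warning: unexpected key '{k}'" for k in sorted(keys - required - optional)]
    # Assumption: a ${...} value still present was never substituted.
    findings += [f"error: unresolved placeholder in '{k}'" for k in sorted(keys)
                 if isinstance(cfg[k], str) and PLACEHOLDER.search(cfg[k])]
    if kind == "raw":
        findings.append("warning: raw provider stores the password unencrypted in the config")
    else:
        findings.append(f"info: requires {prop} to be enabled")
    return findings


# Constructed sample blocks (all values are made up for this example).
SAMPLES = [
    {"type": "raw", "value": "example-password"},
    {"type": "gcp", "project": "example-project", "secret": "db-password"},
    {"type": "aws", "secret": "${SECRET_ID}", "versoin": "1"},
    {"type": "vault", "storage": "secret", "path": "apps/db", "versioned": "true"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["type"], "->", lint_credential(sample))
```
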