AWS SDK for Java 2.x - AWS Secrets Manager Overview AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources. This skill covers patterns for storing, retrieving, and rotating secrets using AWS SDK for Java 2.x, including Spring Boot integration and caching strategies. When to Use Use this skill when: Storing and retrieving application secrets programmatically Managing database credentials securely without hardcoding Implementing automatic secret rotation with Lambda functions Integrating AWS Secrets Manager with Spring Boot applications Setting up secret caching for improved performance Creating secure configuration management systems Working with multi-region secret deployments Implementing audit logging for secret access Instructions Follow these steps to work with AWS Secrets Manager: Add Dependencies - Include secretsmanager dependency and caching library Create Client - Instantiate SecretsManagerClient with proper configuration Store Secrets - Use createSecret() to store new secrets Retrieve Secrets - Use getSecretValue() to fetch secrets Implement Caching - Use SecretCache for improved performance Configure Rotation - Set up automatic rotation schedules Integrate with Spring - Configure beans and property sources Monitor Access - Enable CloudTrail logging for audit trails Dependencies Maven < dependency
< groupId
software.amazon.awssdk </ groupId
< artifactId
secretsmanager </ artifactId
</ dependency
- <
- dependency
- >
- <
- groupId
- >
- com.amazonaws.secretsmanager
- </
- groupId
- >
- <
- artifactId
- >
- aws-secretsmanager-caching-java
- </
- artifactId
- >
- <
- version
- >
- 2.0.0
- </
- version
- >
- // Use the sdk v2 compatible version
- </
- dependency
- >
- Gradle
- implementation
- 'software.amazon.awssdk:secretsmanager'
- implementation
- 'com
- .
- amazonaws
- .
- secretsmanager
- :
- aws
- -
- secretsmanager
- -
- caching
- -
- java
- :
- 2.0
- .
- 0
- Quick Start
- Basic Client Setup
- import
- software
- .
- amazon
- .
- awssdk
- .
- regions
- .
- Region
- ;
- import
- software
- .
- amazon
- .
- awssdk
- .
- services
- .
- secretsmanager
- .
- SecretsManagerClient
- ;
- SecretsManagerClient
- secretsClient
- =
- SecretsManagerClient
- .
- builder
- (
- )
- .
- region
- (
- Region
- .
- US_EAST_1
- )
- .
- build
- (
- )
- ;
- Store a Secret
- import
- software
- .
- amazon
- .
- awssdk
- .
- services
- .
- secretsmanager
- .
- model
- .
- *
- ;
- public
- String
- createSecret
- (
- String
- secretName
- ,
- String
- secretValue
- )
- {
- CreateSecretRequest
- request
- =
- CreateSecretRequest
- .
- builder
- (
- )
- .
- name
- (
- secretName
- )
- .
- secretString
- (
- secretValue
- )
- .
- build
- (
- )
- ;
- CreateSecretResponse
- response
- =
- secretsClient
- .
- createSecret
- (
- request
- )
- ;
- return
- response
- .
- arn
- (
- )
- ;
- }
- Retrieve a Secret
- public
- String
- getSecretValue
- (
- String
- secretName
- )
- {
- GetSecretValueRequest
- request
- =
- GetSecretValueRequest
- .
- builder
- (
- )
- .
- secretId
- (
- secretName
- )
- .
- build
- (
- )
- ;
- GetSecretValueResponse
- response
- =
- secretsClient
- .
- getSecretValue
- (
- request
- )
- ;
- return
- response
- .
- secretString
- (
- )
- ;
- }
- Core Operations
- Secret Management
- Create secrets with
- createSecret()
- Retrieve secrets with
- getSecretValue()
- Update secrets with
- updateSecret()
- Delete secrets with
- deleteSecret()
- List secrets with
- listSecrets()
- Restore deleted secrets with
- restoreSecret()
- Secret Versioning
- Access specific versions by
- versionId
- Access versions by stage (e.g., "AWSCURRENT", "AWSPENDING")
- Automatically manage version history
- Secret Rotation
- Configure automatic rotation schedules
- Lambda-based rotation functions
- Immediate rotation with
- rotateSecret()
- Caching for Performance
- Setup Cache
- import
- com
- .
- amazonaws
- .
- secretsmanager
- .
- caching
- .
- SecretCache
- ;
- public
- class
- CachedSecrets
- {
- private
- final
- SecretCache
- cache
- ;
- public
- CachedSecrets
- (
- SecretsManagerClient
- secretsClient
- )
- {
- this
- .
- cache
- =
- new
- SecretCache
- (
- secretsClient
- )
- ;
- }
- public
- String
- getCachedSecret
- (
- String
- secretName
- )
- {
- return
- cache
- .
- getSecretString
- (
- secretName
- )
- ;
- }
- }
- Cache Configuration
- import
- com
- .
- amazonaws
- .
- secretsmanager
- .
- caching
- .
- SecretCacheConfiguration
- ;
- SecretCacheConfiguration
- config
- =
- SecretCacheConfiguration
- .
- builder
- (
- )
- .
- maxCacheSize
- (
- 1000
- )
- .
- cacheItemTTL
- (
- 3600000
- )
- // 1 hour
- .
- build
- (
- )
- ;
- Spring Boot Integration
- Configuration
- @Configuration
- public
- class
- SecretsManagerConfiguration
- {
- @Bean
- public
- SecretsManagerClient
- secretsManagerClient
- (
- )
- {
- return
- SecretsManagerClient
- .
- builder
- (
- )
- .
- region
- (
- Region
- .
- of
- (
- region
- )
- )
- .
- build
- (
- )
- ;
- }
- @Bean
- public
- SecretCache
- secretCache
- (
- SecretsManagerClient
- secretsClient
- )
- {
- return
- new
- SecretCache
- (
- secretsClient
- )
- ;
- }
- }
- Service Layer
- @Service
- public
- class
- SecretsService
- {
- private
- final
- SecretCache
- cache
- ;
- public
- SecretsService
- (
- SecretCache
- cache
- )
- {
- this
- .
- cache
- =
- cache
- ;
- }
- public
- <
- T
- >
- T
- getSecretAsObject
- (
- String
- secretName
- ,
- Class
- <
- T
- >
- type
- )
- {
- String
- secretJson
- =
- cache
- .
- getSecretString
- (
- secretName
- )
- ;
- return
- objectMapper
- .
- readValue
- (
- secretJson
- ,
- type
- )
- ;
- }
- }
- Database Configuration
- @Configuration
- public
- class
- DatabaseConfiguration
- {
- @Bean
- public
- DataSource
- dataSource
- (
- SecretsService
- secretsService
- )
- {
- Map
- <
- String
- ,
- String
- >
- credentials
- =
- secretsService
- .
- getSecretAsMap
- (
- "prod/database/credentials"
- )
- ;
- HikariConfig
- config
- =
- new
- HikariConfig
- (
- )
- ;
- config
- .
- setJdbcUrl
- (
- credentials
- .
- get
- (
- "url"
- )
- )
- ;
- config
- .
- setUsername
- (
- credentials
- .
- get
- (
- "username"
- )
- )
- ;
- config
- .
- setPassword
- (
- credentials
- .
- get
- (
- "password"
- )
- )
- ;
- return
- new
- HikariDataSource
- (
- config
- )
- ;
- }
- }
- Examples
- Database Credentials Structure
- {
- "engine"
- :
- "postgres"
- ,
- "host"
- :
- "mydb.us-east-1.rds.amazonaws.com"
- ,
- "port"
- :
- 5432
- ,
- "username"
- :
- "admin"
- ,
- "password"
- :
- "MySecurePassword123!"
- ,
- "dbname"
- :
- "mydatabase"
- ,
- "url"
- :
- "jdbc:postgresql://mydb.us-east-1.rds.amazonaws.com:5432/mydatabase"
- }
- API Keys Structure
- {
- "api_key"
- :
- "abcd1234-5678-90ef-ghij-klmnopqrstuv"
- ,
- "api_secret"
- :
- "MySecretKey123!"
- ,
- "api_token"
- :
- "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
- }
- Common Patterns
- Error Handling
- try
- {
- String
- secret
- =
- secretsClient
- .
- getSecretValue
- (
- request
- )
- .
- secretString
- (
- )
- ;
- }
- catch
- (
- SecretsManagerException
- e
- )
- {
- if
- (
- e
- .
- awsErrorDetails
- (
- )
- .
- errorCode
- (
- )
- .
- equals
- (
- "ResourceNotFoundException"
- )
- )
- {
- // Handle missing secret
- }
- throw
- e
- ;
- }
- Batch Operations
- List
- <
- String
- >
- secretNames
- =
- List
- .
- of
- (
- "secret1"
- ,
- "secret2"
- ,
- "secret3"
- )
- ;
- Map
- <
- String
- ,
- String
- >
- secrets
- =
- secretNames
- .
- stream
- (
- )
- .
- collect
- (
- Collectors
- .
- toMap
- (
- Function
- .
- identity
- (
- )
- ,
- name
- ->
- cache
- .
- getSecretString
- (
- name
- )
- )
- )
- ;
- Best Practices
- Secret Management
- :
- Use descriptive secret names with hierarchical structure
- Implement versioning and rotation
- Add tags for organization and billing
- Caching
- :
- Always use caching in production environments
- Configure appropriate TTL values based on secret sensitivity
- Monitor cache hit rates
- Security
- :
- Never log secret values
- Use KMS encryption for sensitive secrets
- Implement least privilege IAM policies
- Enable CloudTrail logging
- Performance
- :
- Reuse SecretsManagerClient instances
- Use async operations when appropriate
- Monitor API throttling limits
- Spring Boot Integration
- :
- Use
- @Value
- annotations for secret names
- Implement proper exception handling
- Use configuration properties for secret names
- Testing Strategies
- Unit Testing
- @ExtendWith
- (
- MockitoExtension
- .
- class
- )
- class
- SecretsServiceTest
- {
- @Mock
- private
- SecretCache
- cache
- ;
- @InjectMocks
- private
- SecretsService
- secretsService
- ;
- @Test
- void
- shouldGetSecret
- (
- )
- {
- when
- (
- cache
- .
- getSecretString
- (
- "test-secret"
- )
- )
- .
- thenReturn
- (
- "secret-value"
- )
- ;
- String
- result
- =
- secretsService
- .
- getSecret
- (
- "test-secret"
- )
- ;
- assertEquals
- (
- "secret-value"
- ,
- result
- )
- ;
- }
- }
- Integration Testing
- @SpringBootTest
- (
- classes
- =
- TestSecretsConfiguration
- .
- class
- )
- class
- SecretsManagerIntegrationTest
- {
- @Autowired
- private
- SecretsService
- secretsService
- ;
- @Test
- void
- shouldRetrieveSecret
- (
- )
- {
- String
- secret
- =
- secretsService
- .
- getSecret
- (
- "test-secret"
- )
- ;
- assertNotNull
- (
- secret
- )
- ;
- }
- }
- Troubleshooting
- Common Issues
- Access Denied
-
- Check IAM permissions
- Resource Not Found
-
- Verify secret name and region
- Decryption Failure
-
- Ensure KMS key permissions
- Throttling
- Implement retry logic and backoff Debug Commands
Check secret exists
aws secretsmanager describe-secret --secret-id my-secret
List all secrets
aws secretsmanager list-secrets
Get secret value (CLI)
aws secretsmanager get-secret-value --secret-id my-secret References For detailed information and advanced patterns, see: API Reference - Complete API documentation Caching Guide - Performance optimization strategies Spring Boot Integration - Complete Spring integration patterns