Contents
[■ Using Secrets Manager in AWS](#■AWS中的【Secrets Manager】使用)
[■ The secret in AWS Secrets Manager](#■AWS中的【Secrets Manager】中的【secret】)
■ Using Secrets Manager in AWS
Database connection details such as the password and host can be stored as a secret in AWS Secrets Manager instead of being kept in the application itself.

■ The secret in AWS Secrets Manager
Name: secret-rotation-test/rds/postgres

■ Secret value (JSON)
```json
{
  "username": "test",
  "password": "5Xxxxxxxxxx",
  "engine": "postgres",
  "host": "secrets-rotation-test.cluster-xxxxxxxxx",
  "port": "5432",
  "dbClusterIdentifier": "secrets-rotation-test"
}
```
■ Reading a single key from Java
Secret ID: secret-rotation-test/rds/postgres

```java
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueResponse;
import software.amazon.awssdk.services.secretsmanager.model.SecretsManagerException;

import java.io.IOException;
import java.util.Map;

public class AwsSecretSingleKeyRetriever {

    private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();

    public static void main(String[] args) {
        // Must match the secret name shown above
        String secretName = "secret-rotation-test/rds/postgres";
        Region region = Region.US_EAST_1; // change to the region the secret lives in
        String key = "username";         // the key to extract
        try {
            String value = getSecretValueByKey(secretName, region, key);
            System.out.println("Value for key '" + key + "': " + value);
        } catch (Exception e) {
            System.err.println("Error: " + e.getMessage());
            e.printStackTrace();
        }
    }

    /**
     * Reads the value of one key from a JSON secret stored in AWS Secrets Manager.
     *
     * @param secretName secret name or ARN
     * @param region     AWS region the secret lives in
     * @param key        the JSON key to extract
     * @return the value stored under that key
     */
    public static String getSecretValueByKey(String secretName, Region region, String key) {
        // The client is AutoCloseable, so try-with-resources closes it even on error
        try (SecretsManagerClient client = SecretsManagerClient.builder()
                .region(region)
                .credentialsProvider(DefaultCredentialsProvider.create())
                .build()) {

            GetSecretValueRequest request = GetSecretValueRequest.builder()
                    .secretId(secretName)
                    .build();
            GetSecretValueResponse response = client.getSecretValue(request);

            String secretString = response.secretString();
            if (secretString == null) {
                throw new RuntimeException("Secret is binary, not string.");
            }

            // Parse the JSON string into a Map
            Map<String, String> secretMap = OBJECT_MAPPER.readValue(
                    secretString,
                    new TypeReference<Map<String, String>>() {}
            );

            // Look up the requested key
            String value = secretMap.get(key);
            if (value == null) {
                throw new RuntimeException("Key '" + key + "' not found in secret.");
            }
            return value;
        } catch (SecretsManagerException e) {
            throw new RuntimeException("AWS Secrets Manager error: " + e.awsErrorDetails().errorMessage(), e);
        } catch (IOException e) {
            throw new RuntimeException("Failed to parse secret JSON: " + e.getMessage(), e);
        }
    }
}
```
■ Maven
```xml
<dependency>
    <groupId>software.amazon.awssdk</groupId>
    <artifactId>secretsmanager</artifactId>
    <version>2.20.0</version>
</dependency>
<dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <version>2.15.2</version>
</dependency>
```
■ Gradle
```groovy
implementation 'software.amazon.awssdk:secretsmanager:2.20.0'
implementation 'com.fasterxml.jackson.core:jackson-databind:2.15.2'
```
■ Key notes
- Credentials: the code uses DefaultCredentialsProvider.create(), which reads credentials automatically from environment variables, system properties, the AWS config files (~/.aws/credentials), EC2 instance metadata and similar sources. Make sure the runtime environment is configured accordingly.
- Region: the region hard-coded in the example is only a placeholder; replace it with the region your secret is actually stored in.
- Secret format: the secret must be a JSON string, for example {"username":"admin","password":"123456"}. For a binary secret, use response.secretBinary() and decode it yourself.
- Exception handling: the code catches SDK exceptions and JSON parsing exceptions and rethrows them as runtime exceptions; adjust this to suit your own error handling.
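The notes above leave two things to the reader: how to handle a binary secret, and what to do once a rotated secret has a numeric or missing field. The following is an added example (it is not part of the original post) that reads the whole RDS secret into a typed holder rather than one key at a time. It pins the request to the AWSCURRENT version stage, accepts either `secretString` or `secretBinary`, tolerates `"port": 5432` as well as `"port": "5432"`, and keeps the password out of `toString()` so the object can be logged safely. The class names `DbSecretReader` and `DbCredentials`, the region `Region.US_EAST_1`, and the assumption that a binary secret holds UTF-8 encoded JSON are mine; only the secret name comes from the post.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueResponse;
import software.amazon.awssdk.services.secretsmanager.model.ResourceNotFoundException;
import software.amazon.awssdk.services.secretsmanager.model.SecretsManagerException;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/** Added example (hypothetical class, not from the original post): typed reader for the RDS secret. */
public class DbSecretReader {

    private static final ObjectMapper MAPPER = new ObjectMapper();

    /** Connection fields parsed from the secret. The password is a char[] so it can be wiped after use. */
    public static final class DbCredentials {
        public final String username;
        public final char[] password;
        public final String host;
        public final int port;
        public final String engine;

        DbCredentials(String username, char[] password, String host, int port, String engine) {
            this.username = username;
            this.password = password;
            this.host = host;
            this.port = port;
            this.engine = engine;
        }

        /** Overwrite the password in memory once the connection has been opened. */
        public void wipePassword() {
            Arrays.fill(password, '\0');
        }

        @Override
        public String toString() {
            // Safe to log: the password is deliberately left out.
            return "DbCredentials{username=" + username + ", host=" + host
                    + ", port=" + port + ", engine=" + engine + "}";
        }
    }

    /** Fetch the AWSCURRENT version of the secret and parse it into DbCredentials. */
    public static DbCredentials read(SecretsManagerClient client, String secretId) {
        GetSecretValueRequest request = GetSecretValueRequest.builder()
                .secretId(secretId)
                .versionStage("AWSCURRENT") // explicit: after rotation this stage holds the new password
                .build();
        GetSecretValueResponse response;
        try {
            response = client.getSecretValue(request);
        } catch (ResourceNotFoundException e) {
            throw new IllegalStateException("Secret not found: " + secretId, e);
        } catch (SecretsManagerException e) {
            // Typical causes: the caller lacks secretsmanager:GetSecretValue, or kms:Decrypt on the secret's key.
            throw new IllegalStateException("Secrets Manager call failed: "
                    + e.awsErrorDetails().errorMessage(), e);
        }
        return parse(secretPayload(response));
    }

    /** Return the secret text whether it was stored as a string or as binary. */
    static String secretPayload(GetSecretValueResponse response) {
        if (response.secretString() != null) {
            return response.secretString();
        }
        if (response.secretBinary() != null) {
            // Assumption: the binary secret holds UTF-8 encoded JSON (the SDK already decodes the base64 blob).
            return new String(response.secretBinary().asByteArray(), StandardCharsets.UTF_8);
        }
        throw new IllegalStateException("Secret has neither SecretString nor SecretBinary");
    }

    /** Parse the JSON; package-private so it can be unit-tested without calling AWS. */
    static DbCredentials parse(String json) {
        JsonNode root;
        try {
            root = MAPPER.readTree(json);
        } catch (IOException e) {
            throw new IllegalStateException("Secret is not valid JSON", e);
        }
        for (String field : new String[] {"username", "password", "host", "port"}) {
            if (!root.hasNonNull(field)) {
                throw new IllegalStateException("Secret is missing required field '" + field + "'");
            }
        }
        // asText()/asInt() accept both "5432" and 5432, so a numeric port does not break parsing.
        return new DbCredentials(
                root.get("username").asText(),
                root.get("password").asText().toCharArray(),
                root.get("host").asText(),
                root.get("port").asInt(),
                root.path("engine").asText("postgres"));
    }

    public static void main(String[] args) {
        // Secret name from the post; the region is an assumption, change it to where the secret lives.
        try (SecretsManagerClient client = SecretsManagerClient.builder().region(Region.US_EAST_1).build()) {
            DbCredentials creds = read(client, "secret-rotation-test/rds/postgres");
            System.out.println(creds); // prints without the password
            // open the JDBC connection with creds here, then:
            creds.wipePassword();
        }
    }
}
```

`parse` is split out from the AWS call so the field-validation logic can be exercised in a plain unit test with a constructed JSON string; in production the only call that needs network access and IAM permission is `read`. Requesting `AWSCURRENT` explicitly documents which version the application depends on during a rotation, and a caller that caches the result should refresh it when the database rejects the cached password, since rotation moves the stage to a new version.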