Class GoogleSecretManagerSecretStore.Builder

java.lang.Object
org.forgerock.secrets.gcp.sm.GoogleSecretManagerSecretStore.Builder
Enclosing class:
GoogleSecretManagerSecretStore

public static class GoogleSecretManagerSecretStore.Builder extends Object
A builder class for configuring an instance of the GoogleSecretManagerSecretStore. The project name and clock must be specified.
  • Constructor Details

    • Builder

      public Builder()
  • Method Details

    • credentialsProvider

      public GoogleSecretManagerSecretStore.Builder credentialsProvider(com.google.api.gax.core.CredentialsProvider credentialsProvider)
      Sets the provider of credentials for the connection to GCP. See the javadoc on credentials(Credentials) for details of the available options; a CredentialsProvider is the right choice when the credentials are supplied by a library component rather than a fixed Credentials object.
      Parameters:
      credentialsProvider - the credentials provider.
      Returns:
      this builder.
    • credentials

      public GoogleSecretManagerSecretStore.Builder credentials(com.google.auth.Credentials credentials)
      Sets the fixed credentials to use for the connection to GCP. In most cases GoogleCredentials.getApplicationDefault() (or GoogleCredentials.getApplicationDefault(com.google.auth.http.HttpTransportFactory) using the ChfHttpTransport from the secrets-backend-gcpkms maven module) is the right option, as Application Default Credentials automatically pick up GCP credentials in most environments. If you need to specify credentials manually, obtain them from the GCP Console and use ServiceAccountCredentials, or use SecretsApiBearerTokenCredentials (also from secrets-backend-gcpkms) to obtain the bearer token through the Secrets API itself; the latter allows the credentials to be rotated without recreating the secret store.
      Parameters:
      credentials - the credentials.
      Returns:
      this builder.
    • project

      public GoogleSecretManagerSecretStore.Builder project(String projectName)
      Specifies the GCP project name that contains the secrets.
      Parameters:
      projectName - the name of the GCP project.
      Returns:
      this builder object.
    • clock

      Specifies the clock used to determine when cached secrets expire (see expiryDuration(Duration)).
      Parameters:
      clock - the clock.
      Returns:
      this builder object.
    • expiryDuration

      public GoogleSecretManagerSecretStore.Builder expiryDuration(Duration duration)
      Specifies how long secrets retrieved from Secret Manager can be cached by clients. Defaults to 30 minutes. A secret version that is rotated, disabled or destroyed in Secret Manager may continue to be served from the cache for up to this duration, so choose a shorter value for secrets whose rotation must take effect quickly.
      Parameters:
      duration - the maximum amount of time that clients can cache secrets for.
      Returns:
      this builder object.
    • purposeMapping

      public GoogleSecretManagerSecretStore.Builder purposeMapping(Function<Purpose<?>,String> purposeMapping)
      Specifies the GCP secret name to use for the given purpose. The default mapping uses the label of the purpose as the secret name, with all periods replaced with hyphens.

      Note: the secret names returned by the mapping must conform to the allowed syntax for GCP secret names. (At the time of writing, this is [0-9a-zA-Z_-]{1,255}).

      Parameters:
      purposeMapping - the purpose mapping function.
      Returns:
      this builder object.
    • purposeMapping

      public GoogleSecretManagerSecretStore.Builder purposeMapping(Map<Purpose<?>,String> purposeMapping)
      Specifies the GCP secret name to use for the given purpose. The default mapping uses the label of the purpose as the secret name, with all periods replaced with hyphens.

      Note: the secret names returned by the mapping must conform to the allowed syntax for GCP secret names. (At the time of writing, this is [0-9a-zA-Z_-]{1,255}).

      Parameters:
      purposeMapping - the purpose mapping.
      Returns:
      this builder object.
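The two purposeMapping overloads above decide which GCP secret a purpose resolves to, and the note on the allowed name syntax is easy to violate with labels that contain characters other than periods. The following is an added example, not code from the page or from the ForgeRock Secrets project, of a mapping function that prefixes every name with a deployment-specific string (so two deployments sharing one project cannot resolve each other's secrets) and fails at configuration time rather than with a confusing lookup failure later. It assumes org.forgerock.secrets.Purpose exposes getLabel() and the static factory Purpose.purpose(String, Class), and that org.forgerock.secrets.GenericSecret exists; the class name SecretNameMapping and the prefix "prod-am" are made up for the illustration.

```java
import java.util.function.Function;
import java.util.regex.Pattern;

import org.forgerock.secrets.GenericSecret;
import org.forgerock.secrets.Purpose;

/**
 * Added example (not ForgeRock code): a purposeMapping function for
 * GoogleSecretManagerSecretStore.Builder that derives a GCP secret name from
 * the purpose label and rejects names that GCP would refuse.
 */
public final class SecretNameMapping {

    // The syntax quoted in the builder's javadoc: [0-9a-zA-Z_-]{1,255}
    private static final Pattern GCP_SECRET_NAME = Pattern.compile("[0-9a-zA-Z_-]{1,255}");

    private SecretNameMapping() {
    }

    /**
     * Returns a mapping that prefixes every secret name with {@code prefix}
     * (e.g. an environment or service name) so that purposes from different
     * deployments in the same GCP project map to distinct secrets.
     */
    public static Function<Purpose<?>, String> prefixed(String prefix) {
        String cleanPrefix = toSecretName(prefix);
        return purpose -> {
            String name = cleanPrefix + "-" + toSecretName(purpose.getLabel());
            if (!GCP_SECRET_NAME.matcher(name).matches()) {
                // Only the length can fail here: both halves were validated already.
                throw new IllegalArgumentException("Secret name exceeds 255 characters: " + name);
            }
            return name;
        };
    }

    /**
     * Mirrors the builder's default mapping (periods become hyphens) but,
     * unlike the default, refuses any other character GCP would reject
     * instead of producing a name that can never be found.
     */
    static String toSecretName(String label) {
        String candidate = label.replace('.', '-');
        if (!GCP_SECRET_NAME.matcher(candidate).matches()) {
            throw new IllegalArgumentException("Label '" + label
                    + "' cannot be used as a GCP secret name; allowed syntax is [0-9a-zA-Z_-]{1,255}");
        }
        return candidate;
    }

    public static void main(String[] args) {
        Function<Purpose<?>, String> mapping = prefixed("prod-am");

        // Purpose labels here are constructed for the example.
        Purpose<GenericSecret> signing = Purpose.purpose("am.oidc.signing.key", GenericSecret.class);
        System.out.println(mapping.apply(signing));   // prod-am-am-oidc-signing-key

        Purpose<GenericSecret> bad = Purpose.purpose("am/oidc key", GenericSecret.class);
        try {
            mapping.apply(bad);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Pass the function to the builder with `.purposeMapping(SecretNameMapping.prefixed("prod-am"))`. The default mapping would silently turn the label "am/oidc key" into "am/oidc key", which GCP cannot store or look up; rejecting it when the store is configured surfaces the misconfiguration before the first secret request.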
    • formatMapping

      Specifies a SecretDecoder to use to decode data returned by Secret Manager. By default the bytes returned from Secret Manager are used as the raw data of the secret. When a specific format is mapped for a given purpose, the data returned by Secret Manager is decoded with the given decoder. Return Optional.empty() to indicate that the default (raw) processing should be used.
      Parameters:
      formatMapping - a mapping that determines the format of secret data.
      Returns:
      this builder object.
    • useVersionOnlyStableId

      @Deprecated(since="27.1.0", forRemoval=true) public GoogleSecretManagerSecretStore.Builder useVersionOnlyStableId()
      Deprecated, for removal: This API element is subject to removal in a future version.
      This method is supplied to allow reverting to the original behaviour of using only the version part of the Secret Version name as the stable ID. This is not recommended, as it leads to stable IDs that collide across many different secrets (the first version of every secret in the project would share the same stable ID, for example).
      Specifies to use only the secret version part of the Secret Version name as the stable ID, instead of using the full Secret Version name.
      Returns:
      this builder object.
    • acceptDeprecatedIDFormat

      @Deprecated(since="27.1.0", forRemoval=true) public GoogleSecretManagerSecretStore.Builder acceptDeprecatedIDFormat()
      Deprecated, for removal: This API element is subject to removal in a future version.
      This method is supplied to allow a smooth migration from the original behaviour of using only the version part of the Secret Version name as the stable ID, and should be used only for a limited time during the migration. New applications should use the full stable ID mapping without fallback.
      Specifies to use the full Secret Version name as the stable ID, with a fallback to using only the version part of the Secret Version name if an existing stable ID is not a valid Secret Version name. This can be used to enable a smooth migration from the old behaviour of using only the version part of the Secret Version name.
      Returns:
      this builder object.
    • build

      Builds the GoogleSecretManagerSecretStore based on the current configuration of the builder.
      Returns:
      the constructed secret store.
      Throws:
      IllegalArgumentException - if any configuration options are missing or incorrect.
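Putting the builder methods together, the following is an added example, not code from the page or from the ForgeRock Secrets project, of a factory that configures the store with Application Default Credentials, a deliberately short cache lifetime for secrets whose rotation must take effect promptly, and an explicit purpose-to-name map (the Map overload) so that the GCP secret names are reviewable in one place. It assumes the clock method takes a java.time.Clock and expiryDuration a java.time.Duration (the page does not show the clock signature), that Purpose.purpose(String, Class) and org.forgerock.secrets.GenericSecret exist, and that GoogleCredentials.getApplicationDefault() is available from the google-auth-library; the class name SecretStoreFactory, the project name and the secret names are made up for the illustration.

```java
import java.io.IOException;
import java.time.Clock;
import java.time.Duration;
import java.util.Map;

import com.google.auth.oauth2.GoogleCredentials;
import org.forgerock.secrets.GenericSecret;
import org.forgerock.secrets.Purpose;
import org.forgerock.secrets.gcp.sm.GoogleSecretManagerSecretStore;

/**
 * Added example (not ForgeRock code): builds a GoogleSecretManagerSecretStore
 * with an explicit purpose-to-secret-name map and a bounded cache lifetime.
 */
public final class SecretStoreFactory {

    // Purposes this service needs; labels are constructed for the example.
    public static final Purpose<GenericSecret> DB_PASSWORD =
            Purpose.purpose("db.password", GenericSecret.class);
    public static final Purpose<GenericSecret> PARTNER_API_TOKEN =
            Purpose.purpose("partner.api.token", GenericSecret.class);

    private SecretStoreFactory() {
    }

    /**
     * @param projectName the GCP project that holds the secrets
     * @param env         deployment name used as a prefix, so "prod" and "staging"
     *                    in the same project never resolve the same secret
     * @param cacheTtl    upper bound on how long a retrieved version is reused;
     *                    a rotated or disabled version can keep being served for this long
     */
    public static GoogleSecretManagerSecretStore create(String projectName, String env, Duration cacheTtl)
            throws IOException {
        if (cacheTtl.isZero() || cacheTtl.isNegative()) {
            throw new IllegalArgumentException("cacheTtl must be positive, got " + cacheTtl);
        }

        // Pinning names here, rather than relying on the default label-to-name
        // mapping, keeps the GCP secret names reviewable in one place.
        Map<Purpose<?>, String> secretNames = Map.of(
                DB_PASSWORD, env + "-db-password",
                PARTNER_API_TOKEN, env + "-partner-api-token");

        // build() throws IllegalArgumentException if project or clock is missing.
        return new GoogleSecretManagerSecretStore.Builder()
                .credentials(GoogleCredentials.getApplicationDefault())
                .project(projectName)
                .clock(Clock.systemUTC())
                .expiryDuration(cacheTtl)
                .purposeMapping(secretNames)
                .build();
    }

    public static void main(String[] args) throws IOException {
        // Five minutes instead of the 30-minute default: a rotated database
        // password is picked up within five minutes without recreating the store.
        GoogleSecretManagerSecretStore store =
                create("example-gcp-project", "prod", Duration.ofMinutes(5));
        System.out.println("Secret store configured: " + store);
    }
}
```

The version-only stable ID options are intentionally not called: a new store should keep the default of the full Secret Version name as the stable ID, so that versions of different secrets in the same project never share an ID.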