SystemAndEnvSecretStore
Manage a store of secrets from system properties and environment variables.
This secret store can manage GenericSecret and CryptoKey secret types when used with dedicated formats.
A secret ID must conform to the convention described in secret-id. The reference is then transformed to match the environment variable name, as follows:
-
Periods (.) are converted to underscores.
-
Characters are transformed to uppercase.
For example, my.secret.id
is transformed to MY_SECRET_ID
.
The secrets provider queries the SystemAndEnvSecretStore for a named secret, identified by the name of a system property or environment variable. The SystemAndEnvSecretStore returns a secret that exactly matches the name.
The secrets provider builds the secret, checking that the secret’s constraints are met, and returns a unique secret. If the secret’s constraints are not met, the secrets provider cannot build the secret and the secret query fails.
For a description of how secrets are managed, refer to About secrets
Usage
{
"name": string,
"type": "SystemAndEnvSecretStore",
"config": {
"format": SecretPropertyFormat reference,
"mappings": [ object, ... ],
"leaseExpiry": configuration expression<duration>
}
}
Properties
format
: SecretPropertyFormat reference, optional-
Format in which the secret is stored. Use one of the following values, or define a format:
-
BASE64
: Base64-encoded -
PLAIN
: Plain text
Default:
BASE64
-
"mappings"
: array of objects, optional-
One or more mappings to define a secret:
secretId
: configuration expression<secret-id>, required-
The ID of the secret used in your configuration.
format
: SecretPropertyFormat reference, required-
The format and algorithm of the secret. Use SecretKeyPropertyFormat or PemPropertyFormat.
"leaseExpiry"
: configuration expression<duration>, optional-
The amount of time that secrets produced by this store can be cached before they must be refreshed.
If the duration is
zero
orunlimited
, PingGateway issues a warning, and uses the default value.Default: 5 minutes
Log level
To facilitate debugging secrets for the SystemAndEnvSecretStore, in
logback.xml
add a logger defined by the fully qualified package name
of the property resolver. The following line in logback.xml
sets the
log level to ALL
:
<logger name="org.forgerock.secrets.propertyresolver" level="ALL">
Example
For an example of how to uses a SystemAndEnvSecretStore to manage a password, refer to the example in Authenticate with SSO through the default authentication service