FileSystemSecretStore

Manage a store of secrets held in files, specified as follows:

Each file must contain only one secret.
The file must be in the directory specified by the property directory.
The filename must match the mappings property secretId.
The file content must match the mappings property format. For example, if the mapping specifies BASE64, the file content must be base64-encoded.

Secrets are read lazily from the filesystem.

For a description of how secrets are managed, see About Secrets.

Usage

{
  "name": string,
  "type": "FileSystemSecretStore",
  "config": {
    "directory": configuration expression<string>,
    "format": configuration expression<enumeration>,
    "suffix": configuration expression<string>,
    "mappings": [ configuration object, ... ],
    "leaseExpiry": configuration expression<duration>
  }
}

Properties

"directory": configuration expression<string>, required: File path to a directory containing secret files. This object checks the specified directory, but not its subdirectories.

"format": configuration expression<enumeration>, optional

Format in which the secret is stored. Use one of the following values:

BASE64: Base64-encoded
PLAIN: Plain text

Default: BASE64

"suffix": configuration expression<string>, optional

File suffix.

When set, the FileSystemSecretStore will append that suffix to the secret ID and try to find a file with the mapped name.

Default: None

"mappings": array of objects, optional

One or more mappings to define a secret:

secretId: configuration expression<secret-id>, required: The ID of the secret used in your configuration.
format: SecretPropertyFormat reference, required: The format and algorithm of the secret. Use SecretKeyPropertyFormat or PemPropertyFormat.

"leaseExpiry": configuration expression<duration>, optional: The amount of time that secrets produced by this store can be cached before they must be refreshed.

If the duration is zero or unlimited, IG issues a warning, and uses the default value.

Default: 5 minutes

Log Level

To facilitate debugging secrets for the FileSystemSecretStore, in logback.xml add a logger defined by the fully qualified package name of the property resolver. The following line in logback.xml sets the log level to ALL:

<logger name="org.forgerock.secrets.propertyresolver" level="ALL">

Example

The example in Pass Runtime Data in a JWT Signed With a PEM uses a FileSystemSecretStore to manage a private key as PEM file. The PEM file is generated in the directory /path/to/secrets, with the filename id.key.for.signing.jwt. The properties of the FileSystemSecretStore in the route refer to the PEM file.

More Information

Secrets

org.forgerock.openig.secrets.FileSystemSecretStoreHeaplet