FileSystemSecretStore
Manage a store of secrets held in files, specified as follows:
- Each file must contain only one secret.
- The file must be in the directory specified by the property directory.
- The filename must match the mappings property secretId.
- The file content must match the mappings property format. For example, if the mapping specifies BASE64, the file content must be base64-encoded.
Secrets are read lazily from the filesystem.
For a description of how secrets are managed, see About Secrets.
Usage
{
  "name": string,
  "type": "FileSystemSecretStore",
  "config": {
    "directory": configuration expression<string>,
    "format": configuration expression<enumeration>,
    "suffix": configuration expression<string>,
    "mappings": [ configuration object, ... ],
    "leaseExpiry": configuration expression<duration>
  }
}
Properties
"directory": configuration expression<string>, required
File path to a directory containing secret files. This object checks the specified directory, but not its subdirectories.

"format": configuration expression<enumeration>, optional
Format in which the secret is stored. Use one of the following values:
- BASE64: Base64-encoded
- PLAIN: Plain text
Default: BASE64

"suffix": configuration expression<string>, optional
File suffix. When set, the FileSystemSecretStore appends that suffix to the secret ID and tries to find a file with the mapped name.
Default: None

"mappings": array of objects, optional
One or more mappings to define a secret:
- secretId: configuration expression<secret-id>, required
  The ID of the secret used in your configuration.
- format: SecretPropertyFormat reference, required
  The format and algorithm of the secret. Use SecretKeyPropertyFormat or PemPropertyFormat.

"leaseExpiry": configuration expression<duration>, optional
The amount of time that secrets produced by this store can be cached before they must be refreshed. If the duration is zero or unlimited, IG issues a warning and uses the default value.
Default: 5 minutes
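As an added example that is not part of the IG documentation, the following POSIX shell functions lay out a secrets directory according to the rules above and resolve a secret the way the store does: directory, then secret ID, then the optional suffix, with the file content decoded according to the format. The function names (write_secret, read_secret) and the sample secret IDs and values are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the IG documentation. Function names and
# sample values are constructed for illustration.
#
# Lookup rule: <directory>/<secretId><suffix>, one secret per file,
# subdirectories are not searched, content is base64 for BASE64 or
# raw text for PLAIN.

write_secret() {
  # usage: write_secret DIR SECRET_ID SUFFIX FORMAT VALUE
  dir=$1 id=$2 suffix=$3 fmt=$4 value=$5
  umask 077                              # new files readable by owner only (changes the shell's umask)
  mkdir -p "$dir" && chmod 700 "$dir"    # same for the store directory
  case $fmt in
    BASE64) printf '%s' "$value" | base64 | tr -d '\n' > "$dir/$id$suffix" ;;
    PLAIN)  printf '%s' "$value" > "$dir/$id$suffix" ;;
    *)      echo "write_secret: unknown format '$fmt'" >&2; return 1 ;;
  esac
}

read_secret() {
  # usage: read_secret DIR SECRET_ID SUFFIX FORMAT
  dir=$1 id=$2 suffix=$3 fmt=$4
  f="$dir/$id$suffix"
  # Only a regular file directly under DIR counts; nested paths are ignored.
  [ -f "$f" ] || { echo "read_secret: no file for '$id' at $f" >&2; return 1; }
  # Warn when group or others can read the secret file (ls columns 5-10).
  perms=$(ls -ld "$f" | cut -c5-10)
  [ "$perms" = "------" ] || echo "read_secret: $f is readable by others ($perms)" >&2
  case $fmt in
    BASE64) base64 -d < "$f" ;;
    PLAIN)  cat "$f" ;;
    *)      echo "read_secret: unknown format '$fmt'" >&2; return 1 ;;
  esac
}

# Constructed demonstration: a key id with a ".pem" suffix stored PLAIN, and
# a client secret with no suffix stored BASE64, in a throwaway directory.
store=$(mktemp -d)
write_secret "$store" id.key.for.signing.jwt .pem PLAIN "constructed-pem-body"
write_secret "$store" oauth.client.secret "" BASE64 "s3cret"
read_secret "$store" id.key.for.signing.jwt .pem PLAIN; echo
read_secret "$store" oauth.client.secret "" BASE64; echo
rm -rf "$store"
```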
Log Level
To facilitate debugging secrets for the FileSystemSecretStore, in logback.xml add a logger defined by the fully qualified package name of the property resolver. The following line in logback.xml sets the log level to ALL:
<logger name="org.forgerock.secrets.propertyresolver" level="ALL"/>
Example
The example in Pass Runtime Data in a JWT Signed With a PEM uses a FileSystemSecretStore to manage a private key as a PEM file. The PEM file is generated in the directory /path/to/secrets, with the filename id.key.for.signing.jwt. The properties of the FileSystemSecretStore in the route refer to the PEM file.