SystemAndEnvSecretStore
Manage a store of secrets from system properties and environment variables.
A secret ID must conform to the convention described in secret-id. The reference is then transformed to match the environment variable name, as follows:
-
Periods (.) are converted to underscores.
-
Characters are transformed to uppercase.
For example, my.secret.id is transformed to MY_SECRET_ID.
For a description of how secrets are managed, see About Secrets.
Usage
{
"name": string,
"type": "SystemAndEnvSecretStore",
"config": {
"format": configuration expression<enumeration>,
"mappings": [ configuration object, ... ],
"leaseExpiry": configuration expression<duration>
}
}Properties
"format": configuration expression<enumeration>, optional-
Format in which the secret is stored. Use one of the following values:
-
BASE64: Base64-encoded -
PLAIN: Plain text
Default:
BASE64 -
"mappings": array of objects, optional-
One or more mappings to define a secret:
secretId: configuration expression<secret-id>, required-
The ID of the secret used in your configuration.
format: SecretPropertyFormat reference, required-
The format and algorithm of the secret. Use SecretKeyPropertyFormat or PemPropertyFormat.
"leaseExpiry": configuration expression<duration>, optional-
The amount of time that secrets produced by this store can be cached before they must be refreshed.
If the duration is
zeroorunlimited, IG issues a warning, and uses the default value.Default: 5 minutes
Log Level
To facilitate debugging secrets for the SystemAndEnvSecretStore, in
logback.xml add a logger defined by the fully qualified package name
of the property resolver. The following line in logback.xml sets the
log level to ALL:
<logger name="org.forgerock.secrets.propertyresolver" level="ALL">Example
For an example of how to uses a SystemAndEnvSecretStore to manage a password, see the example in Authenticate With SSO Through the Default Authentication Service