Amazon Secrets Manager Properties Provider 1.1 Reference
Amazon Secrets Manager Properties Provider is a configuration that enables you to retrieve your secrets from Amazon Secrets Manager cloud service before your Mule app runs.
Configuration
Default Configuration for Amazon Secrets Manager Properties Provider.
| Name | Type | Description | Default Value | Required |
|---|---|---|---|---|
| Name | | Name for this configuration. Connectors reference the configuration with this name. | | x |
| Expiration Policy | | Configures the minimum amount of time that a dynamic configuration instance can remain idle before Mule considers it eligible for expiration. This does not mean that the instance expires at the exact moment that it becomes eligible. Mule purges the instances as appropriate. | | x |
| AWS Secrets Manager Region | String | AWS Secrets Manager region, for example, | | x |
| AWS Access Key | String | AWS access key ID. | | |
| AWS Secret Key | String | AWS secret key ID. | | |
| Role ARN | String | Uniquely identifies a role to gain cross-account access. | | |
| External ID | String | The External ID is used to prevent the confused deputy problem when assuming a role in another account. | | |
Types
Expiration Policy
| Field | Type | Description | Default Value | Required |
|---|---|---|---|---|
| Max Idle Time | Number | Configures the maximum amount of time that a dynamic configuration instance can remain idle before Mule considers it eligible for expiration. | | |
| Time Unit | Enumeration, one of: | Time unit for the Max Idle Time field. | | |
Limitations
Amazon Secrets Manager Properties Provider doesn’t support the use of property files for the configuration of the properties provider.
Environment Variables
If you do not provide the AWS Access Key, AWS Secret Key, or AWS Secrets Manager Region values in the configuration, Amazon Secrets Manager Properties Provider uses the default credentials provider chain of the AWS SDK for Java 2.x to resolve credentials and the region from the runtime environment. This capability enables you to avoid hardcoding AWS credentials in the Mule app configuration.
Use the following environment variables to configure the behavior of Amazon Secrets Manager Properties Provider from the environment instead of specifying parameters in the Mule app configuration:
- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY
- AWS_SESSION_TOKEN (required only when using temporary credentials)
- AWS_REGION
These variables are stored in secure configuration files with the values encrypted. During execution, the runtime decrypts these values and they remain in memory in their decrypted state. For more information, refer to Protecting App Property Values.
Alternatively, you can set the equivalent Java system properties: aws.accessKeyId, aws.secretAccessKey, aws.sessionToken, and aws.region. For the full list of credential sources and the order in which they are evaluated, refer to the default credentials provider chain documentation for the AWS SDK for Java 2.x.
Authenticate Through Environment Variables
To authenticate to Amazon Secrets Manager using environment variables, set the following environment variables:
- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY
- AWS_REGION
Refer to Setting Environment Variables for details.
If you do not set the AWS Access Key, AWS Secret Key, or AWS Secrets Manager Region attributes in the configuration, the properties provider uses the values from the environment variables.
In the XML configuration, you can omit the credential attributes when you rely on environment variables:
```xml
<!-- Configuration using environment variables for AWS credentials and region -->
<aws-secrets-manager-properties-override:config name="AWS_Secrets_Manager_Properties_Override_Config" doc:name="AWS Secrets Manager Properties Override Config">
    <aws-secrets-manager-properties-override:basic-connection />
</aws-secrets-manager-properties-override:config>
```
If the properties provider cannot resolve credentials or the region from the configuration, environment variables, or any other source in the default credentials provider chain, the Mule app fails to start.
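Because an unresolved credential or region stops the app at startup, a preflight check in the launch script can report the cause before the Mule runtime starts. The following is an added example, not code from the connector or its documentation: `check_aws_env` and its return codes are hypothetical, and it assumes the configuration omits the credential attributes and the deployment relies on environment variables only.

```shell
#!/bin/sh
# Added example: preflight check for the environment-variable credential source.
# check_aws_env is a hypothetical helper name, not part of the connector.
# Return codes (constructed for this example):
#   0 access key pair (plus session token if temporary) and region are set
#   1 only one of the access key / secret key pair is set
#   2 temporary access key (ASIA prefix) without AWS_SESSION_TOKEN
#   3 credentials present but AWS_REGION is missing
#   4 no keys in the environment; later chain sources must supply them
# Usage in a launch script: check_aws_env; rc=$?
check_aws_env() {
    key="${AWS_ACCESS_KEY_ID:-}"
    secret="${AWS_SECRET_ACCESS_KEY:-}"

    if [ -z "$key" ] && [ -z "$secret" ]; then
        echo "no access key pair in environment; relying on other chain sources" >&2
        return 4
    fi
    if [ -z "$key" ] || [ -z "$secret" ]; then
        echo "AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY must be set together" >&2
        return 1
    fi
    # STS-issued temporary access key IDs start with ASIA and need a session token.
    case "$key" in
        ASIA*)
            if [ -z "${AWS_SESSION_TOKEN:-}" ]; then
                echo "temporary access key without AWS_SESSION_TOKEN" >&2
                return 2
            fi
            ;;
    esac
    if [ -z "${AWS_REGION:-}" ]; then
        echo "AWS_REGION is not set" >&2
        return 3
    fi
    # Report only the key ID prefix; never echo the secret or the token.
    echo "environment credentials complete (key type: $(printf '%.4s' "$key"))" >&2
    return 0
}
```

Return code 4 is not necessarily an error: the default credentials provider chain can still resolve credentials from a later source, so treat it as a failure only when environment variables are the sole intended source.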



