Amazon Secrets Manager Passphrase Provider provide a mechanism for reading a passphrase from the Amazon AWS Secrets Manager service. It may only be used with string secrets (in which the Secrets Manager service returns the secret in the form of a JSON object) and not with secrets stored in a binary form.
The Amazon Secrets Manager Passphrase Provider component inherits from the Passphrase Provider
The following components have a direct aggregation relation from Amazon Secrets Manager Passphrase Providers:
The properties supported by this managed object are as follows:
| Basic Properties: | Advanced Properties: |
|---|---|
| description | None |
| enabled | |
| aws-external-server | |
| secret-id | |
| secret-field-name | |
| secret-version-id | |
| secret-version-stage | |
| max-cache-duration |
| Description | A description for this Passphrase Provider |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Indicates whether this Passphrase Provider is enabled for use in the server. |
| Default Value | None |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | The external server with information to use when interacting with the AWS Secrets Manager. |
| Default Value | None |
| Allowed Values | The DN of any Amazon Aws External Server. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | The Amazon Resource Name (ARN) or the user-friendly name of the secret to be retrieved. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | The name of the JSON field whose value is the passphrase that will be retrieved. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | The unique identifier for the version of the secret to be retrieved. If this is provided, then its value will typically be in the form of a UUID. This property must not be provided if the secret-version-stage property is provided. If neither the secret-version-id property nor the secret-version-stage property is provided, then the current version of the secret will be used. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
secret-version-stage (Read-Only)
| Description | The staging label for the version of the secret to be retrieved. If this is provided, then its value will typically be in the form of a UUID. This property must not be provided if the secret-version-id property is provided. If neither the secret-version-id property nor the secret-version-stage property is provided, then the current version of the secret will be used. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | The maximum length of time that the passphrase provider may cache the passphrase that has been read from Vault. A value of zero seconds indicates that the provider should always attempt to read the passphrase from Vault. |
| Default Value | 60s |
| Allowed Values | A duration. Lower limit is 0 milliseconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
To list the configured Passphrase Providers:
dsconfig list-passphrase-providers
[--property {propertyName}] ...
To view the configuration for an existing Passphrase Provider:
dsconfig get-passphrase-provider-prop
--provider-name {name}
[--tab-delimited]
[--script-friendly]
[--property {propertyName}] ...
To update the configuration for an existing Passphrase Provider:
dsconfig set-passphrase-provider-prop
--provider-name {name}
(--set|--add|--remove) {propertyName}:{propertyValue}
[(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new Amazon Secrets Manager Passphrase Provider:
dsconfig create-passphrase-provider
--provider-name {name}
--type amazon-secrets-manager
--set enabled:{propertyValue}
--set aws-external-server:{propertyValue}
--set secret-id:{propertyValue}
--set secret-field-name:{propertyValue}
[--set {propertyName}:{propertyValue}] ...
To delete an existing Passphrase Provider:
dsconfig delete-passphrase-provider
--provider-name {name}