aws-sdk-java-v2-secrets-manager
giuseppe-trisciuoglio/developer-kit
How to install aws-sdk-java-v2-secrets-manager
npx skills add https://github.com/giuseppe-trisciuoglio/developer-kit --skill aws-sdk-java-v2-secrets-managerFull instructions (SKILL.md)
Source of truth, from giuseppe-trisciuoglio/developer-kit.
name: aws-sdk-java-v2-secrets-manager description: Provides AWS Secrets Manager patterns for AWS SDK for Java 2.x, including secret retrieval, caching, rotation-aware access, and Spring Boot integration. Use when storing or reading secrets in Java services, replacing hardcoded credentials, or wiring secret-backed configuration into applications. allowed-tools: Read, Write, Edit, Bash, Glob, Grep
AWS SDK for Java 2.x - AWS Secrets Manager
Overview
Use this skill to manage application secrets with AWS Secrets Manager from Java services.
It focuses on the operational flow that matters in production:
- how to retrieve and deserialize secrets safely
- when to add local caching
- how to integrate secret access into Spring Boot without leaking values into logs or configuration files
Keep large API notes and extended setup details in the bundled references.
When to Use
Use this skill when:
- replacing hardcoded passwords, API keys, or tokens with managed secrets
- loading database credentials or third-party API credentials at runtime
- adding caching to reduce Secrets Manager latency and API cost
- handling secret version stages such as
AWSCURRENTandAWSPENDING - wiring secret access into Spring Boot beans or configuration services
- preparing rotation-aware applications or Lambda rotation workflows
Typical trigger phrases include java secrets manager, spring boot secret, aws secret cache, load db credentials from secrets manager, and rotate secret.
Instructions
1. Model the secret before writing access code
Decide:
- the secret name and path convention
- whether the value is plain text or structured JSON
- which application boundary is allowed to read it
- whether the caller needs the latest value on every request or can tolerate a cache
Prefer JSON secrets for multi-field credentials such as database connection details.
2. Create one reusable client per application configuration
Use a single SecretsManagerClient with explicit region and the default credential provider chain unless the environment requires something more specific.
Keep client creation in configuration code, not in business services.
3. Retrieve and deserialize at the boundary layer
At the integration boundary:
- fetch with
GetSecretValueRequest - deserialize JSON into a typed object or validated map
- convert AWS exceptions into application-level errors
- never log
secretString()or include it in thrown exception messages
4. Add caching only where it solves a real problem
Use caching when:
- the secret is read frequently
- latency matters for startup or request handling
- the cost of repeated lookups is material
Document cache TTL expectations clearly, especially if the secret rotates.
5. Design for rotation and staged versions
If the secret rotates:
- read through a thin service layer so cache invalidation and retry behavior stay centralized
- understand which callers must tolerate
AWSPENDINGduring verification workflows - test how the application behaves during stale cache windows or partial rotation failures
6. Validate end-to-end behavior
Before shipping:
- verify IAM permissions and KMS access
- test missing secret, wrong region, and decryption failure paths
- confirm secrets are not surfaced in logs, metrics, or debug endpoints
- prove database or API clients refresh correctly when credentials rotate
Examples
Example 1: Reusable client and typed secret lookup
@Configuration
public class SecretsConfiguration {
@Bean
SecretsManagerClient secretsManagerClient() {
return SecretsManagerClient.builder()
.region(Region.of("eu-south-2"))
.credentialsProvider(DefaultCredentialsProvider.create())
.build();
}
}
@Service
public class SecretsService {
private final SecretsManagerClient client;
private final ObjectMapper objectMapper;
public SecretsService(SecretsManagerClient client, ObjectMapper objectMapper) {
this.client = client;
this.objectMapper = objectMapper;
}
public DatabaseSecret loadDatabaseSecret(String secretId) throws JsonProcessingException {
GetSecretValueResponse response = client.getSecretValue(
GetSecretValueRequest.builder().secretId(secretId).build()
);
return objectMapper.readValue(response.secretString(), DatabaseSecret.class);
}
}
Example 2: Cache a hot-path secret lookup
public class CachedSecretsService {
private final SecretCache cache;
public CachedSecretsService(SecretsManagerClient client) {
this.cache = new SecretCache(client);
}
public String apiToken(String secretId) {
return cache.getSecretString(secretId);
}
}
Use this pattern only when the application can tolerate the chosen cache refresh behavior.
Best Practices
- Use hierarchical secret names that match domain and environment boundaries.
- Prefer typed JSON deserialization over string parsing scattered across the codebase.
- Keep secret retrieval in infrastructure services rather than controllers or entities.
- Reuse the SDK client and cache instances.
- Combine least-privilege IAM with KMS permissions and CloudTrail visibility.
- Make rotation behavior explicit in code and operational docs.
Constraints and Warnings
- Do not log secret values, serialized secret objects, or decrypted payload fragments.
- Cached values may remain stale during or after rotation depending on TTL and refresh behavior.
- Secret access can fail because of IAM policy, KMS policy, region mismatch, or deleted versions; handle these cases explicitly.
- Automatic rotation is not available for every secret shape or integration.
- Large or frequently changing secrets may not be good candidates for aggressive in-memory caching.
References
references/api-reference.mdreferences/caching-guide.mdreferences/spring-boot-integration.md
Related Skills
aws-sdk-java-v2-coreaws-sdk-java-v2-kmsspring-boot-dependency-injection
Related skills
More from giuseppe-trisciuoglio/developer-kit and the wider catalog.
shadcn-ui
Copy-owned, accessible React components built on Radix UI and Tailwind CSS with form validation and theming.
tailwind-css-patterns
Utility-first Tailwind CSS patterns for responsive, accessible component styling.
unit-test-bean-validation
Provides patterns for unit testing Jakarta Bean Validation (JSR-380), including @Valid, @NotNull, @Min, @Max, @Email constraints with Hibernate Validator. Generates custom validator tests, constraint violation assertions, validation groups, and parameterized validation tests. Validates data integrity logic without Spring context. Use when writing validation tests, bean validation tests, or testing custom constraint validators.
react-patterns
Provides comprehensive React 19 patterns for Server Components, Server Actions, useOptimistic, useActionState, useTransition, concurrent features, Suspense boundaries, and TypeScript integration. Generates executable code patterns, validates security for public endpoints, and optimizes performance with React Compiler or manual memoization. Proactively use when building React 19 applications with Next.js App Router, implementing optimistic UI, or optimizing concurrent rendering.
drizzle-orm-patterns
Provides comprehensive Drizzle ORM patterns for schema definition, CRUD operations, relations, queries, transactions, and migrations. Proactively use for any Drizzle ORM development including defining database schemas, writing type-safe queries, implementing relations, managing transactions, and setting up migrations with Drizzle Kit. Supports PostgreSQL, MySQL, SQLite, MSSQL, and CockroachDB.
nextjs-performance
Expert Next.js performance optimization skill covering Core Web Vitals, image/font optimization, caching strategies, streaming, bundle optimization, and Server Components best practices. Use when optimizing Next.js applications for Core Web Vitals (LCP, INP, CLS), implementing next/image and next/font, configuring caching with unstable_cache and revalidateTag, converting Client Components to Server Components, implementing Suspense streaming, or analyzing and reducing bundle size. Supports Next.js 16 + React 19 patterns.