Skill

aws-sdk-java-v2-secrets-manager

Provides AWS Secrets Manager patterns for AWS SDK Java 2.x: secret retrieval, caching, rotation-aware access, Spring Boot integration. Use for managing secrets in Java services, replacing hardcoded credentials.

Java

AWS

security

backend

From developer-kit-java

Install

Run in your terminal

npx claudepluginhub giuseppe-trisciuoglio/developer-kit --plugin developer-kit-java

Tool Access

This skill is limited to using the following tools:

ReadWriteEditBashGlobGrep

Supporting Assets

View in Repository

assets/templates/SecretsManagerConfigTemplate.java

references/api-reference.md

references/caching-guide.md

references/spring-boot-integration.md

Skill Content

Similar Skills

skill-lookup

Searches, retrieves, and installs Agent Skills from prompts.chat registry using MCP tools like search_skills and get_skill. Activates for finding skills, browsing catalogs, or extending Claude.

prompts.chat

157.5k

prompt-lookup

Searches prompts.chat for AI prompt templates by keyword or category, retrieves by ID with variable handling, and improves prompts via AI. Use for discovering or enhancing prompts.

prompts.chat

157.5k

agent-payment-x402

Enables AI agents to execute x402 payments with per-task budgets, spending controls, and non-custodial wallets via MCP tools. Use when agents pay for APIs, services, or other agents.

everything-claude-code

139.9k

Stats

Parent Repo Stars174

Parent Repo Forks17

Last CommitMar 23, 2026

Actions

View Source View Plugin View on GitHub View README

AWS SDK for Java 2.x - AWS Secrets Manager

Overview

Use this skill to manage application secrets with AWS Secrets Manager from Java services.

It focuses on the operational flow that matters in production:

how to retrieve and deserialize secrets safely
when to add local caching
how to integrate secret access into Spring Boot without leaking values into logs or configuration files

Keep large API notes and extended setup details in the bundled references.

When to Use

Use this skill when:

replacing hardcoded passwords, API keys, or tokens with managed secrets
loading database credentials or third-party API credentials at runtime
adding caching to reduce Secrets Manager latency and API cost
handling secret version stages such as AWSCURRENT and AWSPENDING
wiring secret access into Spring Boot beans or configuration services
preparing rotation-aware applications or Lambda rotation workflows

Typical trigger phrases include java secrets manager, spring boot secret, aws secret cache, load db credentials from secrets manager, and rotate secret.

Instructions

1. Model the secret before writing access code

Decide:

the secret name and path convention
whether the value is plain text or structured JSON
which application boundary is allowed to read it
whether the caller needs the latest value on every request or can tolerate a cache

Prefer JSON secrets for multi-field credentials such as database connection details.

2. Create one reusable client per application configuration

Use a single SecretsManagerClient with explicit region and the default credential provider chain unless the environment requires something more specific.

Keep client creation in configuration code, not in business services.

3. Retrieve and deserialize at the boundary layer

At the integration boundary:

fetch with GetSecretValueRequest
deserialize JSON into a typed object or validated map
convert AWS exceptions into application-level errors
never log secretString() or include it in thrown exception messages

4. Add caching only where it solves a real problem

Use caching when:

the secret is read frequently
latency matters for startup or request handling
the cost of repeated lookups is material

Document cache TTL expectations clearly, especially if the secret rotates.

5. Design for rotation and staged versions

If the secret rotates:

read through a thin service layer so cache invalidation and retry behavior stay centralized
understand which callers must tolerate AWSPENDING during verification workflows
test how the application behaves during stale cache windows or partial rotation failures

6. Validate end-to-end behavior

Before shipping:

verify IAM permissions and KMS access
test missing secret, wrong region, and decryption failure paths
confirm secrets are not surfaced in logs, metrics, or debug endpoints
prove database or API clients refresh correctly when credentials rotate

Examples

Example 1: Reusable client and typed secret lookup

@Configuration
public class SecretsConfiguration {

    @Bean
    SecretsManagerClient secretsManagerClient() {
        return SecretsManagerClient.builder()
            .region(Region.of("eu-south-2"))
            .credentialsProvider(DefaultCredentialsProvider.create())
            .build();
    }
}

@Service
public class SecretsService {

    private final SecretsManagerClient client;
    private final ObjectMapper objectMapper;

    public SecretsService(SecretsManagerClient client, ObjectMapper objectMapper) {
        this.client = client;
        this.objectMapper = objectMapper;
    }

    public DatabaseSecret loadDatabaseSecret(String secretId) throws JsonProcessingException {
        GetSecretValueResponse response = client.getSecretValue(
            GetSecretValueRequest.builder().secretId(secretId).build()
        );
        return objectMapper.readValue(response.secretString(), DatabaseSecret.class);
    }
}

Example 2: Cache a hot-path secret lookup

public class CachedSecretsService {

    private final SecretCache cache;

    public CachedSecretsService(SecretsManagerClient client) {
        this.cache = new SecretCache(client);
    }

    public String apiToken(String secretId) {
        return cache.getSecretString(secretId);
    }
}

Use this pattern only when the application can tolerate the chosen cache refresh behavior.

Best Practices

Use hierarchical secret names that match domain and environment boundaries.
Prefer typed JSON deserialization over string parsing scattered across the codebase.
Keep secret retrieval in infrastructure services rather than controllers or entities.
Reuse the SDK client and cache instances.
Combine least-privilege IAM with KMS permissions and CloudTrail visibility.
Make rotation behavior explicit in code and operational docs.

Constraints and Warnings

Do not log secret values, serialized secret objects, or decrypted payload fragments.
Cached values may remain stale during or after rotation depending on TTL and refresh behavior.
Secret access can fail because of IAM policy, KMS policy, region mismatch, or deleted versions; handle these cases explicitly.
Automatic rotation is not available for every secret shape or integration.
Large or frequently changing secrets may not be good candidates for aggressive in-memory caching.

References

references/api-reference.md
references/caching-guide.md
references/spring-boot-integration.md

Related Skills

aws-sdk-java-v2-core
aws-sdk-java-v2-kms
spring-boot-dependency-injection