A java based client library for Cerberus that's built on top of Nike's Cerberus client.
This library acts as a wrapper around the Nike developed Cerberus client by configuring the client to be Cerberus compatible.
To learn more about Cerberus, please see the Cerberus website.
- Start with the quick start guide.
- Add the Cerberus client dependency to your build (e.g. Maven, Gradle)
- Provide an authentication mechanism.
- For local development it is easiest to export a
CERBERUS_TOKENthat you copied from the Cerberus dashboard. When running in AWS, your application will not need this environment variable, instead it will automatically authenticate using its IAM role. Alternatively, set acerberus.tokenSystem property. - If you would like to test IAM authentication locally, you can do that by assuming a role.
- For local development it is easiest to export a
- Access secrets from Cerberus using Java
String cerberusUrl = "https://cerberus.example.com";
CerberusClient cerberusClient = DefaultCerberusClientFactory.getClient(cerberusUrl);
Map<String,String> secrets = cerberusClient.read("/app/my-sdb-name").getData();Generally it does NOT make sense to store Lambda secrets in Cerberus for two reasons:
- Cerberus cannot support the scale that lambdas may need, e.g. thousands of requests per second
- Lambdas will not want the extra latency needed to authenticate and read from Cerberus
A better solution for Lambda secrets is using the encrypted environmental variables feature provided by AWS.
Another option is to store Lambda secrets in Cerberus but only read them at Lambda deploy time, then storing them as encrypted environmental variables, to avoid the extra Cerberus runtime latency.
The IAM role assigned to the Lambda function must contain the following policy statement in addition to the above KMS decrypt policy, this is so the Lambda can look up its metadata to automatically authenticate with the Cerberus IAM auth endpoint:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowGetFunctionConfig",
"Effect": "Allow",
"Action": [
"lambda:GetFunctionConfiguration"
],
"Resource": [
"*"
]
}
]
}Setup the CERBERUS_ADDR environmental variable and access Cerberus using Java:
String invokedFunctionArn = context.getInvokedFunctionArn();
CerberusClient cerberusClient = DefaultCerberusClientFactory.getClientForLambda(invokedFunctionArn);
Map<String,String> secrets = cerberusClient.read("/app/my-sdb-name").getData();There are other ways of using this library than the quick start above.
Provide the URL directly using the factory method DefaultCerberusClientFactory.getClient(cerberusUrl) or use the
DefaultCerberusUrlResolver by setting the environment variable CERBERUS_ADDR or the JVM system property cerberus.addr
and then use the factory method that does not require a URL:
final CerberusClient cerberusClient = DefaultCerberusClientFactory.getClient();
Map<String,String> secrets = cerberusClient.read("/app/my-sdb-name").getData();This client uses a provider chain to resolve the token needed to interact with Cerberus.
See DefaultCerberusCredentialsProviderChain.java for full usage.
If the client library is running on an EC2 instance, it will attempt to use the instance's assigned IAM role to authenticate with Cerberus and obtain a token.
The IAM role must be configured for access to Cerberus before this will work.
The following policy statement must also be assigned to the IAM role, so that the client can automatically decrypt the auth token from the Cerberus IAM auth endpoint:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowKmsDecrypt",
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:*:[Cerberus AWS Account ID]:key/*"
]
}
]
}The account ID in the ARN should be the account ID where Cerberus is deployed. See your company's internal documentation for the account ID that you should use.
First, make sure the following environment variables are set before running the Java Client integration tests:
export CERBERUS_ADDR=https://example.cerberus.com
export TEST_ACCOUNT_ID=12345678910
export TEST_ROLE_NAME=integration-test-role
export TEST_REGION=us-west-2Next, in the project directory run:
./gradlew integrationCerberus client is a small project. It only has a few classes and they are all fully documented. For further details please see the source code, including javadocs and unit tests.
Cerberus client is released under the Apache License, Version 2.0
![@dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=64&v=4){kind=small}
