# Get a Secrets Manager secret value using Java with client-side caching When you retrieve a secret, you can use the Secrets Manager Java-based caching component to cache it for future use. Retrieving a cached secret is faster than retrieving it from Secrets Manager. Because there is a cost for calling Secrets Manager APIs, using a cache can reduce your costs. For all of the ways you can retrieve secrets, see [Get secrets](retrieving-secrets.md). The cache policy is Least Recently Used (LRU), so when the cache must discard a secret, it discards the least recently used secret. By default, the cache refreshes secrets every hour. You can configure [how often the secret is refreshed](retrieving-secrets_cache-java-ref_SecretCacheConfiguration.md#retrieving-secrets_cache-java-ref_SecretCacheConfiguration_methods-getCacheItemTTL) in the cache, and you can [hook into the secret retrieval](retrieving-secrets_cache-java-ref_SecretCacheHook.md) to add more functionality. The cache does not force garbage collection once cache references are freed. The cache implementation does not include cache invalidation. The cache implementation is focused around the cache itself, and is not security hardened or focused. If you require additional security such as encrypting items in the cache, use the interfaces and abstract methods provided. To use the component, you must have the following: + A Java 8 or higher development environment. See [Java SE Downloads](https://www.oracle.com/technetwork/java/javase/downloads/index.html) on the Oracle website. To download the source code, see [Secrets Manager Java-based caching client component](https://github.com/aws/aws-secretsmanager-caching-java) on GitHub. To add the component to your project, in your Maven pom.xml file, include the following dependency. For more information about Maven, see the [Getting Started Guide](https://maven.apache.org/guides/getting-started/index.html) on the Apache Maven Project website. ``` com.amazonaws.secretsmanager aws-secretsmanager-caching-java 1.0.2 ``` **Required permissions: ** + `secretsmanager:DescribeSecret` + `secretsmanager:GetSecretValue` For more information, see [Permissions reference](auth-and-access.md#reference_iam-permissions). **Topics** + [SecretCache](retrieving-secrets_cache-java-ref_SecretCache.md) + [SecretCacheConfiguration](retrieving-secrets_cache-java-ref_SecretCacheConfiguration.md) + [SecretCacheHook](retrieving-secrets_cache-java-ref_SecretCacheHook.md) **Example Retrieve a secret** The following code example shows a Lambda function that retrieves a secret string. It follows the [best practice](https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html) of instantiating the cache outside of the function handler, so it doesn't keep calling the API if you call the Lambda function again. ``` package com.amazonaws.secretsmanager.caching.examples; import com.amazonaws.services.lambda.runtime.Context; import com.amazonaws.services.lambda.runtime.RequestHandler; import com.amazonaws.services.lambda.runtime.LambdaLogger; import com.amazonaws.secretsmanager.caching.SecretCache; public class SampleClass implements RequestHandler { private final SecretCache cache = new SecretCache(); @Override public String handleRequest(String secretId, Context context) { final String secret = cache.getSecretString(secretId); // Use the secret, return success; } } ``` # SecretCache An in-memory cache for secrets requested from Secrets Manager. You use [getSecretString](#retrieving-secrets_cache-java-ref_SecretCache-methods-getSecretString) or [getSecretBinary](#retrieving-secrets_cache-java-ref_SecretCache-methods-getSecretBinary) to retrieve a secret from the cache. You can configure the cache settings by passing in a [SecretCacheConfiguration](retrieving-secrets_cache-java-ref_SecretCacheConfiguration.md) object in the constructor. For more information, including examples, see [Get a Secrets Manager secret value using Java with client-side caching](retrieving-secrets_cache-java.md). ## Constructors `public SecretCache()` Default constructor for a `SecretCache` object. `public SecretCache(AWSSecretsManagerClientBuilder builder)` Constructs a new cache using a Secrets Manager client created using the provided [https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/secretsmanager/AWSSecretsManagerClientBuilder.html](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/secretsmanager/AWSSecretsManagerClientBuilder.html). Use this constructor to customize the Secrets Manager client, for example to use a specific Region or endpoint. `public SecretCache(AWSSecretsManager client)` Constructs a new secret cache using the provided [https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/secretsmanager/AWSSecretsManagerClient.html](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/secretsmanager/AWSSecretsManagerClient.html). Use this constructor to customize the Secrets Manager client, for example to use a specific Region or endpoint. `public SecretCache(SecretCacheConfiguration config)` Constructs a new secret cache using the provided `SecretCacheConfiguration`. ## Methods ### getSecretString `public String getSecretString(final String secretId)` Retrieves a string secret from Secrets Manager. Returns a [https://docs.oracle.com/javase/7/docs/api/java/lang/String.html?is-external=true](https://docs.oracle.com/javase/7/docs/api/java/lang/String.html?is-external=true). ### getSecretBinary `public ByteBuffer getSecretBinary(final String secretId)` Retrieves a binary secret from Secrets Manager. Returns a [https://docs.oracle.com/javase/7/docs/api/java/nio/ByteBuffer.html](https://docs.oracle.com/javase/7/docs/api/java/nio/ByteBuffer.html). ### refreshNow `public boolean refreshNow(final String secretId) throws InterruptedException` Forces the cache to refresh. Returns `true` if the refresh completed without error, otherwise `false`. ### close `public void close()` Closes the cache. # SecretCacheConfiguration Cache configuration options for a [SecretCache](retrieving-secrets_cache-java-ref_SecretCache.md), such as max cache size and Time to Live (TTL) for cached secrets. ## Constructor `public SecretCacheConfiguration` Default constructor for a `SecretCacheConfiguration` object. ## Methods ### getClient `public AWSSecretsManager getClient()` Returns the [https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/secretsmanager/AWSSecretsManagerClient.html](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/secretsmanager/AWSSecretsManagerClient.html) that the cache retrieves secrets from. ### setClient `public void setClient(AWSSecretsManager client)` Sets the [https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/secretsmanager/AWSSecretsManagerClient.html](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/secretsmanager/AWSSecretsManagerClient.html) client that the cache retrieves secrets from. ### getCacheHook `public SecretCacheHook getCacheHook()` Returns the [SecretCacheHook](retrieving-secrets_cache-java-ref_SecretCacheHook.md) interface used to hook cache updates. ### setCacheHook `public void setCacheHook(SecretCacheHook cacheHook)` Sets the [SecretCacheHook](retrieving-secrets_cache-java-ref_SecretCacheHook.md) interface used to hook cache updates. ### getMaxCacheSize `public int getMaxCacheSize()` Returns the maximum cache size. The default is 1024 secrets. ### setMaxCacheSize `public void setMaxCacheSize(int maxCacheSize)` Sets the maximum cache size. The default is 1024 secrets. ### getCacheItemTTL `public long getCacheItemTTL()` Returns the TTL in milliseconds for the cached items. When a cached secret exceeds this TTL, the cache retrieves a new copy of the secret from the [https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/secretsmanager/AWSSecretsManagerClient.html](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/secretsmanager/AWSSecretsManagerClient.html). The default is 1 hour in milliseconds. The cache refreshes the secret synchronously when the secret is requested after the TTL. If the synchronous refresh fails, the cache returns the stale secret. ### setCacheItemTTL `public void setCacheItemTTL(long cacheItemTTL)` Sets the TTL in milliseconds for the cached items. When a cached secret exceeds this TTL, the cache retrieves a new copy of the secret from the [https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/secretsmanager/AWSSecretsManagerClient.html](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/secretsmanager/AWSSecretsManagerClient.html). The default is 1 hour in milliseconds. ### getVersionStage `public String getVersionStage()` Returns the version of secrets that you want to cache. For more information, see [Secret versions](whats-in-a-secret.md#term_version). The default is` "AWSCURRENT"`. ### setVersionStage `public void setVersionStage(String versionStage)` Sets the version of secrets that you want to cache. For more information, see [Secret versions](whats-in-a-secret.md#term_version). The default is `"AWSCURRENT"`. ### SecretCacheConfiguration withClient `public SecretCacheConfiguration withClient(AWSSecretsManager client)` Sets the [https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/secretsmanager/AWSSecretsManagerClient.html](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/secretsmanager/AWSSecretsManagerClient.html) to retrieve secrets from. Returns the updated `SecretCacheConfiguration` object with the new setting. ### SecretCacheConfiguration withCacheHook `public SecretCacheConfiguration withCacheHook(SecretCacheHook cacheHook)` Sets the interface used to hook the in-memory cache. Returns the updated `SecretCacheConfiguration` object with the new setting. ### SecretCacheConfiguration withMaxCacheSize `public SecretCacheConfiguration withMaxCacheSize(int maxCacheSize)` Sets the maximum cache size. Returns the updated `SecretCacheConfiguration` object with the new setting. ### SecretCacheConfiguration withCacheItemTTL `public SecretCacheConfiguration withCacheItemTTL(long cacheItemTTL)` Sets the TTL in milliseconds for the cached items. When a cached secret exceeds this TTL, the cache retrieves a new copy of the secret from the [https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/secretsmanager/AWSSecretsManagerClient.html](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/secretsmanager/AWSSecretsManagerClient.html). The default is 1 hour in milliseconds. Returns the updated `SecretCacheConfiguration` object with the new setting. ### SecretCacheConfiguration withVersionStage `public SecretCacheConfiguration withVersionStage(String versionStage)` Sets the version of secrets that you want to cache. For more information, see [Secret versions](whats-in-a-secret.md#term_version). Returns the updated `SecretCacheConfiguration` object with the new setting. # SecretCacheHook An interface to hook into a [SecretCache](retrieving-secrets_cache-java-ref_SecretCache.md) to perform actions on the secrets being stored in the cache. ## put `Object put(final Object o)` Prepare the object for storing in the cache. Returns the object to store in the cache. ## get `Object get(final Object cachedObject)` Derive the object from the cached object. Returns the object to return from the cache