When connecting to a data location or dashboard data source, Semarchy xDM Data Management 5.3 does all of the magic to handle AWS Secrets Management automatically (if you use AWS Secrets Manager).
But connecting to the repository is a different story. The tool needs to connect to the repository in order to launch... so it cannot perform its magic in an analogous way.
To handle rotating credentials for a repository, you need to use Amazon's JDBC driver and update the connection configuration for the repository.
Get the AWS JDBC Driver
Official Driver. The driver is provided by Amazon. The official docs describe how to use it and include a link to download the driver .jar file.
Be sure to get the driver and all dependencies (your precise version numbers may vary):
aws-java-sdk-core-1.11.418.jar
aws-java-sdk-secretsmanager-1.11.418.jar
aws-secretsmanager-caching-java-1.0.1.jar
aws-secretsmanager-jdbc-1.0.6.jar
commons-codec-1.10.jar
commons-logging-1.1.3.jar
httpclient-4.5.5.jar
httpcore-4.4.9.jar
ion-java-1.0.2.jar
jackson-annotations-2.10.3.jar
jackson-core-2.10.3.jar
jackson-databind-2.10.3.jar
jackson-dataformat-cbor-2.6.7.jar
jmespath-java-1.11.418.jar
joda-time-2.8.1.jar
Deploy the Driver
The official documentation explains how/where to deploy JDBC drivers. Tip: Many users of AWS Secrets Manager will use the Semarchy xDM instance available on AWS Marketplace. If you use that environment, then the JDBC drivers are located here:
Configure the Driver
There are multiple ways to configure the repository connection information. Here's an example using environment variables:
# Repository datasource
export XDM_REPOSITORY_DRIVER=com.amazonaws.secretsmanager.sql.AWSSecretsManagerPostgreSQLDriver
export XDM_REPOSITORY_URL=jdbc-secretsmanager:postgresql://myserver.cdm34ibs42so.us-west-1.rds.amazonaws.com:5432/semarchy
export XDM_REPOSITORY_USERNAME=semarchy_repository
export XDM_REPOSITORY_PASSWORD=not_used
export XDM_REPOSITORY_READONLY_USERNAME=semarchy_repository_readonly
export XDM_REPOSITORY_READONLY_PASSWORD=not_used
Notice that the property name is XDM_REPOSITORY_USERNAME, but in this configuration we are actually passing in the name of the secret, not the name of the user. It is also possible to pass in the secret using its ARN (the ARN has this form:
The secret contains the username and the password. (The secret also contains the engine, host, port, etc. But this configuration retrieves only the username and password.) Therefore any value may be used for XDM_REPOSITORY_PASSWORD, and this value will be ignored.
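A preflight check for the settings above, added here as an example (it is not Semarchy's or Amazon's code): it confirms that the driver class and URL prefix are the Secrets Manager wrapper forms shown on this page, that the username variable carries a secret identifier, and that no static credentials are embedded in the URL. The function name check_repo_datasource and the hostname db.example.internal are assumptions.

```shell
#!/bin/sh
# Added example: preflight check for the repository datasource settings.
# The function name is hypothetical; the expected driver class and URL
# prefix are the ones used in the configuration on this page.

WRAPPER_DRIVER='com.amazonaws.secretsmanager.sql.AWSSecretsManagerPostgreSQLDriver'
WRAPPER_URL_PREFIX='jdbc-secretsmanager:postgresql://'

# check_repo_datasource DRIVER URL SECRET_ID
# Prints one line per finding; returns 0 when consistent, 1 otherwise.
check_repo_datasource() {
    driver=$1 url=$2 secret_id=$3 rc=0

    if [ "$driver" != "$WRAPPER_DRIVER" ]; then
        echo "FAIL driver is not the Secrets Manager wrapper: $driver"
        rc=1
    fi
    # The wrapper driver only handles URLs that carry its own prefix.
    case $url in
        "$WRAPPER_URL_PREFIX"*) ;;
        *) echo "FAIL URL must start with $WRAPPER_URL_PREFIX"; rc=1 ;;
    esac
    # PostgreSQL JDBC URLs accept user= and password= parameters; static
    # credentials there would sit outside the rotated secret.
    case $url in
        *'?user='*|*'&user='*|*'?password='*|*'&password='*)
            echo "FAIL URL embeds user/password parameters"; rc=1 ;;
    esac
    # The username variable must hold the secret name or ARN.
    if [ -z "$secret_id" ]; then
        echo "FAIL username variable is empty; it must name the secret"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK repository datasource settings are consistent"
    return "$rc"
}

# Constructed sample values (placeholder hostname) are used when the
# XDM_REPOSITORY_* variables are not set in the current environment.
check_repo_datasource \
    "${XDM_REPOSITORY_DRIVER:-$WRAPPER_DRIVER}" \
    "${XDM_REPOSITORY_URL:-jdbc-secretsmanager:postgresql://db.example.internal:5432/semarchy}" \
    "${XDM_REPOSITORY_USERNAME:-semarchy_repository}" || true
```

The same function can be run against the XDM_REPOSITORY_READONLY_* values by passing the read-only secret name as the third argument.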