Overview

When connecting to a data location or dashboard data source, Semarchy xDM Data Management 5.3 does all of the magic to handle AWS Secrets Management automatically (if you use AWS Secrets Manager).

But connecting to the repository is a different story. The tool needs to connect to the repository in order to launch... so it cannot perform its magic in an analogous way.

To handle rotating credentials for a repository, you need to use Amazon's JDBC driver and update the connection configuration for the repository.

Steps

Get the AWS JDBC Driver

Official Driver. The driver is provided by Amazon. The official docs describe how to use it and include a link to download the driver .jar file.

Be sure to download the driver and all of its dependencies (your precise version numbers may vary):

aws-java-sdk-core-1.11.418.jar
aws-java-sdk-secretsmanager-1.11.418.jar
aws-secretsmanager-caching-java-1.0.1.jar
aws-secretsmanager-jdbc-1.0.6.jar
commons-codec-1.10.jar
commons-logging-1.1.3.jar
httpclient-4.5.5.jar
httpcore-4.4.9.jar
ion-java-1.0.2.jar
jackson-annotations-2.10.3.jar
jackson-core-2.10.3.jar
jackson-databind-2.10.3.jar
jackson-dataformat-cbor-2.6.7.jar
jmespath-java-1.11.418.jar
joda-time-2.8.1.jar

Deploy the Driver

Semarchy documentation about deploying JDBC Drivers.

The official documentation explains how and where to deploy JDBC drivers. Tip: many users of AWS Secrets Manager run the Semarchy xDM instance available on AWS Marketplace. In that environment, the JDBC drivers are located here:

/var/lib/tomcat9/lib/

Configure the Driver

Semarchy documentation about startup configuration.

There are multiple ways to configure the repository connection information. Here's an example using environment variables:

# Repository datasource
export XDM_REPOSITORY_DRIVER=com.amazonaws.secretsmanager.sql.AWSSecretsManagerPostgreSQLDriver
export XDM_REPOSITORY_URL=jdbc-secretsmanager:postgresql://myserver.cdm34ibs42so.us-west-1.rds.amazonaws.com:5432/semarchy
export XDM_REPOSITORY_USERNAME=semarchy_repository
export XDM_REPOSITORY_PASSWORD=not_used
export XDM_REPOSITORY_READONLY_USERNAME=semarchy_repository_readonly
export XDM_REPOSITORY_READONLY_PASSWORD=not_used

Notice that the property name is XDM_REPOSITORY_USERNAME, but in this configuration the value is the name of the secret, not the name of a database user. It is also possible to pass the secret using its ARN (an ARN has this form: arn:aws:secretsmanager:us-west-1:285620823592:secret:semarchy_repository-VDAlaP).

The secret contains the username and the password. (The secret also contains the engine, host, port, etc., but this configuration retrieves only the username and password.) Therefore any value may be used for XDM_REPOSITORY_PASSWORD; the driver ignores it.
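Because xDM cannot start without its repository, a mis-typed driver class, URL prefix or secret identifier only shows up as a failed launch. The script below is an added example (not Semarchy's or Amazon's code) that checks the two steps above before Tomcat is started: it verifies that the XDM_REPOSITORY_* values fit the Secrets Manager driver (driver class from Amazon, jdbc-secretsmanager: URL prefix, username that is a secret name or ARN rather than a database user) and that the driver jars from the list above are present in the Marketplace image's /var/lib/tomcat9/lib/ directory. The allowed secret-name characters follow Amazon's documented naming rule; the optional first argument overriding the lib directory is this script's own convention, not an xDM setting.

```shell
#!/bin/sh
# Added example, not part of the Semarchy or AWS documentation: a pre-flight
# check of the repository datasource settings for the Secrets Manager driver.

# check_repository_config DRIVER URL USERNAME
# Returns 0 when the three values fit the Secrets Manager JDBC driver, 1 otherwise.
check_repository_config() {
  driver="$1"; url="$2"; username="$3"
  status=0
  # The driver class must be one of Amazon's wrapper drivers.
  case "$driver" in
    com.amazonaws.secretsmanager.sql.AWSSecretsManager*Driver) ;;
    *) echo "driver $driver is not an AWS Secrets Manager JDBC driver" >&2; status=1 ;;
  esac
  # The wrapper driver recognizes its URLs by the jdbc-secretsmanager: prefix.
  case "$url" in
    jdbc-secretsmanager:*) ;;
    *) echo "URL must start with jdbc-secretsmanager: (got: $url)" >&2; status=1 ;;
  esac
  # USERNAME is the secret name or secret ARN, not a database user.
  # Secret names may contain ASCII letters, digits and the characters /_+=.@-
  case "$username" in
    arn:aws:secretsmanager:*:*:secret:*) ;;
    "") echo "username (secret name or ARN) is empty" >&2; status=1 ;;
    *[!A-Za-z0-9/_+=.@-]*) echo "username '$username' is not a valid secret name" >&2; status=1 ;;
  esac
  return $status
}

# check_driver_jars LIBDIR PREFIX...
# Returns 0 when every PREFIX-<version>.jar exists in LIBDIR, 1 otherwise.
check_driver_jars() {
  libdir="$1"; shift
  missing=0
  for prefix in "$@"; do
    # An unmatched glob stays literal, so ls fails and the gap is reported.
    if ! ls "$libdir/$prefix"-*.jar >/dev/null 2>&1; then
      echo "missing $prefix-<version>.jar in $libdir" >&2
      missing=1
    fi
  done
  return $missing
}

# Usage: export the XDM_REPOSITORY_* variables, then run this script. The
# optional first argument overrides the Marketplace image's lib directory
# (that argument is this script's convention, not an xDM setting).
if [ -n "${XDM_REPOSITORY_DRIVER:-}" ]; then
  if check_repository_config "$XDM_REPOSITORY_DRIVER" "${XDM_REPOSITORY_URL:-}" "${XDM_REPOSITORY_USERNAME:-}" \
     && check_driver_jars "${1:-/var/lib/tomcat9/lib}" aws-secretsmanager-jdbc aws-secretsmanager-caching-java aws-java-sdk-secretsmanager aws-java-sdk-core; then
    echo "repository datasource configuration looks consistent"
  fi
fi
```

The jar check only confirms that a file with the expected name prefix exists; it does not validate versions, so keep the dependency versions in step with the driver version you downloaded.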