open-feature · mahpatil · Apr 9, 2026 · gemini-code-assist · Apr 9, 2026 · gemini-code-assist
@@ -11,6 +11,7 @@
   "providers/statsig": "0.2.1",
   "providers/multiprovider": "0.0.3",
   "providers/ofrep": "0.0.1",
+  "providers/gcp-secret-manager": "0.0.1",
   "tools/junit-openfeature": "0.2.1",
   "tools/flagd-http-connector": "0.0.4",
   "tools/flagd-api": "1.0.0",

@@ -45,6 +45,7 @@
         <module>providers/optimizely</module>
         <module>providers/multiprovider</module>
         <module>providers/ofrep</module>
+        <module>providers/gcp-secret-manager</module>
         <module>tools/flagd-http-connector</module>
     </modules>
 

@@ -0,0 +1 @@
+
-
+# Changelog
+
+## 0.0.1
+
+### ✨ New Features
+
+* Initial release of the GCP Secret Manager OpenFeature provider.
-
+# Changelog
+
+## 0.0.1
+
+### ✨ New Features
+
+* Initial release of the GCP Secret Manager OpenFeature provider.
@@ -0,0 +1,121 @@
+# GCP Secret Manager Provider
+
+An OpenFeature provider that reads feature flags from [Google Cloud Secret Manager](https://cloud.google.com/secret-manager), purpose-built for secrets requiring versioning, rotation, and fine-grained IAM access control.
+
+## Installation
+
+<!-- x-release-please-start-version -->
+```xml
+<dependency>
+    <groupId>dev.openfeature.contrib.providers</groupId>
+    <artifactId>gcp-secret-manager</artifactId>
+    <version>0.0.1</version>
+</dependency>
+```
+<!-- x-release-please-end-version -->
+
+## Quick Start
+
+```java
+import dev.openfeature.contrib.providers.gcpsecretmanager.GcpSecretManagerProvider;
+import dev.openfeature.contrib.providers.gcpsecretmanager.GcpSecretManagerProviderOptions;
+import dev.openfeature.sdk.OpenFeatureAPI;
+
+GcpSecretManagerProviderOptions options = GcpSecretManagerProviderOptions.builder()
+    .projectId("my-gcp-project")
+    .build();
+
+OpenFeatureAPI.getInstance().setProvider(new GcpSecretManagerProvider(options));
+
+// Evaluate a boolean flag stored as secret "enable-dark-mode" with value "true"
+boolean darkMode = OpenFeatureAPI.getInstance().getClient()
+    .getBooleanValue("enable-dark-mode", false);
+```
+
+## How It Works
+
+Each feature flag is stored as an individual **secret** in GCP Secret Manager. The flag key maps directly to the secret name (with an optional prefix). The `latest` version is accessed by default.
+
+Supported raw value formats:
+
+| Flag type | Secret value example |
+|-----------|---------------------|
+| Boolean   | `true` or `false`   |
+| Integer   | `42`                |
+| Double    | `3.14`              |
+| String    | `dark-mode`         |
+| Object    | `{"color":"blue","level":3}` |
+
+## Authentication
+
+The provider uses [Application Default Credentials (ADC)](https://cloud.google.com/docs/authentication/provide-credentials-adc) by default. No explicit credentials are required when running on GCP infrastructure (Cloud Run, GKE, Compute Engine) or when `gcloud auth application-default login` has been run locally.
+
+To use explicit credentials:
+
+```java
+import com.google.auth.oauth2.ServiceAccountCredentials;
+import java.io.FileInputStream;
+
+GoogleCredentials credentials = ServiceAccountCredentials.fromStream(
+    new FileInputStream("/path/to/service-account-key.json"));
+
+GcpSecretManagerProviderOptions options = GcpSecretManagerProviderOptions.builder()
+    .projectId("my-gcp-project")
+    .credentials(credentials)
+    .build();
+```
+
+## Configuration Options
+
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `projectId` | `String` | *(required)* | GCP project ID that owns the secrets |
+| `credentials` | `GoogleCredentials` | `null` (ADC) | Explicit credentials; falls back to Application Default Credentials when null |
+| `secretVersion` | `String` | `"latest"` | Secret version to access. Use `"latest"` for the current version or a numeric string (e.g. `"3"`) to pin to a specific version |
+| `cacheExpiry` | `Duration` | `5 minutes` | How long fetched secret values are cached before re-fetching from GCP |
+| `cacheMaxSize` | `int` | `500` | Maximum number of secret values held in the in-memory cache |
+| `secretNamePrefix` | `String` | `null` | Optional prefix prepended to every flag key. E.g. prefix `"ff-"` maps flag `"my-flag"` to secret `"ff-my-flag"` |
+
+## Advanced Usage
+
+### Pinning to a specific secret version
+
+```java
+GcpSecretManagerProviderOptions options = GcpSecretManagerProviderOptions.builder()
+    .projectId("my-gcp-project")
+    .secretVersion("5")  // always use version 5
+    .build();
+```
+
+### Secret name prefix
+
+```java
+GcpSecretManagerProviderOptions options = GcpSecretManagerProviderOptions.builder()
+    .projectId("my-gcp-project")
+    .secretNamePrefix("feature-flags/")
+    .build();
+```
+
+### Tuning cache for high-throughput scenarios
+
+Secret Manager has API quotas (10,000 access operations per minute per project). Use a longer `cacheExpiry` to stay within quota.
+
+```java
+GcpSecretManagerProviderOptions options = GcpSecretManagerProviderOptions.builder()
+    .projectId("my-gcp-project")
+    .cacheExpiry(Duration.ofMinutes(10))
+    .cacheMaxSize(1000)
+    .build();
+```
+
+## Running Integration Tests
+
+Integration tests require real GCP credentials and pre-created test secrets.
+
+1. Configure ADC: `gcloud auth application-default login`
+2. Create test secrets in your project (see `GcpSecretManagerProviderIntegrationTest` for the required secret names and values)
+3. Run:
+
+```bash
+GCP_PROJECT_ID=my-project mvn verify -pl providers/gcp-secret-manager -Dgroups=integration
+```
@@ -0,0 +1,77 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
+           https://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>dev.openfeature.contrib</groupId>
+        <artifactId>parent</artifactId>
+        <version>[1.0,2.0)</version>
+        <relativePath>../../pom.xml</relativePath>
+    </parent>
+
+    <groupId>dev.openfeature.contrib.providers</groupId>
+    <artifactId>gcp-secret-manager</artifactId>
+    <version>0.0.1</version> <!--x-release-please-version -->
+
+    <properties>
+        <!-- "-" is not allowed in automatic module names -->
+        <module-name>${groupId}.gcpsecretmanager</module-name>
+    </properties>
+
+    <name>gcp-secret-manager</name>
+    <description>GCP Secret Manager provider for OpenFeature Java SDK</description>
+    <url>https://openfeature.dev</url>
+
+    <developers>
+        <developer>
+            <id>openfeaturebot</id>
+            <name>OpenFeature Bot</name>
+            <organization>OpenFeature</organization>
+            <url>https://openfeature.dev/</url>
+        </developer>
+    </developers>
+
+    <dependencies>
+        <!-- GCP Secret Manager client -->
+        <dependency>
+            <groupId>com.google.cloud</groupId>
+            <artifactId>google-cloud-secretmanager</artifactId>
+            <version>2.57.0</version>
+        </dependency>
+
+        <!-- JSON parsing for structured flag values -->
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+            <version>2.21.1</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-api</artifactId>
+            <version>2.0.17</version>
+        </dependency>
+
+        <!-- test-only logging implementation -->
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-slf4j2-impl</artifactId>
+            <version>2.25.0</version>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <configuration>
+                    <excludedGroups>integration</excludedGroups>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+</project>
@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FindBugsFilter xmlns="https://github.com/spotbugs/filter/3.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="https://github.com/spotbugs/filter/3.0.0 https://raw.githubusercontent.com/spotbugs/spotbugs/3.1.0/spotbugs/etc/findbugsfilter.xsd">
+
+    <!-- Ignore generated dev.openfeature.flagd.grpc schemas -->
+    <Match>
+        <Package name="~dev\.openfeature\.flagd\.grpc.*" />
+    </Match>
+
+    <!-- Ignore generated dev.openfeature.flagd.sync schemas -->
+    <Match>
+        <Package name="~dev\.openfeature\.flagd\.sync.*" />
+    </Match>
+
+    <!-- Allow predictable random for backoff jitter generation -->
+    <Match>
+        <Class name="dev.openfeature.contrib.providers.flagd.resolver.common.backoff.BackoffService" />
+        <Bug pattern="PREDICTABLE_RANDOM" />
+    </Match>
+
+    <!-- Suppress: EI_EXPOSE_REP2 in ModuleMachine -->
+    <Match>
+        <Class name="dev.openfeature.contrib.providers.gofeatureflag.wasm.ModuleMachine"/>
+        <Bug pattern="EI_EXPOSE_REP2"/>
+    </Match>
+
+    <!-- Suppress: SKIPPED_CLASS_TOO_BIG in ModuleMachineFuncGroup_0 -->
+    <Match>
+        <Class name="dev.openfeature.contrib.providers.gofeatureflag.wasm.ModuleMachineFuncGroup_0"/>
+        <Bug pattern="SKIPPED_CLASS_TOO_BIG"/>
+    </Match>
+
+    <!-- All bugs in test classes, except for JUnit-specific bugs -->
+    <Match>
+        <Class name="~.*\.*Test" />
+        <Not>
+            <Bug code="IJU" />
+        </Not>
+    </Match>
+</FindBugsFilter>
@@ -0,0 +1,89 @@
+package dev.openfeature.contrib.providers.gcpsecretmanager;
+
+import java.time.Duration;
+import java.time.Instant;
+import java.util.Collections;
+import java.util.LinkedHashMap;
+import java.util.Map;
+import java.util.Optional;
+
+/**
+ * Thread-safe TTL-based in-memory cache for flag values fetched from GCP Secret Manager.
+ *
+ * <p>Entries expire after the configured {@code ttl}. When the cache reaches {@code maxSize},
+ * the entry with the earliest insertion time is evicted in O(1) via {@link LinkedHashMap}'s
+ * insertion-order iteration and {@code removeEldestEntry}.
+ */
+class FlagCache {
+
+    private final Map<String, CacheEntry> store;
+    private final Duration ttl;
+
+    FlagCache(Duration ttl, int maxSize) {
+        this.ttl = ttl;
+        this.store = Collections.synchronizedMap(
+                new LinkedHashMap<String, CacheEntry>(16, 0.75f, false) {
+                    @Override
+                    protected boolean removeEldestEntry(Map.Entry<String, CacheEntry> eldest) {
+                        return size() > maxSize;
+                    }
+                });
+    }
+
+    /**
+     * Returns the cached value for {@code key} if present and not expired.
+     *
+     * @param key the cache key
+     * @return an {@link Optional} containing the cached string, or empty if absent/expired
+     */
+    Optional<String> get(String key) {
+        CacheEntry entry = store.get(key);
+        if (entry == null) {
+            return Optional.empty();
+        }
+        if (entry.isExpired()) {
+            store.remove(key);
+            return Optional.empty();
+        }
+        return Optional.of(entry.value);
+    }
+
+    /**
+     * Stores {@code value} under {@code key}. Eviction of the oldest entry (when the cache is
+     * full) is handled automatically by the underlying {@link LinkedHashMap}.
+     *
+     * @param key   the cache key
+     * @param value the value to cache
+     */
+    void put(String key, String value) {
+        store.put(key, new CacheEntry(value, ttl));
+    }
+
+    /**
+     * Removes the entry for {@code key}, forcing re-fetch on next access.
+     *
+     * @param key the cache key to invalidate
+     */
+    void invalidate(String key) {
+        store.remove(key);
+    }
+
+    /** Removes all entries from the cache. */
+    void clear() {
+        store.clear();
+    }
+
+    private static final class CacheEntry {
+        final String value;
+        final Instant expiresAt;
+
+        CacheEntry(String value, Duration ttl) {
+            this.value = value;
+            this.expiresAt = Instant.now().plus(ttl);
+        }
+
+        boolean isExpired() {
+            return Instant.now().isAfter(expiresAt);
+        }
+    }
+}