How to integrate AWS Secret Manager with Spring Boot Application

9
votes

I have a requirement to retrieve credentials from AWS Secret Manager, and I found that I need to add the gradle dependency for the following starter 

spring-cloud-starter-aws-secrets-manager-config

Also, i found that I need to add the following settings in Bootstrap.yml

Property Configurations

I'm unclear how secret key could be accessed in my Spring Boot Application if someone could chime in much appreciated.

3
amazon-web-servicesspring-bootaws-secrets-manager
When do you need these credentials/what are these credentials for? You could retrieve these credentials at runtime - docs.aws.amazon.com/code-samples/latest/catalog/…committedandroider
I figured out that there is no additional configuration required only thing need to be completed is setting up my secrets in AWS secret manager console.All the secrets are available with specific key I have specified.pubudut

3 Answers

7
votes

I would like to share my findings on SecretManager integration with Spring Boot application.

Step 1. Add spring-cloud-starter-aws-secrets-manager-config dependency in Spring Boot Application ( Gradle and Maven ways of adding dependency is different).

Step 2. Add the following configuration in bootstrap.yml file.

aws:
  secretsmanager:
    prefix: /secret
    defaultContext: application
    profileSeparator: _
    failFast: true
    name: <service_name>
    enabled: true

Step 3. create secrets in AWS Management console for the region required.

There are two secrets contexts

  1. Application context - Shared secrets across all services.
  2. Service context - secrets specific to service.

Final note on creating secrets,Secrets could be created for each environments.

For example,

/secret/service_name_dev/username

/secret/service_name_prod/username

Application context secrets could be created according to following format.

/secret/application/username

Once Spring Boot application started with above settings, Application will load secrets from AWS Secret Manager based on active profile.

For example, for a dev profile, it will load the secret /secret/service_name_dev/username, and the value could be accessed in configuration as well as in classes using ${username} mapping.

2
votes

For enabling aws secrets manager with spring boot application configuration is not required We are just required to add below dependencies

<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-aws-secrets-manager-config</artifactId>
<!--<version> As per your spring-cloud-dependencies And starter parent version 
</version>-->
</dependency>

If you are not having spring-cloud-context dependency add the same in your pom as well.

It enables the spring app to connect to your cloud and after that you can read secrets same way as you read them from properties file. You can customize the properties configuration if you want, read the spring docs. https://cloud.spring.io/spring-cloud-aws/2.1.x/multi/multi__cloud_environment.html

After adding above changes to your code lets move to aws console and open secrets manger to add new secret for our application and follow below steps Lets assume we are having a spring.application.name=secretmanagerboot and parameter name as "com.secretmanagerboot.secret.param1" and its value is "secretvalue"

  1. Click store on new secret
  2. Select Other Types of secrets
  3. Add parameter name as "com.secretmanagerboot.secret.param1" and parameter value as "secretvalue"
  4. Click Next
  5. Add secret name as secretmanagerboot<_PROFILE> You can add description if you want.
  6. Click Next and select your rotation policy

You can access your param in application as @Value("${com.secretmanagerboot.secret.param1}")

1
votes

The answer above maybe wrong. The configuration store in secret manager should be: key: /secret/application value: {"username":"test"}