AWS Secrets Manager with Spring Boot

Viyaan Jhiingade
3 min read · Oct 22, 2020

Since our micro-services are built on Spring, we use the Spring Cloud AWS dependency below to read entries from AWS Secrets Manager and let them override the sensitive values otherwise defined in application.properties / application.yml files.

Add the following dependency to your Spring Boot pom file:

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-aws-secrets-manager-config</artifactId>
    <version>2.1.3.RELEASE</version>
</dependency>

Spring Boot Configuration

Add a spring.factories file under resources/META-INF with the contents below, and put the Java class it references in the same Maven module.

The spring.factories file is loaded automatically by Spring at startup. It lists configuration classes to register; here it registers the bootstrap configuration that creates the Secrets Manager client.

spring.factories

org.springframework.cloud.bootstrap.BootstrapConfiguration=com.secrets.manager.springsecretsmanager.config.AwsSecretsManagerBootstrapConfiguration

Now let's use the AWS SDK to build the Secrets Manager client.

AwsSecretsManagerBootstrapConfiguration.java

package com.secrets.manager.springsecretsmanager.config;

import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.aws.secretsmanager.AwsSecretsManagerProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import com.amazonaws.services.secretsmanager.AWSSecretsManager;
import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;

/**
 * Bootstrap configuration that supplies the AWSSecretsManager client used by
 * Spring Cloud AWS to load secrets before the main application context starts.
 * Registered through META-INF/spring.factories under BootstrapConfiguration.
 */
@Configuration
@EnableConfigurationProperties(AwsSecretsManagerProperties.class)
@ConditionalOnClass({ AWSSecretsManager.class })
// Active unless aws.secretsmanager.enabled=false is set.
@ConditionalOnProperty(prefix = AwsSecretsManagerProperties.CONFIG_PREFIX, name = "enabled", matchIfMissing = true)
public class AwsSecretsManagerBootstrapConfiguration {

    // Hardcoded for brevity; in production prefer the SDK's default region provider
    // chain (drop withRegion) or an externalised property so the same jar runs in any region.
    public static final String REGION = "us-east-1";

    // @ConditionalOnMissingBean lets an application supply its own client
    // (for example one using an assumed role) without this bean getting in the way.
    @Bean
    @ConditionalOnMissingBean
    AWSSecretsManager smClient() {
        // Credentials come from the SDK default credentials provider chain
        // (environment, profile, instance/container role), never from properties files.
        return AWSSecretsManagerClientBuilder.standard().withRegion(REGION).build();
    }
}

Add the entries below to application.properties to suppress auto-configuration of the other AWS services. They would otherwise try to contact AWS at startup (for example to auto-detect the region or CloudFormation stack) and can fail when the application is not running inside AWS.

Add a bootstrap.yml file with the contents below to the resources directory of a module on the classpath, so that Spring Cloud reads it in the bootstrap phase, before the main Spring Boot context starts.

https://cloud.spring.io/spring-cloud-aws/2.1.x/multi/multi__cloud_environment.html

Tweak the keys in bootstrap.yml to your own values. With the configuration above, Spring Cloud looks up Secrets Manager entries with names like the following (the active profile is appended as a suffix) and adds them to the Spring Environment as a property source:

/bytenovus/sm/datasource_credentials

Spring Cloud fetches the secrets with these names and exposes their key/value pairs as properties, overriding the values defined in the application properties/YAML files.

Suppose application-dev.properties has an entry like this:

some.key=some.value

With the above configuration, if the secret /bytenovus/sm/datasource_credentials_dev contains the key/value pair

some.key=some.value1

then reading some.key through @Value returns some.value1: the Secrets Manager property source takes precedence over the value in the properties file.
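To make the override rule concrete, here is an added example (not code from the original post or from Spring Cloud AWS) that models what the Secrets Manager property source does under the hood: build the candidate secret names from prefix, name and profile, fetch each one, parse the secret string as a JSON object, and let the more specific secret win over the less specific one and over application-dev.properties. The class name, the fake client and the sample secrets are constructed for the example; the prefix/default-context naming follows Spring Cloud AWS, but the lookup order is simplified to a single active profile.

```java
package com.secrets.manager.springsecretsmanager.example;

import java.io.IOException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import com.amazonaws.services.secretsmanager.AWSSecretsManager;
import com.amazonaws.services.secretsmanager.AbstractAWSSecretsManager;
import com.amazonaws.services.secretsmanager.model.GetSecretValueRequest;
import com.amazonaws.services.secretsmanager.model.GetSecretValueResult;
import com.amazonaws.services.secretsmanager.model.ResourceNotFoundException;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;

// Added example, not code from the original post: models how Spring Cloud AWS
// turns Secrets Manager entries into Spring properties. Class and method names
// and the sample secrets are illustrative.
public class SecretContextResolutionExample {

    private static final ObjectMapper MAPPER = new ObjectMapper();

    // Secret names to read for one active profile, least specific first:
    // prefix/defaultContext, prefix/defaultContext_profile, prefix/name, prefix/name_profile.
    static List<String> contexts(String prefix, String defaultContext, String name,
                                 String profileSeparator, String profile) {
        List<String> names = new ArrayList<>();
        names.add(prefix + "/" + defaultContext);
        names.add(prefix + "/" + defaultContext + profileSeparator + profile);
        names.add(prefix + "/" + name);
        names.add(prefix + "/" + name + profileSeparator + profile);
        return names;
    }

    // Reads each context and merges them so later (more specific) entries win. Each
    // SecretString must be a JSON object of string values, which is what the console's
    // key/value editor stores; a plain-string secret is rejected with a clear error.
    static Map<String, String> resolve(AWSSecretsManager client, List<String> contexts, boolean failFast) {
        Map<String, String> merged = new LinkedHashMap<>();
        for (String context : contexts) {
            try {
                GetSecretValueResult result =
                        client.getSecretValue(new GetSecretValueRequest().withSecretId(context));
                Map<String, String> entries = MAPPER.readValue(result.getSecretString(),
                        new TypeReference<Map<String, String>>() { });
                merged.putAll(entries);
            } catch (ResourceNotFoundException e) {
                // An optional context (e.g. no "_dev" secret yet) is skipped unless fail-fast is on.
                if (failFast) {
                    throw new IllegalStateException("Missing required secret " + context, e);
                }
            } catch (IOException e) {
                throw new IllegalStateException("Secret " + context + " is not a JSON object of key/value pairs", e);
            }
        }
        return merged;
    }

    // A key found in Secrets Manager overrides the same key from application-*.properties.
    static String effective(Map<String, String> secrets, Map<String, String> localProperties, String key) {
        String fromSecrets = secrets.get(key);
        return fromSecrets != null ? fromSecrets : localProperties.get(key);
    }

    // Offline stand-in for the real client; only getSecretValue is needed here.
    static AWSSecretsManager fakeClient(Map<String, String> secretJsonByName) {
        return new AbstractAWSSecretsManager() {
            @Override
            public GetSecretValueResult getSecretValue(GetSecretValueRequest request) {
                String json = secretJsonByName.get(request.getSecretId());
                if (json == null) {
                    throw new ResourceNotFoundException("Secrets Manager can't find the specified secret.");
                }
                return new GetSecretValueResult().withName(request.getSecretId()).withSecretString(json);
            }
        };
    }

    public static void main(String[] args) {
        // Constructed sample secrets, stored as JSON just as the console's key/value tab does.
        Map<String, String> store = new HashMap<>();
        store.put("/bytenovus/sm/datasource_credentials", "{\"some.key\":\"some.value\",\"db.user\":\"app_user\"}");
        store.put("/bytenovus/sm/datasource_credentials_dev", "{\"some.key\":\"some.value1\"}");
        List<String> contexts = contexts("/bytenovus/sm", "application", "datasource_credentials", "_", "dev");
        Map<String, String> secrets = resolve(fakeClient(store), contexts, false);

        // Constructed stand-in for application-dev.properties.
        Map<String, String> local = new HashMap<>();
        local.put("some.key", "some.value");
        local.put("server.port", "8080");
        System.out.println("some.key    = " + effective(secrets, local, "some.key"));
        System.out.println("db.user     = " + effective(secrets, local, "db.user"));
        System.out.println("server.port = " + effective(secrets, local, "server.port"));
    }
}
```

Running main resolves some.key to some.value1 (the _dev secret wins), db.user to app_user (inherited from the unprofiled secret) and server.port to 8080 (only in the local properties), which is the same outcome as the @Value example above. Two things worth checking in your own setup follow from this: the secret must be stored as key/value pairs, since a plain-text secret string will not parse into properties, and a missing profile-specific secret is silently skipped unless fail-fast is on, so a typo in the secret name quietly falls back to the unprofiled values.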

Note: set the enabled flag to false (aws.secretsmanager.enabled=false) when running in a local environment to disable reading from AWS Secrets Manager; the application then falls back to the values in the local properties files.

Reference to the Code

AWS Console

The steps used to create a secret in the AWS Secrets Manager console are shown below. Store the secret as key/value pairs: Spring Cloud reads the secret string as a JSON object and turns each key into a property, so a plain-text secret will not map onto your configuration keys.

Click Next.

Now set up the automatic rotation policy.

Once the rotation policy is set, click Store.

Refer to my YouTube video, where I have explained this in more depth.
