How to integrate AWS Secret Manager with Spring Boot Application

Question

I have a requirement to retrieve credentials from AWS Secret Manager, and I found that I need to add the gradle dependency for the following starter

spring-cloud-starter-aws-secrets-manager-config

Also, i found that I need to add the following settings in Bootstrap.yml

Property Configurations

I'm unclear how secret key could be accessed in my Spring Boot Application if someone could chime in much appreciated.

Answer 1

I would like to share my findings on SecretManager integration with Spring Boot application.

Step 1. Add spring-cloud-starter-aws-secrets-manager-config dependency in Spring Boot Application ( Gradle and Maven ways of adding dependency is different).

Step 2. Add the following configuration in bootstrap.yml file.

aws:
  secretsmanager:
    prefix: /secret
    defaultContext: application
    profileSeparator: _
    failFast: true
    name: <service_name>
    enabled: true

Step 3. create secrets in AWS Management console for the region required.

There are two secrets contexts

1. Application context - Shared secrets across all services.
2. Service context - secrets specific to service.

Final note on creating secrets,Secrets could be created for each environments.

For example,

/secret/service_name_dev/username

/secret/service_name_prod/username

Application context secrets could be created according to following format.

/secret/application/username

Once Spring Boot application started with above settings, Application will load secrets from AWS Secret Manager based on active profile.

For example, for a dev profile, it will load the secret /secret/service_name_dev/username, and the value could be accessed in configuration as well as in classes using ${username} mapping.

Answer 2

For enabling aws secrets manager with spring boot application configuration is not required We are just required to add below dependencies

<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-aws-secrets-manager-config</artifactId>
<!--<version> As per your spring-cloud-dependencies And starter parent version 
</version>-->
</dependency>

If you are not having spring-cloud-context dependency add the same in your pom as well.

It enables the spring app to connect to your cloud and after that you can read secrets same way as you read them from properties file. You can customize the properties configuration if you want, read the spring docs. https://cloud.spring.io/spring-cloud-aws/2.1.x/multi/multi__cloud_environment.html

After adding above changes to your code lets move to aws console and open secrets manger to add new secret for our application and follow below steps Lets assume we are having a spring.application.name=secretmanagerboot and parameter name as "com.secretmanagerboot.secret.param1" and its value is "secretvalue"

1. Click store on new secret
2. Select Other Types of secrets
3. Add parameter name as "com.secretmanagerboot.secret.param1" and parameter value as "secretvalue"
4. Click Next
5. Add secret name as secretmanagerboot<_PROFILE> You can add description if you want.
6. Click Next and select your rotation policy

You can access your param in application as @Value("${com.secretmanagerboot.secret.param1}")

Answer 3

If you are using springboot 2.4+ the bootstrap method has been deprecated. The new way of integrate aws secret manager is this:

1. Add the following dependency to your app:

    <dependency> <groupId>io.awspring.cloud</groupId> <artifactId>spring-cloud-starter-aws-secrets-manager-config</artifactId> <version>${version}</version> </dependency>

2. Add the following configuration:

   spring.config.import: aws-secretsmanager:<your secret name in aws>

That's it!

Answer 4

The answer above maybe wrong. The configuration store in secret manager should be: key: /secret/application value: {"username":"test"}

Answer 5

If you are using Spring Boot V 2.6.2 then this our POM:

For Spring Boot:

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.6.2</version>
</parent>

We have this to have all the related dependencies with the same version for aws java sdk 2 :

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>software.amazon.awssdk</groupId>
            <artifactId>bom</artifactId>
            <version>2.17.136</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>

And then in our case we just use the SecretManager so we have:

<dependency>
    <groupId>software.amazon.awssdk</groupId>
    <artifactId>secretsmanager</artifactId>
    <version>2.17.121</version>
</dependency>

I had many difficulties in the dependencies because we needed sdk 2 and not one. One general rule for aws dependency is that if you see com.amazonaws then it is sdk v1 . Donot use them if you need sdk v2

Answer 6

Also, the config in bootstrap.yml is the default settings and not needed to get this to work. Only needed to change the defaults.