I have a requirement to retrieve credentials from AWS Secrets Manager, and I found that I need to add the Gradle dependency for the following starter:

spring-cloud-starter-aws-secrets-manager-config

Also, I found that I need to add the following settings in bootstrap.yml:

Property Configurations

I'm unclear how the secret key could be accessed in my Spring Boot application; if someone could chime in, it would be much appreciated.

pubudut
  • When do you need these credentials/what are these credentials for? You could retrieve these credentials at runtime - https://docs.aws.amazon.com/code-samples/latest/catalog/java-secretsmanager-src-main-java-aws-example-secretsmanager-GetSecretValue.java.html – committedandroider Jun 04 '19 at 21:22
  • I figured out that there is no additional configuration required; the only thing that needs to be completed is setting up my secrets in the AWS Secrets Manager console. All the secrets are available with the specific key I have specified. – pubudut Jun 04 '19 at 22:00

5 Answers

9

I would like to share my findings on Secrets Manager integration with a Spring Boot application.

Step 1. Add the spring-cloud-starter-aws-secrets-manager-config dependency to the Spring Boot application (the Gradle and Maven ways of adding the dependency are different).

Step 2. Add the following configuration to the bootstrap.yml file.

aws:
  secretsmanager:
    prefix: /secret
    defaultContext: application
    profileSeparator: _
    failFast: true
    name: <service_name>
    enabled: true

Step 3. Create secrets in the AWS Management Console for the required region.

There are two secret contexts:

  1. Application context - secrets shared across all services.
  2. Service context - secrets specific to one service.

Final note on creating secrets: secrets can be created for each environment.

For example,

/secret/service_name_dev/username

/secret/service_name_prod/username

Application context secrets can be created according to the following format.

/secret/application/username

Once the Spring Boot application is started with the above settings, the application will load secrets from AWS Secrets Manager based on the active profile.

For example, for a dev profile, it will load the secret /secret/service_name_dev/username, and the value can be accessed in configuration as well as in classes using the ${username} mapping.

pubudut
  • What Spring Boot version were you using? It is not working for me. I'm migrating from Spring Boot 1.5 to 2.1.6 – Vetras Jul 09 '19 at 11:34
  • That's my issue :) The only error I get is "can't create bean of type X", where X is my class that needs the AWS secrets as config – Vetras Jul 09 '19 at 12:07
  • found my problem. not related to this. I was missing a @ComponentScan(...) on my MainApp Class – Vetras Jul 09 '19 at 13:25
  • it is not working with Spring Boot 2 at all. I have the error: java.lang.NoSuchMethodError: org.springframework.boot.builder.SpringApplicationBuilder.([Ljava/lang/Object;)V – Alex Jul 10 '19 at 21:27
  • @Alex Probably you have a dependency conflict. I had a similar issue with spring-cloud-aws-context – pubudut Jul 10 '19 at 21:42
  • @pubudut yes, the Greenwich.SR1 BOM needs to be used. Unfortunately, the Spring Cloud Documentation is very unclear about that. – Alex Jul 11 '19 at 19:27
  • True, I had to go through a bit of hassle to understand how to do it; the documentation is not clear – pubudut Jul 11 '19 at 19:34
  • Is there a way not to include the profile? My secret is just /secret/service_name/username but SpringBoot insists on looking for /secret/service_name_dev/username_development. Hilariously, if I regenerate the secret so it is /secret/service_name/username_development then SpringBoot fails because it looks for /secret/service_name/username – tommylii May 19 '20 at 17:15
  • Is there any solution to remove the slash? All my secrets don't have the prefix / or /secret. Please let me know if you have any approach. I use the same library from Spring Cloud: spring-cloud-starter-aws-secrets-manager-config. Many thanks! – mesmed Oct 16 '20 at 20:21
  • @mesmed Per this [page](https://cloud.spring.io/spring-cloud-static/spring-cloud-aws/2.1.0.RELEASE/multi/multi__cloud_environment.html), you can configure the prefix using aws.secretsmanager.prefix property – Tarun Varshney Jun 29 '21 at 13:13
8

If you are using Spring Boot 2.4+, the bootstrap method has been deprecated. The new way to integrate AWS Secrets Manager is this:

  1. Add the following dependency to your app:

     <dependency>
         <groupId>io.awspring.cloud</groupId>
         <artifactId>spring-cloud-starter-aws-secrets-manager-config</artifactId>
         <version>${version}</version>
     </dependency>
    
  2. Add the following configuration:

    spring.config.import: aws-secretsmanager:<your secret name in aws>

That's it!

Doraemoe
3

The answer above may be wrong. The configuration stored in Secrets Manager should be: key: /secret/application, value: {"username":"test"}

1

For enabling AWS Secrets Manager with a Spring Boot application, configuration is not required. We just need to add the dependency below:

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-aws-secrets-manager-config</artifactId>
    <!-- <version>As per your spring-cloud-dependencies and starter parent version</version> -->
</dependency>

If you do not have the spring-cloud-context dependency, add that to your pom as well.

It enables the Spring app to connect to your cloud, and after that you can read secrets the same way you read them from a properties file. You can customize the properties configuration if you want; read the Spring docs: https://cloud.spring.io/spring-cloud-aws/2.1.x/multi/multi__cloud_environment.html

After adding the above changes to your code, let's move to the AWS console and open Secrets Manager to add a new secret for our application, following the steps below. Let's assume we have spring.application.name=secretmanagerboot and a parameter named "com.secretmanagerboot.secret.param1" with the value "secretvalue".

  1. Click "Store a new secret"
  2. Select "Other type of secrets"
  3. Add the parameter name "com.secretmanagerboot.secret.param1" and the parameter value "secretvalue"
  4. Click Next
  5. Add the secret name as secretmanagerboot<_PROFILE>. You can add a description if you want.
  6. Click Next and select your rotation policy

You can access your param in application as @Value("${com.secretmanagerboot.secret.param1}")

nirvana124
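An added example that is not code from any of the answers above. It covers both the bootstrap.yml layout in pubudut's answer and the secretmanagerboot<_PROFILE> naming in nirvana124's answer: a POSIX shell script that lists the secret names the bootstrap-mode starter asks Secrets Manager for, in precedence order, from aws.secretsmanager.prefix, defaultContext, name, profileSeparator and the active profiles, and then uses the AWS CLI to store secrets under those names as JSON key/value objects (the shape the {"username":"test"} comment above describes). The lookup order reproduces what the starter's AwsSecretsManagerPropertySourceLocator does; the aws CLI being installed with credentials configured, the APPLY switch, and the sample secret values are assumptions of this example.

```shell
#!/bin/sh
# Added example; not code from any of the answers on this page.
# Reproduces the secret-name resolution that the bootstrap-mode starter
# (spring-cloud-starter-aws-secrets-manager-config 2.1.x/2.2.x) performs from
# aws.secretsmanager.prefix / defaultContext / name / profileSeparator plus the
# active Spring profiles, and emits the AWS CLI calls that store secrets with
# matching names. Assumptions: the "aws" CLI is installed and credentials are
# configured before running with APPLY=1; each secret value is a JSON object
# whose keys become Spring property names (e.g. {"username":"x"} -> ${username}).

# secret_contexts PREFIX DEFAULT_CONTEXT NAME SEPARATOR [PROFILE...]
# Prints the secret names the starter reads, one per line, highest precedence
# first: a key found in an earlier secret shadows the same key in a later one.
# (name falls back to spring.application.name when aws.secretsmanager.name is unset.)
secret_contexts() {
  sc_prefix=$1; sc_default=$2; sc_name=$3; sc_sep=$4
  shift 4
  for sc_profile in "$@"; do
    printf '%s/%s%s%s\n' "$sc_prefix" "$sc_name" "$sc_sep" "$sc_profile"
  done
  printf '%s/%s\n' "$sc_prefix" "$sc_name"
  for sc_profile in "$@"; do
    printf '%s/%s%s%s\n' "$sc_prefix" "$sc_default" "$sc_sep" "$sc_profile"
  done
  printf '%s/%s\n' "$sc_prefix" "$sc_default"
}

# create_secret NAME JSON
# Stores NAME with the JSON object as SecretString. Without APPLY=1 it only
# prints the command, so the script is safe to run offline.
create_secret() {
  if [ "${APPLY:-0}" = "1" ]; then
    aws secretsmanager create-secret --name "$1" --secret-string "$2" >/dev/null
  else
    printf "aws secretsmanager create-secret --name %s --secret-string '%s'\n" "$1" "$2"
  fi
}

# show_secret NAME
# Reads the secret back the way the starter does (SecretString only), so the
# JSON keys can be checked against the ${...} placeholders in the application.
show_secret() {
  if [ "${APPLY:-0}" = "1" ]; then
    aws secretsmanager get-secret-value --secret-id "$1" --query SecretString --output text
  else
    printf 'aws secretsmanager get-secret-value --secret-id %s --query SecretString --output text\n' "$1"
  fi
}

# Walk-through with the bootstrap.yml values from the answers above
# (prefix /secret, defaultContext application, name service_name,
# profileSeparator _) and the "dev" profile active. Values are made up.
echo "# lookup order for profile dev (first match wins):"
secret_contexts /secret application service_name _ dev

echo "# store the service-specific and the shared secret:"
create_secret /secret/service_name_dev '{"username":"dev-user","password":"dev-pass"}'
create_secret /secret/application '{"username":"shared-user"}'

echo "# read back what the application will see:"
show_secret /secret/service_name_dev
```

Run it as-is to see the commands; `APPLY=1 sh resolve-secrets.sh` actually calls the CLI. Two things the listing makes visible: the secret name is the whole context (the "/username" in the examples above is a key inside the JSON value, not part of the secret name, which is why a secret created as /secret/service_name/username is never found), and the profile-specific name is only requested for profiles that are active. Keep failFast: true for anything carrying credentials: with it set, a misspelt name or a role that lacks secretsmanager:GetSecretValue aborts startup, whereas with failFast: false the starter only logs a warning and the placeholder silently resolves from whatever property source comes next.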
0

If you are using Spring Boot 2.6.2, then this is our POM:

For Spring Boot:

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.6.2</version>
</parent>

We have this so that all the related dependencies use the same version of AWS Java SDK 2:

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>software.amazon.awssdk</groupId>
            <artifactId>bom</artifactId>
            <version>2.17.136</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>

And then, in our case, we just use Secrets Manager, so we have:

<dependency>
    <groupId>software.amazon.awssdk</groupId>
    <artifactId>secretsmanager</artifactId>
    <version>2.17.121</version>
</dependency>

I had many difficulties with the dependencies because we needed SDK 2 and not 1. One general rule for AWS dependencies is that if you see com.amazonaws then it is SDK v1. Do not use them if you need SDK v2.

Mohamad Eghlima