0

I have a Spring Boot dockerized application running inside a Fargate cluster. This application uses Aurora DB. I want to store the DB password and API key in AWS Secrets Manager. My idea was to make an API from the application and fetch the secret from Secrets Manager. But the architect is saying this is not the best approach.

What would be other, better ways to achieve this?

AWS_Lernar
  • 627
  • 2
  • 9
  • 26

3 Answers

3

ECS provides a tutorial for specifying sensitive data to your cluster using Secrets Manager: https://docs.aws.amazon.com/AmazonECS/latest/userguide/specifying-sensitive-data-tutorial.html.

As for database credentials, if your application is written in Java, the best way to provide rotation-safe credentials to your application is to use the AWS-provided JDBC client library: https://github.com/aws/aws-secretsmanager-jdbc. Then you can safely set up rotation on your database credentials, since the library will automatically pull from Secrets Manager and retry connections on authentication failures.
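Added example (not code from the answer, the ECS tutorial, or the aws-secretsmanager-jdbc project) of how both pieces of this answer land in a Spring Boot application: the API key is injected by ECS into the container environment from Secrets Manager through the task definition's `secrets` mapping (the task execution role needs `secretsmanager:GetSecretValue` on that secret), and the database connection is built with the Secrets Manager JDBC driver, whose `jdbc-secretsmanager:` URL scheme and secret-id-as-username convention come from the library's README. The environment variable name `API_KEY`, the secret name `prod/app/aurora`, the cluster host, and the database name are assumptions.

```java
package com.example.config;

import javax.sql.DataSource;

import org.springframework.boot.jdbc.DataSourceBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class SecretsConfig {

    /** Secrets Manager secret holding {"username": ..., "password": ...} for Aurora. Assumed name. */
    private static final String DB_SECRET_ID = "prod/app/aurora";

    /** Holder for the API key so it is a typed bean rather than a bare String. */
    public static final class ExternalApiKey {
        private final String value;
        ExternalApiKey(String value) { this.value = value; }
        public String value() { return value; }
    }

    /**
     * The key never appears in application.properties or the image: ECS reads it from
     * Secrets Manager and sets it as an environment variable at task start. Fail fast at
     * startup if the mapping is missing instead of discovering it on the first outbound call.
     */
    @Bean
    public ExternalApiKey externalApiKey() {
        String key = System.getenv("API_KEY"); // assumed variable name from the task definition
        if (key == null || key.isBlank()) {
            throw new IllegalStateException(
                "API_KEY not injected; check the task definition 'secrets' mapping and execution role");
        }
        return new ExternalApiKey(key);
    }

    /**
     * With the Secrets Manager JDBC driver the URL uses the "jdbc-secretsmanager:" scheme and
     * the username field carries the secret id. The driver fetches username/password from
     * Secrets Manager itself and re-fetches after a login failure, which is what makes
     * credential rotation safe: no password is ever configured in the application.
     */
    @Bean
    public DataSource dataSource() {
        return DataSourceBuilder.create()
            .driverClassName("com.amazonaws.secretsmanager.sql.AWSSecretsManagerPostgreSQLDriver")
            // placeholder host and database name
            .url("jdbc-secretsmanager:postgresql://aurora-cluster.cluster-EXAMPLE.us-east-1.rds.amazonaws.com:5432/appdb")
            .username(DB_SECRET_ID)
            .build();
    }
}
```

The Fargate task needs two distinct roles here: the execution role reads the API-key secret for environment injection, while the task role (the credentials the driver picks up through the default provider chain at runtime) needs `secretsmanager:GetSecretValue` on the database secret. Scope each policy to the specific secret ARN rather than `*`, so a compromised container can read only the secrets it is meant to use.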

WillT
  • 109
  • 5
  • Secrets manager is the right place to store the API key, but for the database credentials there is no need to set up a password at all. Use IAM authentication instead. – Ben Whaley Dec 07 '19 at 15:16
2

You'll want to use IAM Database authentication. Assign an IAM role to your Fargate task with permissions to access your Aurora cluster and voila! No password required.
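Added example, not part of this answer, of what "no password required" looks like in Java with the AWS SDK v2: the application mints a short-lived IAM authentication token and presents it as the password. The token is signed with the task role's credentials (obtained through the default provider chain inside Fargate), and that role needs `rds-db:connect` on the database user. The host, user name `app_iam`, database name, region, and CA bundle path are assumptions; the cluster must have IAM authentication enabled and the user must have been created for IAM auth (`GRANT rds_iam TO app_iam` on Aurora PostgreSQL).

```java
package com.example.db;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.rds.RdsUtilities;
import software.amazon.awssdk.services.rds.model.GenerateAuthenticationTokenRequest;

public final class IamAuthConnectionFactory {
    // Placeholder values; replace with the cluster endpoint and the IAM-enabled DB user.
    private static final String HOST = "aurora-cluster.cluster-EXAMPLE.us-east-1.rds.amazonaws.com";
    private static final int PORT = 5432;
    private static final String DB_USER = "app_iam";
    private static final String DATABASE = "appdb";
    private static final Region REGION = Region.US_EAST_1;

    // Uses the default credentials provider chain, which in Fargate resolves to the task role.
    private final RdsUtilities rdsUtilities = RdsUtilities.builder().region(REGION).build();

    /**
     * A signed token stands in for the password. It is valid for 15 minutes and is only
     * checked at login, so generate a fresh one for every new connection rather than caching it.
     */
    String newAuthToken() {
        return rdsUtilities.generateAuthenticationToken(
            GenerateAuthenticationTokenRequest.builder()
                .hostname(HOST)
                .port(PORT)
                .username(DB_USER)
                .region(REGION)
                .build());
    }

    /** Opens a connection authenticated with the task role instead of a stored password. */
    public Connection openConnection() throws SQLException {
        Properties props = new Properties();
        props.setProperty("user", DB_USER);
        props.setProperty("password", newAuthToken());
        // IAM authentication only works over TLS; verify the server certificate as well so
        // the token cannot be captured by an on-path host impersonating the cluster.
        props.setProperty("sslmode", "verify-full");
        props.setProperty("sslrootcert", "/etc/ssl/certs/rds-ca-bundle.pem"); // placeholder path
        String url = "jdbc:postgresql://" + HOST + ":" + PORT + "/" + DATABASE;
        return DriverManager.getConnection(url, props);
    }
}
```

With a connection pool such as HikariCP, wrap this in a `DataSource` whose `getConnection()` calls `openConnection()`, so every connection the pool creates gets its own fresh token; existing pooled connections stay valid after the token expires because the token is validated only at login. The defensive payoff is that there is no database password to leak, rotate, or find in an image layer, and every login is attributable to a specific IAM role in CloudTrail and the database logs.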

Ben Whaley
  • 32,811
  • 7
  • 87
  • 85
1

Have you looked into making your code call the Secrets Manager API directly? I wouldn't suggest building an API when one already exists; this can also be used to handle rotated credentials.

Starting point: AWS Java SDK Documentation
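Added example (not code from the answer or the AWS SDK) of calling the Secrets Manager API directly from the application with the AWS SDK for Java v2, with a small in-process TTL cache so the secret is not fetched on every request and a rotated value is still picked up. Credentials come from the Fargate task role through the default provider chain; that role needs `secretsmanager:GetSecretValue` scoped to the secret's ARN. The `CachedSecretReader` class, the secret name `prod/app/external-api-key`, and the five-minute TTL are assumptions. AWS also publishes a ready-made caching client for Java (aws-secretsmanager-caching-java) that does the same job.

```java
package com.example.secrets;

import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueResponse;

/** Hypothetical helper: fetches secrets on demand and caches them for a bounded time. */
public final class CachedSecretReader {

    private static final class Entry {
        final String value;
        final Instant expiresAt;
        Entry(String value, Instant expiresAt) { this.value = value; this.expiresAt = expiresAt; }
    }

    private final SecretsManagerClient client;
    private final Duration ttl;
    private final Map<String, Entry> cache = new ConcurrentHashMap<>();

    public CachedSecretReader(SecretsManagerClient client, Duration ttl) {
        this.client = client;
        this.ttl = ttl;
    }

    /**
     * Returns the current secret string. After the TTL passes the next call re-reads from
     * Secrets Manager, so a rotated value is adopted without a restart. Note that
     * GetSecretValue without a version stage returns AWSCURRENT, i.e. the post-rotation value.
     */
    public String get(String secretId) {
        Entry e = cache.get(secretId);
        if (e != null && Instant.now().isBefore(e.expiresAt)) {
            return e.value;
        }
        GetSecretValueResponse resp = client.getSecretValue(
            GetSecretValueRequest.builder().secretId(secretId).build());
        // Binary secrets come back in secretBinary(); an API key is stored as a string.
        String value = resp.secretString();
        cache.put(secretId, new Entry(value, Instant.now().plus(ttl)));
        return value;
    }

    /** Call this after a downstream 401/403 so the next request uses the freshly rotated key. */
    public void invalidate(String secretId) {
        cache.remove(secretId);
    }

    public static void main(String[] args) {
        CachedSecretReader reader =
            new CachedSecretReader(SecretsManagerClient.create(), Duration.ofMinutes(5));
        String apiKey = reader.get("prod/app/external-api-key"); // assumed secret name
        // Log that the key was loaded, never the key itself.
        System.out.println("API key loaded, length=" + apiKey.length());
    }
}
```

The cache matters for two reasons beyond latency: Secrets Manager is billed per API call, and a service that calls it on every request turns a Secrets Manager outage or throttling into an outage of your own application. Pairing the TTL with `invalidate()` on an authentication failure gives fast recovery after rotation without hammering the API.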

ServerMonkey
  • 1,042
  • 3
  • 19
  • 42