
Requirement

Remove DB credentials from Java Code(property files) to AWS SM.

Implement autorotation of DB credentials.

Problem Statement

Though we are able to retrieve DB credentials from AWS SM from our application, we are facing the below issues during auto rotation of passwords:

1. How will the Java code identify that DB passwords have been rotated by AWS SM?

2. All the instances of the application should be updated with the new DB credentials after automatic password rotation from AWS SM.

Proposed Solution

Solution 1

1. Whenever passwords are rotated, the Java application won't be able to connect to the DB.

2. At that time, we will get an SQL Connection exception (Connection lost exception) in our application.

3. The Java application will catch the exception and then add a mechanism to retrieve the DB secrets again from AWS SM.

4. Set up a new DB connection with the updated credentials.

5. Steps 3 & 4 would be done for all the instances of the application.

Solution 2

We can call a refresh method that will set up a new DB connection automatically and avoid the SQL Connection exception.

Is there any way we can rotate the DB password using AWS SM without any DB connection issues?

Rajeev

1 Answer


Yes, there is an AWS Secrets Manager JDBC Library, which is basically a wrapper around common JDBC drivers with support for AWS Secrets Manager.

This wrapper tries to connect to the database. If an authentication exception is caught, it refreshes the secret to provide a valid connection.

Here are the two steps to configure your spring boot application.

1 - Add the dependency to your pom.xml

<dependency>
   <groupId>com.amazonaws.secretsmanager</groupId>
   <artifactId>aws-secretsmanager-jdbc</artifactId>
   <version>1.0.7</version>
</dependency>

2 - Set up the database connection in your application.yaml

spring:
  datasource:
    url: jdbc-secretsmanager:mysql://database-host:3306/rotate_db
    username: secret/rotation
    driver-class-name: com.amazonaws.secretsmanager.sql.AWSSecretsManagerMySQLDriver

  • The username is actually the secret name created in AWS Secrets Manager.
  • Make sure to use the right URL; in this example it is a URL for MySQL.
Dennys Fredericci
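The refresh-on-authentication-failure behaviour the answer describes, written out in plain JDBC as an added example (this is not the answer's code and not the aws-secretsmanager-jdbc library). It assumes the AWS SDK for Java v2 secretsmanager module and Jackson on the classpath, a secret in the RDS rotation JSON shape with "username" and "password" fields, and a constructed plain driver URL such as jdbc:mysql://database-host:3306/rotate_db.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;

/** Added example, not the AWS JDBC library: cached secret, refetched only on an auth failure. */
public class RotatingDbConnector {
    private final SecretsManagerClient sm = SecretsManagerClient.create();
    private final ObjectMapper mapper = new ObjectMapper();
    private final String secretId; // the secret name, e.g. "secret/rotation" as in the answer
    private final String jdbcUrl;  // plain driver URL (assumed), e.g. jdbc:mysql://database-host:3306/rotate_db
    private JsonNode cached;       // AWSCURRENT as last fetched by this instance

    public RotatingDbConnector(String secretId, String jdbcUrl) {
        this.secretId = secretId;
        this.jdbcUrl = jdbcUrl;
    }

    /** Returns the cached secret, calling GetSecretValue only on first use or when refresh is set. */
    private synchronized JsonNode credentials(boolean refresh) throws SQLException {
        if (cached == null || refresh) {
            try {
                String json = sm.getSecretValue(
                        GetSecretValueRequest.builder().secretId(secretId).build()).secretString();
                cached = mapper.readTree(json); // RDS rotation secrets carry "username" and "password"
            } catch (Exception e) {
                throw new SQLException("could not load DB secret " + secretId, e);
            }
        }
        return cached;
    }

    private Connection open(JsonNode c) throws SQLException {
        return DriverManager.getConnection(jdbcUrl, c.get("username").asText(), c.get("password").asText());
    }

    /** Connect with the cached secret; on an authentication failure refetch it once and retry. */
    public Connection connect() throws SQLException {
        try {
            return open(credentials(false));
        } catch (SQLException e) {
            // SQLSTATE class 28 = invalid authorization (MySQL reports 28000 on access denied);
            // any other failure is not a rotation symptom and must not trigger a Secrets Manager call
            String state = e.getSQLState();
            if (state == null || !state.startsWith("28")) throw e;
            return open(credentials(true));
        }
    }
}
```

Each application instance refreshes independently the first time the database rejects its cached password, so no cross-instance coordination is needed after a rotation.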