How to load AWS Secrets automatically on application startup in Spring Boot?

You can load secrets from AWS Secrets Manager in Spring Boot without writing any code, and this happens automatically during application startup.

This can be done by adding a single property in your application.yml file:

spring.config.import

Using the bootstrap.yml file for this has been deprecated, and it is advisable to use spring.config.import now.

Here is how to do it:

STEP1: Add the dependencies

To enable this feature, add the following dependency:

<dependency>
	<groupId>io.awspring.cloud</groupId>
	<artifactId>spring-cloud-starter-aws-secrets-manager-config</artifactId>
	<version>2.3.0</version>
</dependency>

Note the group id: io.awspring.cloud

It should not be org.springframework.cloud, which is the default one you will get if you do a Google search. It won’t work with that group id. I spent quite a bit of time figuring this out.

STEP2: Add the configuration

Add the spring.config.import property in the application.yml file:

spring.config.import: aws-secretsmanager:test/secretmanager


Notice the aws-secretsmanager prefix.

This is needed to tell Spring to fetch secrets from AWS Secrets Manager.

The secret name is specified after the prefix separated by a colon:

test/secretmanager.

I created this secret in my AWS Secrets Manager console.

Here is how to create a secret in AWS Secrets Manager: Creating a secret in AWS Secrets Manager

If you have many secrets to fetch you can separate them using semicolons:

spring.config.import: aws-secretsmanager:test/secretmanager;test/mysecret;dev/mysecret

Usually secrets are created with a leading “/” (“/test/mysecret”). If you created yours that way, make sure you enter the forward slash before the secret name:

spring.config.import: aws-secretsmanager:/test/secretmanager;/test/mysecret;/dev/mysecret



If your application can’t fetch the secrets on startup, your app won’t start.

To prevent this you can add the “optional” keyword before the aws-secretsmanager prefix:

spring.config.import: optional:aws-secretsmanager:test/secretmanager





STEP3: Configure AWS Credentials in local

If you are trying to fetch the secrets from your local machine, you need to configure AWS access credentials locally; otherwise this step can be skipped.

Here is how to do it: Set up AWS Credentials in local

STEP4: TEST

Let’s test if the above steps worked now.

I used Spring Boot's CommandLineRunner to test the above feature.

Here is my code:

package com.example.bootstrap;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.CommandLineRunner;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.core.env.Environment;

@SpringBootApplication
public class BootstrapawssecretsnewApplication implements CommandLineRunner {

	@Autowired
	private Environment environment;

	public static void main(String[] args) {
		SpringApplication.run(BootstrapawssecretsnewApplication.class, args);
	}

	@Override
	public void run(String... args) throws Exception {

		System.out.println("Secret is " + environment.getProperty("mysecret"));

	}

}

The code just fetches the secret as if it were another property. Spring loads the secret automatically and makes it available as a property. You can also fetch it using the @Value(..) annotation.

Here is the output:

It worked!

I had stored the value “Hello Secret!” as the secret value and it got printed.
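A startup check that pairs with the optional: prefix from STEP2 (an added example, not code from the original post or its repository): it stops the application when a required key was not loaded, and it reports key names only, never the values. The class name RequiredSecretsCheck and the REQUIRED_KEYS list are assumptions; mysecret is the key used in this post.

```java
package com.example.bootstrap;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.springframework.boot.ApplicationArguments;
import org.springframework.boot.ApplicationRunner;
import org.springframework.core.env.Environment;
import org.springframework.stereotype.Component;

// Added example (hypothetical class): with "optional:aws-secretsmanager:..."
// a failed fetch no longer stops startup, so the application would otherwise
// run with the secret silently missing. This runner restores fail-fast
// behaviour for the keys the application cannot work without.
@Component
public class RequiredSecretsCheck implements ApplicationRunner {

	// Assumption: property keys stored inside the imported secret(s).
	// "mysecret" is the key read in this post; list your own keys here.
	private static final List<String> REQUIRED_KEYS = Arrays.asList("mysecret");

	private final Environment environment;

	public RequiredSecretsCheck(Environment environment) {
		this.environment = environment;
	}

	@Override
	public void run(ApplicationArguments args) {
		List<String> missing = new ArrayList<>();
		for (String key : REQUIRED_KEYS) {
			String value = environment.getProperty(key);
			if (value == null || value.trim().isEmpty()) {
				missing.add(key);
			}
		}
		if (!missing.isEmpty()) {
			// Key names only: secret values must not reach logs or exception text.
			throw new IllegalStateException("Required secrets not loaded: " + missing);
		}
		// Confirm presence without echoing the value, unlike the test print above.
		System.out.println("All " + REQUIRED_KEYS.size() + " required secret key(s) are present");
	}
}
```

An exception thrown from an ApplicationRunner makes SpringApplication.run fail, so the process exits instead of serving traffic without its secrets.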

Here is the entire code:

https://github.com/vijaysrj/bootstrapawssecrets

Ref:

https://github.com/awspring/spring-cloud-aws/tree/2.3.x/spring-cloud-aws-samples/spring-cloud-aws-secrets-manager-sample


Comments

6 responses to “How to load AWS Secrets automatically on application startup in Spring Boot?”

  1. Tom

    Hi. Sorry that I ask you in this way.

    I wonder that for example I store my database’s credential on Secrets Manager, but then in my Spring Boot, I have filemy.db.password=… in application.yml.

    How can I retrieve the secret DIRECTLY into application.yml file and the properties that I want, instead of retrieve it through spring.config.import?

    1. Vijay SRJ

      Hi, no problem. You can do it by using bootstrap.yml file but that way is deprecated. Using spring.config.import is quite simple, you can go with that I guess.

  2. helas

    Seems the groupId is wrong – io.awspring.cloud should be org.springframework.cloud

    1. Vijay SRJ

      That didn’t work for me, so I used the former one.

  3. Anonymous

    What if I need to use configserver along with aws-secretsmanager in spring.config.import?

    1. Vijay SRJ

      I guess you can configure aws-secrets manager as additional source in spring cloud config server, have not tried this though.
