You can load AWS secrets from AWS Secrets Manager without writing any code in Spring Boot!
And this happens automatically during application startup.
This can be done by adding a single property in your application.yml file:
spring.config.import
Using a bootstrap.yml file for this has been deprecated, and it is advisable to use this option instead.
Here is how to do it:
STEP1: Add the dependencies
To enable this feature you need to add the below dependency:
<dependency>
    <groupId>io.awspring.cloud</groupId>
    <artifactId>spring-cloud-starter-aws-secrets-manager-config</artifactId>
    <version>2.3.0</version>
</dependency>
Note the group id: io.awspring.cloud
It should not be org.springframework.cloud, which is the default one you will get if you do a Google search. It won’t work for this group id. I spent quite a bit of time figuring this out.
STEP2: Add the configuration
Add the spring.config.import property in application.yml file:
spring.config.import: aws-secretsmanager:test/secretmanager
Notice the aws-secretsmanager prefix.
This is needed to tell Spring to fetch secrets from AWS Secrets Manager.
The secret name is specified after the prefix, separated by a colon:
test/secretmanager.
I created this secret in my AWS Secrets Manager console.
Here is how to create a secret in AWS Secrets Manager: Creating a secret in AWS Secrets Manager
If you have many secrets to fetch you can separate them using semicolons:
spring.config.import: aws-secretsmanager:test/secretmanager;test/mysecret;dev/mysecret
Usually secrets are created starting with “/” (“/test/mysecret”). If you created yours that way, make sure you enter the forward slash before the secret name:
spring.config.import: aws-secretsmanager:/test/secretmanager;/test/mysecret;/dev/mysecret
If on startup your application can’t fetch the secrets, your app won’t start.
To prevent this you can add the “optional” keyword before the aws-secretsmanager prefix:
spring.config.import: optional:aws-secretsmanager:test/secretmanager
STEP3: Configure AWS Credentials on your local machine
If you are trying to fetch the secrets from your local machine, you need to configure AWS access credentials there; otherwise this step can be skipped.
Here is how to do it: Set up AWS Credentials in local
STEP4: TEST
Let’s test if the above steps worked now.
I used Spring Boot's CommandLineRunner to test the above feature.
Here is my code:
package com.example.bootstrap;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.CommandLineRunner;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.core.env.Environment;

@SpringBootApplication
public class BootstrapawssecretsnewApplication implements CommandLineRunner {

    // The keys of the imported secret are exposed here as ordinary properties
    @Autowired
    private Environment environment;

    public static void main(String[] args) {
        SpringApplication.run(BootstrapawssecretsnewApplication.class, args);
    }

    @Override
    public void run(String... args) throws Exception {
        // Test only: prints the secret value to the console to confirm it was loaded
        System.out.println("Secret is " + environment.getProperty("mysecret"));
    }
}
The code just fetches the secret as if it were another property. Spring loads the secret automatically and makes it available as a property. You can also fetch this using the @Value(..) annotation.
Here is the output:

It worked!
I had stored the value “Hello Secret!” as the secret value and it got printed.
Here is the entire code:
https://github.com/vijaysrj/bootstrapawssecrets
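The @Value approach mentioned above, as an added example (not code from the original post or its repository): it injects mysecret through the constructor, fails with a clear message when the property is missing (which can happen when the import is marked optional:), and confirms the load without printing the value. The class name SecretCheckRunner is hypothetical; the property name and secret name are the ones used in this post.

```java
package com.example.bootstrap;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.CommandLineRunner;
import org.springframework.stereotype.Component;
import org.springframework.util.StringUtils;

// Hypothetical class name; added example, not part of the original project.
@Component
public class SecretCheckRunner implements CommandLineRunner {

    private final String mySecret;

    // "${mysecret:}" falls back to an empty string when the key is absent.
    // With "optional:aws-secretsmanager:..." the app starts even if the
    // secret could not be fetched, so the key may not exist at this point.
    public SecretCheckRunner(@Value("${mysecret:}") String mySecret) {
        this.mySecret = mySecret;
    }

    @Override
    public void run(String... args) {
        if (!StringUtils.hasText(mySecret)) {
            // Stop with an explicit reason instead of running with an empty credential.
            throw new IllegalStateException(
                "Property 'mysecret' is missing; check that secret "
                + "'test/secretmanager' was imported via spring.config.import");
        }
        // Confirm the secret is available without writing its value to the console or logs.
        System.out.println("Property 'mysecret' loaded from AWS Secrets Manager");
    }
}
```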