How to load AWS Secrets automatically on application startup in Spring Boot?

You can load AWS secrets from AWS Secrets Manager without writing any code in Spring Boot!

And this happens automatically during application startup.

This can be done by adding a single property in your application.yml file:

spring.config.import

Using a bootstrap.yml file for this has been deprecated, so it is advisable to use spring.config.import instead.

Here is how to do it:

STEP1: Add the dependencies

To enable this feature you need to add the below dependency:

<dependency>
	<groupId>io.awspring.cloud</groupId>
	<artifactId>spring-cloud-starter-aws-secrets-manager-config</artifactId>
	<version>2.3.0</version>
</dependency>

Note the group id: io.awspring.cloud

It should not be org.springframework.cloud, which is the default one you will get if you do a Google search. It won’t work with that group id. I spent quite a bit of time figuring this out.

STEP2: Add the configuration

Add the spring.config.import property to the application.yml file:

spring.config.import: aws-secretsmanager:test/secretmanager


Notice the aws-secretsmanager prefix.

This is needed to tell Spring to fetch secrets from AWS Secrets Manager.

The secret name is specified after the prefix separated by a colon:

test/secretmanager.

I created this secret in my AWS Secrets Manager console.

Here is how to create a secret in AWS Secrets Manager: Creating a secret in AWS Secrets Manager

If you have many secrets to fetch you can separate them using semicolons:

spring.config.import: aws-secretsmanager:test/secretmanager;test/mysecret;dev/mysecret

Secrets are usually created with a leading “/” (“/test/mysecret”). If you created yours that way, make sure you include the forward slash before the secret name:

spring.config.import: aws-secretsmanager:/test/secretmanager;/test/mysecret;/dev/mysecret



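If your application can’t fetch the secrets on startup, it won’t start.

To prevent this, you can add the “optional” keyword before the aws-secretsmanager prefix. The application will then start even when the secrets could not be loaded, so any property that depends on them will be missing: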

spring.config.import: optional:aws-secretsmanager:test/secretmanager





STEP3: Configure AWS Credentials in local

If you are fetching the secrets from your local machine, you need to configure AWS access credentials locally; otherwise this step can be skipped.

Here is how to do it: Set up AWS Credentials in local

STEP4: TEST

Let’s test if the above steps worked now.

I used Spring Boot's CommandLineRunner to test the above feature.

Here is my code:

package com.example.bootstrap;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.CommandLineRunner;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.core.env.Environment;

@SpringBootApplication
public class BootstrapawssecretsnewApplication implements CommandLineRunner {

	@Autowired
	private Environment environment;

	public static void main(String[] args) {
		SpringApplication.run(BootstrapawssecretsnewApplication.class, args);
	}

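	@Override
	public void run(String... args) throws Exception {
		// The secret key "mysecret" is resolved like any other property.
		// Printing the value is only for this test; don't log real secrets.
		System.out.println("Secret is " + environment.getProperty("mysecret"));
	}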

}

The code simply reads the secret as if it were any other property. Spring loads the secret automatically and makes it available as a property. You can also fetch it using the @Value(..) annotation.

Here is the output:

It worked!

I had stored the value “Hello Secret!” as the secret value and it got printed.
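
When the import is marked optional, as described in STEP2, a failed fetch no longer stops startup, so a check like the following can restore fail-fast behaviour for the keys the application really needs. This is an added example, not code from the original post or its repository; the class name RequiredSecretsCheck and the list of required keys are assumptions, and "mysecret" is the key used in the test above.

```java
package com.example.bootstrap;

import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.boot.ApplicationArguments;
import org.springframework.boot.ApplicationRunner;
import org.springframework.core.env.Environment;
import org.springframework.stereotype.Component;

// Hypothetical class (assumption), not part of the post's repository.
@Component
public class RequiredSecretsCheck implements ApplicationRunner {

	// Keys expected to come from the imported secrets (assumed list).
	private static final List<String> REQUIRED_KEYS = Arrays.asList("mysecret");

	private final Environment environment;

	public RequiredSecretsCheck(Environment environment) {
		this.environment = environment;
	}

	@Override
	public void run(ApplicationArguments args) {
		// A key counts as missing if it is absent or resolves to a blank value.
		List<String> missing = REQUIRED_KEYS.stream()
				.filter(key -> {
					String value = environment.getProperty(key);
					return value == null || value.trim().isEmpty();
				})
				.collect(Collectors.toList());

		if (!missing.isEmpty()) {
			// Report key names only, never the values; the exception aborts startup.
			throw new IllegalStateException("Required secrets not loaded: " + missing);
		}
		System.out.println("Required secret keys present: " + REQUIRED_KEYS);
	}
}
```
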

Here is the entire code:

https://github.com/vijaysrj/bootstrapawssecrets

Ref:

https://github.com/awspring/spring-cloud-aws/tree/2.3.x/spring-cloud-aws-samples/spring-cloud-aws-secrets-manager-sample

2 thoughts

  1. Hi. Sorry that I ask you in this way.

    I wonder that for example I store my database’s credential on Secrets Manager, but then in my Spring Boot, I have filemy.db.password=… in application.yml.

    How can I retrieve the secret DIRECTLY into application.yml file and the properties that I want, instead of retrieving it through spring.config.import?

    1. Hi, no problem. You can do it by using a bootstrap.yml file, but that way is deprecated. Using spring.config.import is quite simple, you can go with that I guess.
