1. Overview
In this tutorial, we’ll integrate a Spring Boot application with AWS Secrets Manager in order to retrieve database credentials and other types of secrets such as API keys.
2. AWS Secrets Manager
AWS Secrets Manager is an AWS service that enables us to securely store, rotate, and manage credentials, e.g., for database, API keys, tokens, or any other secrets we’d like to manage.
We can distinguish between two types of secrets – one for strictly database credentials and one more generic for any other kind of secret.
A good example of using AWS Secrets Manager is to provide some set of credentials or an API key to our application.
The recommended way of keeping secrets is in JSON format. Additionally, if we’d like to use the secret rotation feature we must use the JSON structure.
3. Integration With AWS Secrets Manager
AWS Secrets Manager can be easily integrated with our Spring Boot application. Let’s try it out by creating secrets in AWS via the AWS CLI and then retrieving them via simple configurations in Spring Boot.
3.1. Secret Creation
Let’s create a secret in AWS Secrets Manager. For that, we can use the AWS CLI and the aws secretsmanager create-secret command.
In our case, let’s name the secret test/secret/ and create two pairs of API keys – api-key1 with apiKeyValue1 and api-key2 with the value of apiKeyValue2:
aws secretsmanager create-secret \
--name test/secret/ \
--secret-string "{\"api-key1\":\"apiKeyValue1\",\"api-key2\":\"apiKeyValue2\"}"
As a response, we should get the ARN of the created secret, its name, and version id:
{
"ARN": "arn:aws:secretsmanager:eu-central-1:111122223333:secret:my/secret/-gLK10U",
"Name": "test/secret/",
"VersionId": "a04f735e-3b5f-4194-be0d-719d5386b67b"
}
3.2. Spring Boot Application Integration
In order to retrieve our new secret we have to add the spring-cloud-starter-aws-secrets-manager-config dependency:
<dependency>
<groupId>io.awspring.cloud</groupId>
<artifactId>spring-cloud-starter-aws-secrets-manager-config</artifactId>
<version>2.4.4</version>
</dependency>
The next step is to add a property in our application.properties file:
spring.config.import=aws-secretsmanager:test/secret/
We provide here the name of the secret we just created. With that set up, let’s use our new secrets in the application and verify their values.
In order to do so, we can inject our secrets into the application via the @Value annotation. In the annotation, we specify the names of the secret fields we provided during the secret creation process. In our case, it was api-key1 and api-key2:
@Value("${api-key1}")
private String apiKeyValue1;
@Value("${api-key2}")
private String apiKeyValue2;
To verify our values in this example, let’s just print them after bean property initialization in our @PostConstruct:
@PostConstruct
private void postConstruct() {
System.out.println(apiKeyValue1);
System.out.println(apiKeyValue2);
}
We should note that it’s not good practice to output secret values to our console. However, we can see in this example that when we run our application, our values have been loaded correctly:
2023-03-26 12:40:24.376 INFO 33504 [main] j.LocalContainerEntityManagerFactoryBean : Initialized JPA EntityManagerFactory for persistence unit 'default'
apiKeyValue1
apiKeyValue2
2023-03-26 12:40:25.306 INFO 33504 [main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat started on port(s): 8080 (http) with context path ''
4. Special Secret for Database Credentials
There is a special type of secret in AWS Secrets Manager for storing database credentials. We can pick from one of the supported databases by AWS such as Amazon RDS, Amazon DocumentDB, or Amazon Redshift. Another possibility for non-Amazon databases is to provide a server address, database name, and port.
With the use of aws-secretsmanager-jdbc library in our Spring Boot application, we can easily provide these credentials to our database. Furthermore, if we rotate the credentials in Secrets Manager, the AWS-provided library automatically retrieves a new set of credentials when it receives authentication errors using the previous credentials.
4.1. Database Secret Creation
In order to create a database type secret in AWS Secrets Manager, we’ll again use AWS CLI:
$ aws secretsmanager create-secret \
--name rds/credentials \
--secret-string file://mycredentials.json
In the above command, we’re using mycredentials.json file where we specify all necessary properties for our database:
{
"engine": "mysql",
"host": "cwhgvgjbpqqa.eu-central-rds.amazonaws.com",
"username": "admin",
"password": "password",
"dbname": "db-1",
"port": "3306"
}
4.2. Spring Boot Application Integration
Once we’ve created the secret we’re ready to use it in our Spring Boot application. For that, we’ll need to add a few dependencies such as aws-secretsmanager-jdbc and mysql-connector-java:
<dependency>
<groupId>com.amazonaws.secretsmanager</groupId>
<artifactId>aws-secretsmanager-jdbc</artifactId>
<version>1.0.11</version>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>8.0.32</version>
</dependency>
Lastly, we also need to set up some properties in the application.properties file:
spring.datasource.driver-class-name=com.amazonaws.secretsmanager.sql.AWSSecretsManagerMySQLDriver
spring.jpa.database-platform=org.hibernate.dialect.MySQLDialect
spring.datasource.url=jdbc-secretsmanager:mysql://db-1.cwhqvgjbpgfw.eu-central-1.rds.amazonaws.com:3306
spring.datasource.username=rds/credentials
In spring.datasource.driver-class-name, we specify the name of a driver we want to use.
The next one is spring.jpa.database-platform, where we provide our dialect.
When we specify our URL for the database in spring.datasource.url we have to add jdbc-secretsmanager prefix before that URL. This is required since we’re integrating with AWS Secrets Manager. In this example, our URL refers to a MySQL RDS instance, though it could refer to any MySQL database.
In the spring.datasource.username, we only have to provide the key to the AWS Secrets Manager we set up before. Based on these properties, our application will try to connect to Secrets Manager and retrieve a username and a password before it makes a connection to the database.
In the application logs, we can see that we managed to get the connection to the database and the EntityManager has been initialized:
2023-03-26 12:40:22.648 INFO 33504 --- [ main] o.hibernate.jpa.internal.util.LogHelper : HHH000204: Processing PersistenceUnitInfo [name: default]
2023-03-26 12:40:22.697 INFO 33504 --- [ main] org.hibernate.Version : HHH000412: Hibernate ORM core version 5.6.12.Final
2023-03-26 12:40:22.845 INFO 33504 --- [ main] o.hibernate.annotations.common.Version : HCANN000001: Hibernate Commons Annotations {5.1.2.Final}
2023-03-26 12:40:22.951 INFO 33504 --- [ main] com.zaxxer.hikari.HikariDataSource : HikariPool-1 - Starting...
2023-03-26 12:40:23.752 INFO 33504 --- [ main] com.zaxxer.hikari.HikariDataSource : HikariPool-1 - Start completed.
2023-03-26 12:40:23.783 INFO 33504 --- [ main] org.hibernate.dialect.Dialect : HHH000400: Using dialect: org.hibernate.dialect.MySQL5Dialect
2023-03-26 12:40:24.363 INFO 33504 --- [ main] o.h.e.t.j.p.i.JtaPlatformInitiator : HHH000490: Using JtaPlatform implementation: [org.hibernate.engine.transaction.jta.platform.internal.NoJtaPlatform]
2023-03-26 12:40:24.376 INFO 33504 --- [ main] j.LocalContainerEntityManagerFactoryBean : Initialized JPA EntityManagerFactory for persistence unit 'default'
Additionally, there is a simple UserController created where we can create, read and remove a user.
We can use curl to create a user:
$ curl --location 'localhost:8080/users/' \
--header 'Content-Type: application/json' \
--data '{
"name": "my-user-1"
}'
And we get a successful response:
{"id":1,"name":"my-user-1"}
5. Conclusion
In this article, we learned how to integrate the Spring Boot application with AWS Secrets Manager and how to retrieve a secret both for database credentials and other types of secrets.
As always, the example code can be found over on GitHub.
