How to Use AWS Secrets Manager in Spring Boot?

AWS Secrets Manager is one of the most popular AWS services for storing service secrets and other environment variables used when deploying applications. Spring applications read most of their variables from the application.properties file. In this article, we will see how to use AWS Secrets Manager in Spring Boot and use it to fetch secret variables.

Primary Terminologies:

  • Secrets Manager: Secrets Manager is a service offered by AWS for managing secret credentials, database credentials, API keys and other secrets.
  • Spring Boot: Spring Boot is a Java framework built for developing microservices and web-based REST applications.
  • Secrets: Secrets are properties stored in AWS Secrets Manager.

How to use AWS Secrets Manager in Spring Boot:

To configure AWS Secrets Manager in Spring Boot, let's first create a sample Spring Boot project. For this article, we will create a project with a simple controller and a configuration class containing the code for Secrets Manager. You can download the reference code from here.

To use Secrets Manager in the Spring project, the AWS SDK must be configured with credentials. Follow the steps in the docs below to configure the AWS credentials and SDK.

AWS JAVA SDK configuration

Step 1: Create Spring Boot Project

  • Create a Spring Boot project with your favorite IDE.
  • Make sure to add the following dependencies to the project's pom.xml file.
XML
<dependency>
  <groupId>org.projectlombok</groupId>
  <artifactId>lombok</artifactId>
  <optional>true</optional>
</dependency>
<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-test</artifactId>
  <scope>test</scope>
</dependency>
<dependency>
  <groupId>com.amazonaws</groupId>
  <artifactId>aws-java-sdk-core</artifactId>
  <version>1.12.721</version>
</dependency>
<dependency>
  <groupId>software.amazon.awssdk</groupId>
  <artifactId>secretsmanager</artifactId>
  <version>2.25.50</version>
</dependency>
<dependency>
  <groupId>software.amazon.awssdk</groupId>
  <artifactId>sso</artifactId>
  <version>2.25.50</version>
</dependency>
<dependency>
  <groupId>software.amazon.awssdk</groupId>
  <artifactId>ssooidc</artifactId>
  <version>2.25.52</version>
</dependency>

Step 2: Add code to the project

  • First, create a sample controller which will contain a route for fetching secrets from the secret manager class.
Java
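// Configuration class that holds the Secrets Manager client (defined below).
@Autowired
SecretManagerConfig secretManagerConfig;

// Demo route: looks up the secret named in the secretName query parameter
// and returns its secret string in the response body.
@GetMapping("/getsecret")
public String getSecret(@RequestParam String secretName) {
  String secretValue = SecretManagerConfig.getSecretFromAWS(secretManagerConfig.getSecretsManagerClient(), secretName).getProperty(secretName);
  return secretValue;
}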
  • Now let's add a configuration class for Secrets Manager. In this class we will create the Secrets Manager client as shown below.
  • The secret must be created in the same region as the one specified below.
Java
SecretManagerConfig(){
  // The client is bound to a single region; secrets are looked up in that region only.
  secretsManagerClient = SecretsManagerClient.builder().region(Region.AP_SOUTH_1).build();
}
  • Finally, add a method for fetching secrets from Secrets Manager.
Java
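// Fetches the secret called secretName and returns it in a Properties object keyed by that name.
// On a Secrets Manager error the returned Properties is empty.
public static Properties getSecretFromAWS(SecretsManagerClient secretsManagerClient, String secretName)
{
  Properties properties = new Properties();
  try {
    // Build the request; secretId takes the name (or ARN) of the secret.
    GetSecretValueRequest getSecretValueRequest = GetSecretValueRequest.builder()
      .secretId(secretName)
      .build();

    // Call AWS and store the returned secret string under the secret's name.
    GetSecretValueResponse valueResponse = secretsManagerClient.getSecretValue(getSecretValueRequest);
    properties.setProperty(secretName, valueResponse.secretString());

  } catch (SecretsManagerException e)
  {
    System.out.println(e.getMessage());
    System.out.println("Error while Fetching Secrets");
  }
  return properties;
}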
  • The above method first creates a request object with the secret name. The Secrets Manager client is then used to send the request and fetch the response from AWS.
  • The secret string from the received response is then stored in the properties and returned to the controller.

Step 3: Create the secret in AWS Secrets Manager

  • Go to the Secrets Manager page and click on Store secret.
  • Specify the secret you want to store. For this article we will store the "other type of secret" option.

Specify a name for the secret.

Leave the other values as default and click on Store.

Step 4: Test the application

Log in to AWS for the AWS SDK. We will be using SSO login.

Start the Spring application.

Hit the GET endpoint along with the secretName parameter.

We will get the secret string from Secrets Manager.

Conclusion

Thus we have successfully configured AWS Secrets Manager with a Spring Boot application. Secrets from Secrets Manager can be used to set properties in application.properties, which are then used by the Spring Boot application. Fetching secrets from AWS can be further configured to happen automatically based on application events and logic.

How to use AWS Secrets Manager in Spring Boot – FAQs:

Can I use AWS Secrets Manager with other AWS services in my Spring Boot application?

Yes, AWS Secrets Manager integrates well with other AWS services like Amazon RDS, Amazon Redshift, and Amazon ECS. You can securely manage and retrieve secrets needed for these services directly from your Spring Boot application.

What should I do if a secret retrieval fails?

If secret retrieval fails, handle exceptions such as ResourceNotFoundException, InvalidRequestException, and InvalidParameterException. Implement fallback mechanisms or alerting to ensure your application can continue to function or recover gracefully.
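The demo method in Step 2 catches only the generic SecretsManagerException and looks up whatever name the route receives. The following added example (not part of the original article's code) handles the exceptions named above separately and refuses names outside a fixed allow-list; the class name SecretLookup, the ALLOWED_SECRETS set and the secret name in it are assumptions made for illustration.

```java
import java.util.Optional;
import java.util.Set;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
import software.amazon.awssdk.services.secretsmanager.model.InvalidParameterException;
import software.amazon.awssdk.services.secretsmanager.model.InvalidRequestException;
import software.amazon.awssdk.services.secretsmanager.model.ResourceNotFoundException;
import software.amazon.awssdk.services.secretsmanager.model.SecretsManagerException;

// Added example: SecretLookup and ALLOWED_SECRETS are hypothetical names.
public class SecretLookup {
  // Constructed allow-list: the only secret names this application may read.
  private static final Set<String> ALLOWED_SECRETS = Set.of("demo/app/api-key");

  private final SecretsManagerClient client;

  public SecretLookup(SecretsManagerClient client) {
    this.client = client;
  }

  /** Returns the secret string, or empty if the name is not allowed or the lookup fails. */
  public Optional<String> fetch(String secretName) {
    if (secretName == null || !ALLOWED_SECRETS.contains(secretName)) {
      // Refuse before calling AWS; the rejected name is not echoed into the log.
      System.err.println("Secret lookup refused: name is not on the allow-list");
      return Optional.empty();
    }
    try {
      GetSecretValueRequest request =
          GetSecretValueRequest.builder().secretId(secretName).build();
      // secretString() is null for binary secrets, hence ofNullable.
      return Optional.ofNullable(client.getSecretValue(request).secretString());
    } catch (ResourceNotFoundException e) {
      // The secret does not exist in the client's region.
      System.err.println("Secret not found: " + secretName);
    } catch (InvalidRequestException | InvalidParameterException e) {
      System.err.println("Invalid request for " + secretName + ": " + e.getMessage());
    } catch (SecretsManagerException e) {
      // Any other service-side error; log the error message, never a secret value.
      System.err.println("Secrets Manager error: " + e.getMessage());
    }
    return Optional.empty();
  }
}
```

An empty Optional lets the caller choose the fallback or alerting path instead of passing a null secret onward.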

How can I test AWS Secrets Manager integration in my local development environment?

For local testing, you can mock the Secrets Manager client or use tools like LocalStack to simulate AWS services. This allows you to test your application’s secret management logic without accessing the actual AWS environment.

How do I ensure my Spring Boot application can access AWS Secrets Manager?

Ensure your application has the necessary AWS credentials and permissions to access Secrets Manager. This can be done using environment variables, IAM roles, or AWS credentials files. Properly set up IAM policies to restrict access to only the secrets the application needs.

What are common use cases for AWS Secrets Manager in a Spring Boot application?

Common use cases include managing database credentials, storing API keys for third-party services, and securely handling sensitive configuration data required by the application.