Integrate AWS Secrets Manager With Spring Boot Application
Hi everyone! In this blog post, I will describe how to integrate AWS Secrets Manager into a Spring Boot application. I am using a simple CRUD Spring Boot project to show the implementation. Please see the completed Bitbucket example here.
Simply put, I am going to store the MongoDB credentials in AWS Secrets Manager. At application start-up, the application reads the secret values from AWS and connects to the DB while initializing the Spring context.
Please refer to the sequence diagram to get some idea about the integration.
Overview
What is AWS Secrets Manager?
AWS Secrets Manager is a secret management service that helps you protect access to your applications, services, and IT resources. This service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
Refer to the official document for more details: https://aws.amazon.com/about-aws/whats-new/2018/04/introducing-aws-secrets-manager/
In this post, I'm using AWS Secrets Manager to store the MongoDB credentials.
Technologies & Tools
Java 1.8
Maven 3.6.1
Spring Boot 2.2.7.RELEASE
log4j
aws-java-sdk-secretsmanager
Postman: version 9.19.2
Project Structure
OK, let's start our integration step by step.
Step 1: AWS Configuration
Before the application can access AWS Secrets Manager, we have to establish the link between the application and AWS. There are two ways to do that.
- Define AWS credentials in the project property file.
- Configure AWS CLI in the application running server.
The first one is very straightforward, but I'm going to use the second option.
As a first step, install the AWS CLI.
Then run the command 'aws configure' in your shell. It will ask a few questions as follows, and you have to provide valid details accordingly.
If you provided the correct details, you are ready to access AWS services remotely.
Refer to this https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html for more information.
Step 2: Create a new AWS Secret for our application
2.1: Go to the Secrets Manager Portal
Once you are logged into the AWS account, just search for 'AWS Secrets Manager'. It will redirect you to the correct page.
2.2: Choose a Secret Type
As you can see here, we have 4 secret types. The first 3 types are for AWS service credentials (Amazon RDS databases, Amazon DocumentDB databases and Amazon Redshift clusters).
Credentials for the Databases: for any database-related credentials.
Other type of secrets: we can store any kind of sensitive data here as key/value pairs. DB credentials can be stored here too.
Ex: private/public keys, API keys, host URLs, etc.
For this example, I'm using 'Other type of secrets' since it is the generic type.
2.3: Create a New Secret
2.4: Configure rotation (this is optional; you can leave it as it is)
Once you are done with this, click the 'Store' button.
2.5: Add data to the secret
Here you just need to click the newly created secret. You will be redirected to the page where you can add sensitive data as key/value pairs.
NOTE: This is only allowed if you have "write" access. Otherwise, you have to contact someone with admin privileges to do this.
Once you add the data, it will appear like this.
Now we have successfully configured the AWS secret for our application.
Step 3: POM.xml (Dependencies)
Please check the full POM file here.
Step 4: Create a CRUD Application
Here I'm using an Employee CRUD application, and I am not going to explain those steps in this post. But I will explain the classes MongoDBConfig.java and AWSSecretManagerService.java later on, under the infrastructure layer.
You can get the full working codebase here. I have added comments there for every possible step.
The following are the main parts of this CRUD application.
- Controller layer
- Domain layer
- Service Layer
- Infrastructure layer
- Repository layer
- Validations
- Exception handling
Step 5: application.properties file & AWSSecretManagerService file changes.
The application.properties file should contain the following 3 properties.
These properties are mandatory to connect to the AWS secret that we have already created.
endpoint: Secret manager host. You can get this from your AWS account.
region: Your AWS account region. You can get this from your AWS account(This will appear in the right upper corner)
secretName: The newly created secret name.
NOTE: We are not going to add any MongoDB-related properties here, since we fetch that information from our AWS secret. This is our main goal.
To access the AWS secret we introduce a new service class called "AWSSecretManagerService.java" (you can choose a different name).
Here I have put comments for each possible step.
What happens here is: first, we connect to AWS Secrets Manager to access our secret using the properties we added to the application.properties file.
Then we get the secret string from the 'getSecretValueResponse' response. Inside this string, the secret values come as key/value pairs.
Once we have the secret string, we convert it to a JSON object and populate those key/value pairs into a java.util.Properties object.
The Properties object also has a key/value structure. Then we return the populated Properties object (the secrets) to our MongoDBConfig class.
Step 6: MongoDBConfig File changes.
To connect to MongoDB I have created a class called 'MongoDBConfig' (you can choose a different name).
This is a configuration class, and Spring recognizes it as such at context-loading time because I have added the "@Configuration" annotation.
Here also I have added a few comments to explain the steps.
Here is what happens: when the application starts, the Spring context initializes.
According to line 29, the @PostConstruct method executes and fetches all the secret values as a java.util.Properties object from the AWSSecretManagerService class.
Because of the "@Configuration" annotation, Spring processes this class as a configuration class.
Now all MongoDB properties are in our hands 👍 and a connection has been established 👍.
The steps I have explained above happen while the Spring Boot application is starting, and they happen very quickly.
NOTE: Usually, in our Spring projects, we fetch those properties from the application.properties file. But as I showed earlier, we never added DB-related properties to it, since all of them are fetched from the AWS secret we created.
Now it is ready to connect and get the data according to your REST endpoint request.
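As an added example (not the code from the post's repository), here are the two classes from Step 5 and Step 6 written out together, using the aws-java-sdk-secretsmanager (v1) client and the MongoDB Java driver that Spring Boot 2.2 ships. The property names aws.secretsmanager.*, the package com.example.infrastructure and the mongo.* keys stored in the secret are assumptions; substitute the names you used in Steps 2.5 and 5.

```java
// Added example, not the post's own code. Two classes are shown together; in the
// project they would be separate files under the infrastructure package.
// Assumed application.properties keys (the post names only endpoint/region/secretName):
//   aws.secretsmanager.endpoint=https://secretsmanager.us-east-1.amazonaws.com
//   aws.secretsmanager.region=us-east-1
//   aws.secretsmanager.secretName=employee-app/mongo
// Assumed keys stored in the secret (Step 2.5): mongo.host, mongo.port,
// mongo.database, mongo.username, mongo.password.
package com.example.infrastructure;

import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.services.secretsmanager.AWSSecretsManager;
import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;
import com.amazonaws.services.secretsmanager.model.GetSecretValueRequest;
import com.amazonaws.services.secretsmanager.model.GetSecretValueResult;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.mongodb.ConnectionString;
import com.mongodb.MongoClientSettings;
import com.mongodb.MongoCredential;
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.mongodb.core.MongoTemplate;
import org.springframework.stereotype.Service;
import javax.annotation.PostConstruct;
import java.io.IOException;
import java.util.Properties;

@Service
class AWSSecretManagerService {
    @Value("${aws.secretsmanager.endpoint}") private String endpoint;
    @Value("${aws.secretsmanager.region}") private String region;
    @Value("${aws.secretsmanager.secretName}") private String secretName;
    private final ObjectMapper mapper = new ObjectMapper();

    // Fetches the secret and returns its key/value pairs as java.util.Properties.
    public Properties getSecrets() {
        // No access keys in code: the SDK's default credential chain uses the
        // profile written by 'aws configure' (or an instance/task role on AWS).
        AWSSecretsManager client = AWSSecretsManagerClientBuilder.standard()
                .withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration(endpoint, region))
                .build();
        GetSecretValueResult result =
                client.getSecretValue(new GetSecretValueRequest().withSecretId(secretName));
        String secretString = result.getSecretString();
        if (secretString == null) {
            // A binary secret has no SecretString: fail at start-up, not with an empty DB config.
            throw new IllegalStateException("Secret " + secretName + " has no string value");
        }
        return toProperties(secretString);
    }

    // Converts the JSON document {"k":"v", ...} returned by Secrets Manager into Properties.
    Properties toProperties(String json) {
        Properties props = new Properties();
        try {
            mapper.readTree(json).fields()
                  .forEachRemaining(f -> props.setProperty(f.getKey(), f.getValue().asText()));
        } catch (IOException e) {
            throw new IllegalStateException("Secret value is not valid JSON", e);
        }
        return props;
    }
}

@Configuration
public class MongoDBConfig {
    private final AWSSecretManagerService secretService;
    private Properties secrets;

    public MongoDBConfig(AWSSecretManagerService secretService) {
        this.secretService = secretService;
    }

    // Runs after this configuration bean is built and before its @Bean methods are called.
    @PostConstruct
    public void loadSecrets() {
        secrets = secretService.getSecrets();
    }

    @Bean
    public MongoClient mongoClient() {
        // Credential passed as an object, not embedded in the URI, so the password
        // never appears in a logged connection string.
        MongoCredential credential = MongoCredential.createCredential(
                secrets.getProperty("mongo.username"),
                secrets.getProperty("mongo.database"),
                secrets.getProperty("mongo.password").toCharArray());
        String uri = "mongodb://" + secrets.getProperty("mongo.host")
                + ":" + secrets.getProperty("mongo.port", "27017");
        return MongoClients.create(MongoClientSettings.builder()
                .applyConnectionString(new ConnectionString(uri))
                .credential(credential)
                .build());
    }

    @Bean
    public MongoTemplate mongoTemplate(MongoClient mongoClient) {
        return new MongoTemplate(mongoClient, secrets.getProperty("mongo.database"));
    }
}
```

With these two beans present, Spring Boot's Mongo auto-configuration steps aside (its own MongoClient and MongoTemplate are only created when no such beans exist), so no spring.data.mongodb.* properties are needed, which is exactly the point of the NOTE above. The secret is read once at start-up; if the secret is rotated later, the application has to be restarted (or the fetch moved behind a refresh) to pick up the new password.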
Step 7: Testing.
To test this I'm using Postman. Once we run the application, we can access the data in the usual manner. Please see some examples below.
Create Employee
Retrieve Employee By Id
OK! We did 👍 all the things related to our topic, including the testing.
Please visit the completed working codebase here; I have explained every possible step in the comments of the codebase. Please leave a comment if you have concerns or questions.