AWS Secret Manager Service as application properties with Spring boot

Secrets Manager enables us to supersede hardcoded credentials in our code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically. These avails ascertain the secret can't be compromised by someone examining our code, because the secret no longer subsists in the code. Withal, we can configure Secrets Manager to automatically rotate the secret for us according to a designated schedule. This enables us to supersede long-term secrets with short-term ones, significantly abbreviating the peril of compromise.

Overview


1. The admin creates a new secret in AWS Secrets Manager
2. A Spring Boot application uses the secret name to access the secrets stored in AWS Secrets Manager

Step 1: Create & Store secrets in AWS Secret Manager.

Use the AWS Console to create and store a new secret in AWS Secrets Manager. Link

Step 2: Add the below dependency to the pom.xml file.

<dependency>
    <groupId>com.amazonaws</groupId>
    <artifactId>aws-java-sdk-secretsmanager</artifactId>
    <version>1.11.942</version>
</dependency>

Programmatic approach

Step 3: Create an application listener class to retrieve secrets

package com.knf.aws.secretmanager.demo.listner;

import java.io.IOException;
import java.util.Properties;
import org.springframework.boot.context.event.ApplicationPreparedEvent;
import org.springframework.context.ApplicationListener;
import org.springframework.core.env.ConfigurableEnvironment;
import org.springframework.core.env.PropertiesPropertySource;
import com.amazonaws.services.secretsmanager.AWSSecretsManager;
import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;
import com.amazonaws.services.secretsmanager.model.DecryptionFailureException;
import com.amazonaws.services.secretsmanager.model.GetSecretValueRequest;
import com.amazonaws.services.secretsmanager.model.GetSecretValueResult;
import com.amazonaws.services.secretsmanager.model.InternalServiceErrorException;
import com.amazonaws.services.secretsmanager.model.InvalidParameterException;
import com.amazonaws.services.secretsmanager.model.InvalidRequestException;
import com.amazonaws.services.secretsmanager.model.ResourceNotFoundException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

public class PropertiesListener implements 
              ApplicationListener<ApplicationPreparedEvent> {

    private ObjectMapper mapper = new ObjectMapper();
    private static final String AWS_SECRET_NAME = "<AWS_SECRET_NAME>";
    private static final String AWS_REGION = "<AWS_REGION>";
    private static final String USERNAME = "username";
    private static final String PASSWORD = "password";

    @Override
    public void onApplicationEvent(ApplicationPreparedEvent event) {
        // Get username and password from AWS Secret Manager using secret name
        String secretJson = getSecret();
        String database = getString(secretJson, USERNAME);
        String uri = getString(secretJson, PASSWORD);
        ConfigurableEnvironment environment = event.
                        getApplicationContext().getEnvironment();
        Properties props = new Properties();
        props.put(USERNAME, database);
        props.put(PASSWORD, uri);
        environment.getPropertySources().addFirst
                 (new PropertiesPropertySource("aws.secret.manager", props));
    }

    private String getSecret() {
       // Create a Secrets Manager client
        AWSSecretsManager client = AWSSecretsManagerClientBuilder.
                       standard().withRegion(AWS_REGION).build();
        String secret = null;
        GetSecretValueRequest getSecretValueRequest = new 
                        GetSecretValueRequest().withSecretId(AWS_SECRET_NAME);
        GetSecretValueResult getSecretValueResult = null;
        try {
            getSecretValueResult = client.getSecretValue(getSecretValueRequest);
            if (getSecretValueResult != null && getSecretValueResult.
                                    getSecretString() != null) {
                secret = getSecretValueResult.getSecretString();
            }
        } catch (DecryptionFailureException | InternalServiceErrorException 
                                             | InvalidParameterException
                | InvalidRequestException | ResourceNotFoundException e) {

            return null;
        }
        return secret;
    }

    private String getString(String json, String path) {
        try {
            JsonNode root = mapper.readTree(json);
            return root.path(path).asText();
        } catch (IOException e) {

            return null;
        }
    }
}


Step 4: Add the new application listener to the spring.factories

We will also need to add the new application listener to the spring.factories file in the folder src/main/resources/META-INF/spring.factories:
org.springframework.context.ApplicationListener=com.knf.aws.secretmanager.demo.listner.PropertiesListener

More...


Comments

Post a Comment

Popular posts from this blog

Spring Boot OpenAI Integration: Step-by-Step Guide

Image
Here's a simple explanation: User Interaction : The User interacts with Postman to send requests (e.g., test API endpoints of the Spring Boot application). Postman : Postman sends requests to the Spring Boot Application . Spring Boot Application : Postman calls the Controller in the Spring Boot application. The Controller handles the incoming requests and delegates the logic to the Service layer. The Service interacts with the OpenAiClient to perform the actual communication with OpenAI. External System : The OpenAiClient sends the request to the OpenAI API to get a response. The response flows back through the layers ( OpenAiClient → Service → Controller ) and is returned to the user via Postman . To integrate ChatGPT into a Spring Boot application, you can use the OpenAI API to send requests to ChatGPT and get responses. Below is an example of how you can create a simple Spring Boot service that integrates with OpenAI's API to use ChatGPT. 1: Set up your Spring Boo...
Read more

Orchestration-Based Saga Architecture and Spring Boot Microservices Implementation Guide

Image
The image illustrates an orchestration-based saga pattern for handling distributed transactions across two microservices: Order Service and Customer Service . This approach uses a central orchestrator (the saga) to coordinate the interactions between services and ensure consistency. Here’s an end-to-end explanation of the flow: 1. Order Creation Request A client sends an HTTP POST /orders request to the Order Controller in the Order Service . The Order Controller is responsible for receiving the request and delegating it to the Order Service . 2. Order Creation in the Saga The Order Service invokes the create() method in the Create Order Saga . The Create Order Saga is the orchestrator responsible for coordinating the steps involved in completing the transaction. 3. Order Aggregate Creation The Create Order Saga initiates the creation of the Order aggregate in the Order Service . The Order aggregate represents the state and business logic of the order. 4. Reserve Credit Com...
Read more

Spring Boot 3 + Angular 15 + Material - Full Stack CRUD Application Example

Image
In this section we will develop a full-stack application that is a basic Student management application using Spring Boot 3, Angular 15, Material and PostgreSQL. You could download the source code from our GitHub repository, the download link is provided at the end of this article. After completing this tutorial what we will build?   We will build a full-stack web application that is a basic Student Management Application with CRUD features:  Create Student List Student Update Student  Delete Student Technologies used: Spring Boot 3+ Spring Data JPA PostgreSQL Java 17 Angular 15 Angular Material UI 1. Backend Development Creating a Spring boot web application First, open the Spring initializr: https://start.spring.io/   Then, Provide the Group and Artifact name. We have provided Group name com.knf.dev.demo and Artifact spring-boot3-postgresql-crud-app . Here I selected the Maven project - language Java 17 ,  Spring Boot 3.1.4  (latest) and add Sp...
Read more