Integrate AWS Secrets Manager in Spring Boot

Last updated: January 8, 2024

Written by: baeldung

Reviewed by: Ashley Frieze

Spring Boot

Refactor Java code safely — and automatically — with OpenRewrite.

Refactoring big codebases by hand is slow, risky, and easy to put off. That’s where OpenRewrite comes in. The open-source framework for large-scale, automated code transformations helps teams modernize safely and consistently.

Each month, the creators and maintainers of OpenRewrite at Moderne run live, hands-on training sessions — one for newcomers and one for experienced users. You’ll see how recipes work, how to apply them across projects, and how to modernize code with confidence.

Join the next session, bring your questions, and learn how to automate the kind of work that usually eats your sprint time.

Distributed systems often come with complex challenges such as service-to-service communication, state management, asynchronous messaging, security, and more.

Dapr (Distributed Application Runtime) provides a set of APIs and building blocks to address these challenges, abstracting away infrastructure so we can focus on business logic.

In this tutorial, we'll focus on Dapr's pub/sub API for message brokering. Using its Spring Boot integration, we'll simplify the creation of a loosely coupled, portable, and easily testable pub/sub messaging system:

>> Flexible Pub/Sub Messaging With Spring Boot and Dapr

1. Overview

In this tutorial, we’ll integrate a Spring Boot application with AWS Secrets Manager in order to retrieve database credentials and other types of secrets such as API keys.

2. AWS Secrets Manager

AWS Secrets Manager is an AWS service that enables us to securely store, rotate, and manage credentials, e.g., for database, API keys, tokens, or any other secrets we’d like to manage.

We can distinguish between two types of secrets – one for strictly database credentials and one more generic for any other kind of secret.

A good example of using AWS Secrets Manager is to provide some set of credentials or an API key to our application.

The recommended way of keeping secrets is in JSON format. Additionally, if we’d like to use the secret rotation feature we must use the JSON structure.

3. Integration With AWS Secrets Manager

AWS Secrets Manager can be easily integrated with our Spring Boot application. Let’s try it out by creating secrets in AWS via the AWS CLI and then retrieving them via simple configurations in Spring Boot.

3.1. Secret Creation

Let’s create a secret in AWS Secrets Manager. For that, we can use the AWS CLI and the aws secretsmanager create-secret command.

In our case, let’s name the secret test/secret/ and create two pairs of API keys – api-key1 with apiKeyValue1 and api-key2 with the value of apiKeyValue2:

aws secretsmanager create-secret \ 
--name test/secret/ \ 
--secret-string "{\"api-key1\":\"apiKeyValue1\",\"api-key2\":\"apiKeyValue2\"}"

As a response, we should get the ARN of the created secret, its name, and version id:

{
    "ARN": "arn:aws:secretsmanager:eu-central-1:111122223333:secret:my/secret/-gLK10U",
    "Name": "test/secret/",
    "VersionId": "a04f735e-3b5f-4194-be0d-719d5386b67b"
}

3.2. Spring Boot Application Integration

In order to retrieve our new secret we have to add the spring-cloud-starter-aws-secrets-manager-config dependency:

<dependency>
    <groupId>io.awspring.cloud</groupId>
    <artifactId>spring-cloud-starter-aws-secrets-manager-config</artifactId>
    <version>2.4.4</version>
</dependency>

The next step is to add a property in our application.properties file:

spring.config.import=aws-secretsmanager:test/secret/

We provide here the name of the secret we just created. With that set up, let’s use our new secrets in the application and verify their values.

In order to do so, we can inject our secrets into the application via the @Value annotation. In the annotation, we specify the names of the secret fields we provided during the secret creation process. In our case, it was api-key1 and api-key2:

@Value("${api-key1}")
private String apiKeyValue1;

@Value("${api-key2}")
private String apiKeyValue2;

To verify our values in this example, let’s just print them after bean property initialization in our @PostConstruct:

@PostConstruct
private void postConstruct() {
    System.out.println(apiKeyValue1);
    System.out.println(apiKeyValue2);
}

We should note that it’s not good practice to output secret values to our console. However, we can see in this example that when we run our application, our values have been loaded correctly:

2023-03-26 12:40:24.376  INFO 33504 [main] j.LocalContainerEntityManagerFactoryBean : Initialized JPA EntityManagerFactory for persistence unit 'default'
apiKeyValue1
apiKeyValue2
2023-03-26 12:40:25.306  INFO 33504 [main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat started on port(s): 8080 (http) with context path ''

4. Special Secret for Database Credentials

There is a special type of secret in AWS Secrets Manager for storing database credentials. We can pick from one of the supported databases by AWS such as Amazon RDS, Amazon DocumentDB, or Amazon Redshift. Another possibility for non-Amazon databases is to provide a server address, database name, and port.

With the use of aws-secretsmanager-jdbc library in our Spring Boot application, we can easily provide these credentials to our database. Furthermore, if we rotate the credentials in Secrets Manager, the AWS-provided library automatically retrieves a new set of credentials when it receives authentication errors using the previous credentials.

4.1. Database Secret Creation

In order to create a database type secret in AWS Secrets Manager, we’ll again use AWS CLI:

$ aws secretsmanager create-secret \
    --name rds/credentials \
    --secret-string file://mycredentials.json

In the above command, we’re using mycredentials.json file where we specify all necessary properties for our database:

{
  "engine": "mysql",
  "host": "cwhgvgjbpqqa.eu-central-rds.amazonaws.com",
  "username": "admin",
  "password": "password",
  "dbname": "db-1",
  "port": "3306"
}

4.2. Spring Boot Application Integration

Once we’ve created the secret we’re ready to use it in our Spring Boot application. For that, we’ll need to add a few dependencies such as aws-secretsmanager-jdbc and mysql-connector-java:

<dependency>
    <groupId>com.amazonaws.secretsmanager</groupId>
    <artifactId>aws-secretsmanager-jdbc</artifactId>
    <version>1.0.11</version>
</dependency>
<dependency>
    <groupId>mysql</groupId>
    <artifactId>mysql-connector-java</artifactId>
    <version>8.0.32</version>
</dependency>

Lastly, we also need to set up some properties in the application.properties file:

spring.datasource.driver-class-name=com.amazonaws.secretsmanager.sql.AWSSecretsManagerMySQLDriver
spring.jpa.database-platform=org.hibernate.dialect.MySQLDialect
spring.datasource.url=jdbc-secretsmanager:mysql://db-1.cwhqvgjbpgfw.eu-central-1.rds.amazonaws.com:3306
spring.datasource.username=rds/credentials

In spring.datasource.driver-class-name, we specify the name of a driver we want to use.

The next one is spring.jpa.database-platform, where we provide our dialect.

When we specify our URL for the database in spring.datasource.url we have to add jdbc-secretsmanager prefix before that URL. This is required since we’re integrating with AWS Secrets Manager. In this example, our URL refers to a MySQL RDS instance, though it could refer to any MySQL database.

In the spring.datasource.username, we only have to provide the key to the AWS Secrets Manager we set up before. Based on these properties, our application will try to connect to Secrets Manager and retrieve a username and a password before it makes a connection to the database.

In the application logs, we can see that we managed to get the connection to the database and the EntityManager has been initialized:

2023-03-26 12:40:22.648  INFO 33504 --- [           main] o.hibernate.jpa.internal.util.LogHelper  : HHH000204: Processing PersistenceUnitInfo [name: default]
2023-03-26 12:40:22.697  INFO 33504 --- [           main] org.hibernate.Version                    : HHH000412: Hibernate ORM core version 5.6.12.Final
2023-03-26 12:40:22.845  INFO 33504 --- [           main] o.hibernate.annotations.common.Version   : HCANN000001: Hibernate Commons Annotations {5.1.2.Final}
2023-03-26 12:40:22.951  INFO 33504 --- [           main] com.zaxxer.hikari.HikariDataSource       : HikariPool-1 - Starting...
2023-03-26 12:40:23.752  INFO 33504 --- [           main] com.zaxxer.hikari.HikariDataSource       : HikariPool-1 - Start completed.
2023-03-26 12:40:23.783  INFO 33504 --- [           main] org.hibernate.dialect.Dialect            : HHH000400: Using dialect: org.hibernate.dialect.MySQL5Dialect
2023-03-26 12:40:24.363  INFO 33504 --- [           main] o.h.e.t.j.p.i.JtaPlatformInitiator       : HHH000490: Using JtaPlatform implementation: [org.hibernate.engine.transaction.jta.platform.internal.NoJtaPlatform]
2023-03-26 12:40:24.376  INFO 33504 --- [           main] j.LocalContainerEntityManagerFactoryBean : Initialized JPA EntityManagerFactory for persistence unit 'default'

Additionally, there is a simple UserController created where we can create, read and remove a user.

We can use curl to create a user:

$ curl --location 'localhost:8080/users/' \
--header 'Content-Type: application/json' \
--data '{
    "name": "my-user-1"
}'

And we get a successful response:

{"id":1,"name":"my-user-1"}

5. Conclusion

In this article, we learned how to integrate the Spring Boot application with AWS Secrets Manager and how to retrieve a secret both for database credentials and other types of secrets.

The code backing this article is available on GitHub. Once you're logged in as a Baeldung Pro Member, start learning and coding on the project.