user10405172

Reputation: 51

How do I retrieve multiple AWS Security Secrets?

Using spring-cloud-starter-aws-secrets-manager-config to retrieve AWS secrets at application start up. After defining multiple secrets in AWS secrets manager I cannot see how I can define multiple mappings to map those secrets.

bootstrap.yml

aws:
  secretsmanager:
    prefix: /secret
    defaultContext: context-name
    profileSeparator: _
    failFast: true
    name: service-name
    enabled: true

pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.0.9.RELEASE</version>
        <relativePath /> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.example</groupId>
    <artifactId>demo</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>demo</name>
    <description>Demo project for Spring Boot</description>

    <properties>
        <java.version>1.8</java.version>
    </properties>

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-dependencies</artifactId>
                <version>Finchley.SR4</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <dependencies>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-aws-secrets-manager-config</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>

Secrets defined in AWS as:

/secret/context-name/val1 [foo:bar]
/secret/context-name/val2 [wibble:wombat]

The underlying code in AwsSecretsManagerPropertySource seems to look for the actual secret at the following names only:

/secret/context-name
/secret/context-name_
/secret/service-name
/secret_service-name_

so it never finds the secret at /secret/context-name/X.

Is this expected behaviour? If so, how would I define multiple secrets in bootstrap.yml?

Upvotes: 4

Views: 2365

Answers (2)

unknown programmer guy

Reputation: 308

You can define your custom (not read by Spring by default) secret name via

spring:
  config:
    import: optional:aws-secretsmanager:{secret arn}

or via

spring:
  config:
    import: optional:aws-secretsmanager:{/secret/shortName}

When a Spring Boot application boots up, it usually reads and loads secrets into the environment from these secrets:

/prefix/application
/prefix/{your-application-name}

in addition to what you defined via spring.config.import.

You can read more about it here.

Upvotes: 1

shwetap

Reputation: 731

For me, the configuration below in bootstrap.yml worked:

spring:
  application:
    name: AwsSecretManager
aws:
  secretsmanager:
    prefix: /secret
    defaultContext: service
    profileSeparator: _
    failFast: true
    name: AwsSecretManager
    enabled: true
cloud:
  aws:
    stack:
      auto: false
    region:
      use-default-aws-region-chain: true
    credentials:
      use-default-aws-credentials-chain: true

Properties defined in AWS as below:

Secret name: /secret/AwsSecretManager_dev

Here dev denotes the profile for which the properties are defined.

Note: The configuration defined in bootstrap.yml is just a sample configuration for only the Secrets Manager service and does not make use of AWS stack. The properties will vary based on requirement.

Upvotes: 0
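As an added illustration (not code from the question or either answer, and not Spring Cloud AWS's own source), the following Python models the two points the thread turns on: the name-resolution scheme the question describes (only prefix/defaultContext and prefix/name, each optionally suffixed with the profile separator and an active profile, are ever requested), and the "/secret/<name>_<profile>" naming that shwetap's answer relies on. The in-memory store and every secret value are constructed samples; the precedence rule (a more specific name overrides a less specific one) and the failFast behaviour are assumptions modelled here, not verified against the library.

```python
import json
from typing import Dict, List, Tuple

# Constructed stand-in for AWS Secrets Manager: secret name -> secret string.
# The first two names are the ones the question created; the last two follow
# shwetap's "/secret/<name>_<profile>" scheme. Values are made-up samples.
FAKE_SECRETS_MANAGER: Dict[str, str] = {
    "/secret/context-name/val1": json.dumps({"foo": "bar"}),
    "/secret/context-name/val2": json.dumps({"wibble": "wombat"}),
    "/secret/AwsSecretManager": json.dumps({"db.user": "app", "db.password": "default-sample"}),
    "/secret/AwsSecretManager_dev": json.dumps({"db.password": "dev-sample"}),
}


def candidate_secret_names(prefix: str, default_context: str, name: str,
                           profile_separator: str, active_profiles: List[str]) -> List[str]:
    """Names the starter asks Secrets Manager for, as described in the question:
    <prefix>/<defaultContext>, <prefix>/<defaultContext><sep><profile>, then the
    same two shapes for <name>. Ordered from least to most specific. Nothing below
    a context (for example /secret/context-name/val1) is ever requested."""
    names: List[str] = []
    for context in (default_context, name):
        names.append(f"{prefix}/{context}")
        for profile in active_profiles:
            names.append(f"{prefix}/{context}{profile_separator}{profile}")
    return names


def load_properties(store: Dict[str, str], prefix: str, default_context: str, name: str,
                    profile_separator: str, active_profiles: List[str],
                    fail_fast: bool = False) -> Tuple[List[str], Dict[str, str]]:
    """Fetch every candidate that exists and merge its JSON key/value pairs into one
    property map. Assumption (modelled here, not verified against the library): later,
    more specific names override earlier ones, so the profile-specific secret wins.
    With fail_fast the load aborts when no candidate exists; that is the failure mode
    to prefer over starting with silently empty properties."""
    found: List[str] = []
    merged: Dict[str, str] = {}
    for secret_name in candidate_secret_names(prefix, default_context, name,
                                              profile_separator, active_profiles):
        raw = store.get(secret_name)
        if raw is None:
            continue
        found.append(secret_name)
        merged.update(json.loads(raw))
    if fail_fast and not found:
        raise RuntimeError("no secret found under any of the candidate names")
    return found, merged


if __name__ == "__main__":
    # The question's bootstrap.yml: the per-value names are never requested.
    print(candidate_secret_names("/secret", "context-name", "service-name", "_", []))
    # shwetap's bootstrap.yml with the "dev" profile active.
    print(load_properties(FAKE_SECRETS_MANAGER, "/secret", "service",
                          "AwsSecretManager", "_", ["dev"]))
```

Running the first scenario shows why the question's layout fails: the store holds /secret/context-name/val1 and /secret/context-name/val2, but neither name is ever requested, so with failFast the application stops at startup. Keeping the key/value pairs as separate keys of a single secret at one of the requested names, or importing the extra names explicitly with spring.config.import as the first answer suggests, are the two ways the thread points to.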
