Mahima Tiwary

Reputation: 383

Importing secrets in Spring Boot application from AWS Secrets Manager

I stored my MySQL DB credentials in AWS secrets manager using the Credentials for other database option. I want to import these credentials in my application.properties file. Based on a few answers I found in this thread, I did the following:

  1. Added the dependency spring-cloud-starter-aws-secrets-manager-config
  2. Added spring.application.name = <application name> and spring.config.import = aws-secretsmanager: <Secret name> in application.properties
  3. Used secret keys as placeholders in the following properties:
spring.datasource.url = jdbc:mysql://${host}:3306/db_name
spring.datasource.username=${username}
spring.datasource.password=${password}

I am getting the following error while running the application:

java.lang.IllegalStateException: Unable to load config data from 'aws-secretsmanager:<secret_name>'
Caused by: java.lang.IllegalStateException: File extension is not known to any PropertySourceLoader. If the location is meant to reference a directory, it must end in '/' or File.separator

First, is the process I am following correct? If yes, what is this error about and how do I resolve it?

Upvotes: 9

Views: 30339

Answers (2)

Mahima Tiwary

Reputation: 383

I found the problem that was causing the error. Apparently I was adding the wrong dependency.

According to the latest docs, the configuration support for using spring.config.import to import AWS secrets has been moved to io.awspring.cloud from org.springframework.cloud. So the updated dependency would be io.awspring.cloud:spring-cloud-starter-aws-secrets-manager-config:2.3.3 and NOT org.springframework.cloud:spring-cloud-starter-aws-secrets-manager-config:2.2.6

Upvotes: 17

jcompetence

Reputation: 8383

You are trying to use spring.config.import, and the support for this was introduced in Spring Cloud 2.3.0:

https://spring.io/blog/2021/03/17/spring-cloud-aws-2-3-is-now-available

Secrets Manager

Support loading properties through spring.config.import, introduced in Spring Cloud 2020.0. Read more about integrating your Spring Cloud application with the AWS secrets manager. Removed the dependency to auto-configure module #526. Dropped the dependency to javax.validation:validation-api. Allow Secrets Manager prefix without “/” in the front #736.



In spring-cloud 2020.0.0 (aka Ilford), the bootstrap phase is no longer enabled by default. In order to enable it, you need an additional dependency:

<dependency>
  <groupId>org.springframework.cloud</groupId>
  <artifactId>spring-cloud-starter-bootstrap</artifactId>
  <version>{spring-cloud-version}</version>
</dependency>

However, starting with spring-cloud-aws 2.3, it allows importing the default AWS Secrets Manager keys (spring.config.import=aws-secretsmanager:) or individual keys (spring.config.import=aws-secretsmanager:secret-key;other-secret-key).

https://github.com/spring-cloud/spring-cloud-aws/blob/main/docs/src/main/asciidoc/secrets-manager.adoc



application.yml

spring.config.import: aws-secretsmanager:/secrets/spring-cloud-aws-sample-app

Or try to leave it empty:

spring.config.import=aws-secretsmanager:

As such, it will take spring.application.name by default.

App:

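import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.ApplicationRunner;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;

@SpringBootApplication
public class App {

    private static final Logger LOGGER = LoggerFactory.getLogger(App.class);

    public static void main(String[] args) {
        SpringApplication.run(App.class, args);
    }

    // Runs once at startup; ${password} is resolved from the imported secret's "password" key.
    @Bean
    ApplicationRunner applicationRunner(@Value("${password}") String password) {
        return args -> {
            // Demo only: this writes the secret value to the application log.
            LOGGER.info("`password` loaded from the AWS Secret Manager: {}", password);
        };
    }

}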

Upvotes: 4
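The check below is an added example, not code from either answer or from the Spring Cloud AWS project. It confirms at startup that the question's placeholder keys (host, username, password) resolve, and reports which property source supplies each one without logging the value; generic key names such as username can also be defined by other property sources, for example environment variables. The class name and the skipped "configurationProperties" wrapper source name are assumptions about a standard Spring Boot setup.

```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.ApplicationRunner;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.ConfigurableEnvironment;
import org.springframework.core.env.PropertySource;
import java.util.ArrayList;
import java.util.List;

// Added example (hypothetical class name): startup check for the secret keys used as placeholders.
@Configuration
public class SecretKeysStartupCheck {

    private static final Logger LOGGER = LoggerFactory.getLogger(SecretKeysStartupCheck.class);
    // Keys taken from the question's placeholders: ${host}, ${username}, ${password}.
    private static final String[] REQUIRED_KEYS = {"host", "username", "password"};
    // Assumption: Spring Boot attaches this wrapper source first; it mirrors all others, so skip it.
    private static final String ATTACHED_SOURCE = "configurationProperties";

    @Bean
    ApplicationRunner secretKeysCheck(ConfigurableEnvironment env) {
        return args -> {
            List<String> missing = new ArrayList<>();
            for (String key : REQUIRED_KEYS) {
                String source = winningSource(env, key);
                if (source == null) {
                    missing.add(key);
                } else {
                    // Log the key and where it came from, never the value.
                    LOGGER.info("'{}' resolved from property source '{}'", key, source);
                }
            }
            if (!missing.isEmpty()) {
                throw new IllegalStateException("Secret keys not found in any property source: " + missing);
            }
        };
    }

    // Property sources are iterated in precedence order, so the first match is the one that wins.
    static String winningSource(ConfigurableEnvironment env, String key) {
        for (PropertySource<?> ps : env.getPropertySources()) {
            if (!ATTACHED_SOURCE.equals(ps.getName()) && ps.containsProperty(key)) {
                return ps.getName();
            }
        }
        return null;
    }
}
```

If a key is reported from a source other than the Secrets Manager import, the datasource is not using the stored credential for that key.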
