Daptal Ms

Reputation: 381

aws secrets from spring boot application

I have a spring boot application hosted in AWS EKS using the AWS Oracle RDS.

What is the best way to use it in the spring boot application

  1. Inject it via the library and use it - Question: does it update automatically when the password is rotated?
  2. Use the CSI driver and mount the secrets - Question: how do we access this file in the Spring Boot application? Is it just a plain file read, or is there a preferred way to read the file? Any suggestions or the ways you have implemented it will be appreciated.

Any links or industry standards will be appreciated.

Upvotes: 2

Views: 62

Answers (2)

Debashis Kar Suvra

Reputation: 16

Best Practices

  • Assign an IAM role to your EKS pod to grant access to AWS Secrets Manager. This avoids hardcoding AWS credentials in your application.

  • Use AWS Secrets Manager's automatic rotation feature to ensure credentials are regularly updated.

  • If your application is already running on Kubernetes, the CSI Driver approach is more Kubernetes-native and integrates well with the ecosystem.

  • Ensure secrets are encrypted at rest and in transit. Use Kubernetes RBAC to restrict access to secrets.

  • Use AWS CloudTrail and Kubernetes audit logs to monitor access to secrets.

Upvotes: 0

Badr B

Reputation: 1433

Best practice is to load the secrets on application startup (or some periodic refresh) from AWS Secrets Manager.

If you know the secret names beforehand, you can hardcode them in the Spring Boot application. If you're letting Secrets Manager generate the secret name automatically, you'll need to pass in the secret name as an environment variable to your Spring Boot application. This can be easily achieved if you're using IaC.

Here is a good tutorial on setting up the secrets access layer in Spring Boot using AWS Secrets Manager https://www.baeldung.com/spring-boot-integrate-aws-secrets-manager

Please note that your EKS cluster IAM role needs permission to retrieve the secrets. More information on that can be found here https://docs.aws.amazon.com/mediaconnect/latest/ug/iam-policy-examples-asm-secrets.html

Upvotes: 2
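The "load on startup plus periodic refresh" pattern from the answer above, as an added example (not code from the answer or from the linked tutorial). It assumes AWS SDK v2 `secretsmanager` and Jackson are on the classpath, the pod's IAM role grants `secretsmanager:GetSecretValue`, and the secret name arrives in a `DB_SECRET_NAME` environment variable (placeholder name); the secret is assumed to be the JSON shape RDS-managed secrets use.

```java
// Added example: fetch RDS credentials from AWS Secrets Manager at startup and
// re-read them on a schedule so a rotated password is picked up without a restart.
// Assumes AWS SDK v2 (secretsmanager) and Jackson on the classpath; the secret name
// comes from the DB_SECRET_NAME environment variable (placeholder, not from the post).
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.scheduling.annotation.Scheduled;
import org.springframework.stereotype.Component;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;

import java.util.concurrent.atomic.AtomicReference;

@Component
public class RdsCredentialsProvider {

    /** Immutable snapshot of the fields an RDS-managed secret contains. */
    public record DbCredentials(String username, String password, String host, int port, String dbname) {}

    private final SecretsManagerClient client = SecretsManagerClient.create(); // credentials from the pod's IAM role
    private final ObjectMapper mapper = new ObjectMapper();
    private final String secretName = System.getenv("DB_SECRET_NAME");
    private final AtomicReference<DbCredentials> current = new AtomicReference<>();

    public RdsCredentialsProvider() {
        current.set(fetch()); // fail fast at startup if the role cannot read the secret
    }

    /** Latest credentials; code that opens new DB connections should call this each time. */
    public DbCredentials current() { return current.get(); }

    /** Re-read every 5 minutes; Secrets Manager serves the AWSCURRENT version after rotation. */
    @Scheduled(fixedDelay = 300_000)
    public void refresh() {
        try {
            current.set(fetch());
        } catch (RuntimeException e) {
            // keep the last known-good credentials; a transient API error must not break the app
        }
    }

    private DbCredentials fetch() {
        GetSecretValueRequest req = GetSecretValueRequest.builder().secretId(secretName).build();
        JsonNode n = parse(client.getSecretValue(req).secretString());
        return new DbCredentials(n.get("username").asText(), n.get("password").asText(),
                n.get("host").asText(), n.get("port").asInt(), n.get("dbname").asText());
    }

    private JsonNode parse(String json) {
        try { return mapper.readTree(json); }
        catch (Exception e) { throw new IllegalStateException("secret is not valid JSON", e); }
    }
}
```

`@Scheduled` only fires when a configuration class carries `@EnableScheduling`; connections already in a pool stay valid after rotation, so only newly opened connections need the refreshed password.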
