Securing sensitive information like database credentials is paramount in the modern software landscape. Exposing these secrets can lead to severe security breaches. AWS Secrets Manager provides a robust, automated solution for managing and securing secrets like database passwords. In this blog, we’ll explore how to integrate AWS Secrets Manager with a Spring Boot application for secure database configuration.

Why Choose AWS Secrets Manager for Spring Boot Database Integration?

AWS Secrets Manager offers a centralized, automated, and scalable way to manage secrets. Here’s why it stands out:

  • Automated Rotation: Regularly rotates database credentials without manual intervention, reducing human error.
  • Access Control: Integrates seamlessly with AWS Identity and Access Management (IAM) for fine-grained access control.
  • Encryption: Encrypts secrets at rest and in transit using AWS Key Management Service (KMS).
  • Audit Trails: Logs all access and changes in AWS CloudTrail for compliance and monitoring.

Setting Up AWS Secrets Manager for Database Credentials

Step 1: Create a Secret in AWS Secrets Manager

  1. Navigate to the AWS Secrets Manager console.
  2. Select Store a new secret and choose the Credentials for RDS database option.
  3. Enter your database username and password.
  4. Assign the secret a meaningful name, e.g., myapp/database/credentials.
  5. Configure secret rotation and associate it with an AWS Lambda function for password rotation (optional but recommended).

Step 2: Configure IAM Permissions

Create an IAM policy that allows your Spring Boot application to read the secret, and attach it to the IAM role the application runs under (the EC2 instance role or ECS task role). Grant only the action and the specific secret the application needs.
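A least-privilege policy for that role, added here as an example (not from the original post). The region and account id are placeholders, and the trailing -* matches the random suffix Secrets Manager appends to every secret ARN:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadDatabaseSecret",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:<region>:<account-id>:secret:myapp/database/credentials-*"
    }
  ]
}
```

If the secret is encrypted with a customer managed KMS key rather than the AWS managed key, the role also needs kms:Decrypt on that key.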

Integrating AWS Secrets Manager with Spring Boot Application

Adding Required Dependencies

Include the following dependencies in your pom.xml for Maven:

<dependency>
    <groupId>com.amazonaws</groupId>
    <artifactId>aws-java-sdk-secretsmanager</artifactId>
    <version>1.12.635</version>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!-- Needed by the SecretsManagerService class below, which parses the secret with org.json -->
<dependency>
    <groupId>org.json</groupId>
    <artifactId>json</artifactId>
    <version>20231013</version>
</dependency>
<!-- MySQL JDBC driver referenced in application.properties; version managed by Spring Boot -->
<dependency>
    <groupId>com.mysql</groupId>
    <artifactId>mysql-connector-j</artifactId>
    <scope>runtime</scope>
</dependency>

For Gradle, use:

implementation 'com.amazonaws:aws-java-sdk-secretsmanager:1.12.635'
implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
implementation 'org.springframework.boot:spring-boot-starter-web'
implementation 'org.json:json:20231013'          // parses the secret JSON in SecretsManagerService
runtimeOnly 'com.mysql:mysql-connector-j'         // MySQL JDBC driver used in application.properties

Configuring Application Properties

Update your application.properties or application.yml file with the connection URL and driver. The username and password are deliberately left out of this file: they are fetched from AWS Secrets Manager at runtime, so no credential is ever committed with the source.

spring.datasource.url=jdbc:mysql://<database-endpoint>:3306/<database-name>
spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver

Fetching Secrets Programmatically

Use the AWS SDK to retrieve the secrets:

import com.amazonaws.services.secretsmanager.AWSSecretsManager;
import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;
import com.amazonaws.services.secretsmanager.model.GetSecretValueRequest;
import com.amazonaws.services.secretsmanager.model.GetSecretValueResult;
import org.json.JSONObject;

public class SecretsManagerService {

    /**
     * Fetches the secret and parses its JSON payload. A secret created with the
     * "Credentials for RDS database" option stores the keys "username" and "password"
     * (plus host, port, dbname and engine).
     */
    public static JSONObject getSecret(String secretName) {
        // The default credential chain picks up the EC2 instance or ECS task role automatically.
        AWSSecretsManager client = AWSSecretsManagerClientBuilder.standard().build();
        GetSecretValueRequest request = new GetSecretValueRequest().withSecretId(secretName);
        GetSecretValueResult result = client.getSecretValue(request);
        // getSecretString() is null for binary secrets; this integration stores JSON text.
        return new JSONObject(result.getSecretString());
    }
}

Call this method during application startup and use the returned username and password fields to build the DataSource, so the credentials are injected at runtime instead of being stored in configuration files.

Ensuring Connectivity Between Spring Boot Application and AWS Secrets Manager

Ensure the application's EC2 instance or container is configured with an IAM role that has permission to access the secret. Test connectivity from that instance or container using the AWS CLI:

aws secretsmanager get-secret-value --secret-id myapp/database/credentials

Testing Database Connectivity and Password Rotation

  1. Run the Spring Boot application and verify the database connection is established successfully.
  2. Simulate a password rotation in AWS Secrets Manager.
  3. Confirm the application automatically picks up the new credentials without requiring a restart.
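The configuration below is an added example (not from the original post) showing how the fetched secret reaches the DataSource and how a rotated password is picked up without a restart. It assumes a property app.db.secret-name holding the secret name, HikariCP (Spring Boot's default connection pool) and the org.json library; the refresh interval property app.db.secret-refresh-ms is also assumed.

```java
import com.amazonaws.services.secretsmanager.AWSSecretsManager;
import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;
import com.amazonaws.services.secretsmanager.model.GetSecretValueRequest;
import com.zaxxer.hikari.HikariDataSource;
import org.json.JSONObject;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.scheduling.annotation.EnableScheduling;
import org.springframework.scheduling.annotation.Scheduled;

@Configuration
@EnableScheduling
public class DataSourceConfig {

    private final AWSSecretsManager client = AWSSecretsManagerClientBuilder.standard().build();

    @Value("${app.db.secret-name}")        // assumed property, e.g. myapp/database/credentials
    private String secretName;

    @Value("${spring.datasource.url}")     // URL from application.properties; no credentials there
    private String jdbcUrl;

    private HikariDataSource dataSource;

    // Reads the secret; "username" and "password" are the keys the RDS secret type stores.
    private JSONObject fetchSecret() {
        String json = client.getSecretValue(new GetSecretValueRequest().withSecretId(secretName))
                            .getSecretString();
        return new JSONObject(json);
    }

    @Bean
    public HikariDataSource dataSource() {
        JSONObject secret = fetchSecret();
        dataSource = new HikariDataSource();
        dataSource.setJdbcUrl(jdbcUrl);
        dataSource.setUsername(secret.getString("username"));
        dataSource.setPassword(secret.getString("password"));
        return dataSource;
    }

    // A pool built once at startup would keep the old password after rotation and fail to open
    // new connections. Re-reading the secret and updating the pool's MXBean makes Hikari use
    // the new credentials for every connection created from now on, with no restart.
    @Scheduled(fixedDelayString = "${app.db.secret-refresh-ms:300000}")   // assumed property
    public void refreshCredentials() {
        JSONObject secret = fetchSecret();
        dataSource.getHikariConfigMXBean().setUsername(secret.getString("username"));
        dataSource.getHikariConfigMXBean().setPassword(secret.getString("password"));
    }
}
```

Connections already open keep working after rotation because the database does not revoke existing sessions, so the only exposure is the window between rotation and the next refresh, during which a newly opened connection fails with an authentication error; shorten the interval or refresh on that error if that window matters.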

Conclusion: Enhancing Security and Availability with AWS Secrets Manager in Spring Boot

Integrating AWS Secrets Manager with Spring Boot ensures secure and scalable management of database credentials. Its features, such as automated rotation, encryption, and IAM integration, significantly enhance the security and availability of your application.

By adopting AWS Secrets Manager, you can focus on building robust applications while AWS handles the security intricacies.
