Spring Boot & AWS RDS Part 3- Secrets-Manager

The previous article covered using AWS RDS with Spring Boot and RDS read replicas with Spring Boot. This post continues the same topic: it shows how to retrieve the RDS credentials from AWS Secrets Manager instead of keeping them in the application configuration.

Managing application secrets such as database credentials and API keys is a critical aspect of application security. Nowadays almost all enterprise applications have strict constraints against storing any secret in plain text, and secrets also need to be rotated at regular intervals.

AWS Secrets Manager lets us manage and rotate credentials from a central place. It enables us to rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Users and applications retrieve secrets with a call to the Secrets Manager API, which eliminates the need to hard-code sensitive information in plain text. Secrets Manager has built-in integration with AWS services such as RDS, Redshift and DocumentDB.

The code for this post is available on GitHub here.

Creating Secrets for RDS Instance

On the AWS Console go to AWS Secrets Manager -> Secrets -> Store a new secret, select Credentials for Amazon RDS database, and create the secret as shown.

Retrieving secrets from secrets-manager

Now let's update our Spring Boot app to retrieve the secrets from Secrets Manager. Fortunately the Spring and AWS teams have created the aws-secretsmanager-jdbc library, which makes this very easy; the spring-cloud-aws-jdbc dependency below brings it in.

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-aws-jdbc</artifactId>
    <version>2.2.6.RELEASE</version>
</dependency>

Updating Data source configurations

Now we have to update the data source configuration in application.properties so that the application picks up the database credentials from Secrets Manager.

Configuration without Secrets Manager:

spring.datasource.url=jdbc:postgresql://<database-endpoint-url>:<port>/<database>
spring.datasource.username=admin1
spring.datasource.password=Admin123

Configuration with Secrets Manager:

spring.datasource.url=jdbc-secretsmanager:postgresql://<database-endpoint-url>:<port>/<database>
spring.datasource.username=dev/test-rds-secret-1
spring.datasource.driver-class-name=com.amazonaws.secretsmanager.sql.AWSSecretsManagerPostgreSQLDriver

Observe that the JDBC URL prefix changed from jdbc: to jdbc-secretsmanager:, that the secret name is used as the username (the password property is no longer present in the configuration), and that the driver class comes from the spring-cloud-aws-jdbc dependency.

Other driver classes:

com.amazonaws.secretsmanager.sql.AWSSecretsManagerMySQLDriver
com.amazonaws.secretsmanager.sql.AWSSecretsManagerOracleDriver
com.amazonaws.secretsmanager.sql.AWSSecretsManagerMSSQLServerDriver

Now if you run the application, it should connect to the database.

Note
To run the application locally, an AWS profile must be configured correctly and the user must have permission to read secrets from Secrets Manager.

AWS credentials file (~/.aws/credentials):

[default]
aws_access_key_id = XXXXX
aws_secret_access_key = XXXXX

How does the magic happen?

The connection to the database is handled by the JDBC driver class provided by aws-secretsmanager-jdbc. When the application requests a connection, the wrapper class AWSSecretsManagerPostgreSQLDriver makes an API call to Secrets Manager to retrieve the credentials and then opens the connection with them.

What happens when secrets are rotated?

The aws-secretsmanager-jdbc library does not call the AWS Secrets Manager API every time a connection is requested. Because calling the Secrets Manager API is expensive, the library uses a cache. The cache policy is Least Recently Used (LRU): when the cache must discard a secret, it discards the least recently used one. By default, the cache refreshes secrets every hour.

When the cache has not expired but the secret in AWS Secrets Manager has been rotated or changed, the driver uses a fallback mechanism: if the database returns an error for the wrong username/password, the driver class makes a fresh API call to AWS Secrets Manager to get the new credentials.
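The two mechanisms described above (the wrapper driver rewriting the jdbc-secretsmanager: URL and fetching the credentials, and the LRU cache with the retry-after-refresh fallback on a rotated secret) modelled in Python as an added example. This is not the aws-secretsmanager-jdbc code and not its Java API; the Secrets Manager client and the database are fakes constructed inline so the script runs offline, and the secret document layout (username and password keys), the cache size and the call counts are assumptions of the model. The one-hour default TTL and the URL prefix are taken from the text above.

```python
"""Model of a Secrets Manager JDBC wrapper driver: URL rewrite, LRU/TTL cache, fallback."""
import json
import time
from collections import OrderedDict

URL_PREFIX = "jdbc-secretsmanager:"


class FakeSecretsManager:
    """Stand-in for the Secrets Manager API (constructed); counts calls to expose caching."""

    def __init__(self, secrets):
        self.secrets = dict(secrets)  # secret name -> JSON document as a string
        self.calls = 0

    def get_secret_value(self, secret_id):
        self.calls += 1
        return json.loads(self.secrets[secret_id])

    def rotate(self, secret_id, new_password):
        doc = json.loads(self.secrets[secret_id])
        doc["password"] = new_password
        self.secrets[secret_id] = json.dumps(doc)


class AuthError(Exception):
    """The database rejected the username/password pair."""


class FakeDatabase:
    """Stand-in for RDS (constructed): accepts exactly one username/password pair."""

    def __init__(self, username, password):
        self.username, self.password = username, password

    def connect(self, url, username, password):
        if (username, password) != (self.username, self.password):
            raise AuthError("password authentication failed")
        return f"connection to {url} as {username}"


class SecretCache:
    """LRU cache with a time-to-live; the real driver refreshes every hour by default."""

    def __init__(self, client, max_size=2, ttl_seconds=3600, clock=time.monotonic):
        self.client, self.max_size, self.ttl, self.clock = client, max_size, ttl_seconds, clock
        self._entries = OrderedDict()  # secret name -> (fetched_at, document)

    def get(self, secret_id, force_refresh=False):
        entry = self._entries.get(secret_id)
        if entry is not None and not force_refresh and self.clock() - entry[0] < self.ttl:
            self._entries.move_to_end(secret_id)  # mark as most recently used
            return entry[1]
        doc = self.client.get_secret_value(secret_id)  # miss, expired or forced refresh
        self._entries[secret_id] = (self.clock(), doc)
        self._entries.move_to_end(secret_id)
        if len(self._entries) > self.max_size:
            self._entries.popitem(last=False)  # evict the least recently used secret
        return doc


class SecretsManagerDriver:
    """The wrapper driver: secret name arrives where the username normally would."""

    def __init__(self, cache, database):
        self.cache, self.db = cache, database

    def connect(self, url, secret_id):
        if not url.startswith(URL_PREFIX):
            raise ValueError("not a jdbc-secretsmanager URL")
        real_url = "jdbc:" + url[len(URL_PREFIX):]  # hand the plain JDBC URL to the real driver
        doc = self.cache.get(secret_id)
        try:
            return self.db.connect(real_url, doc["username"], doc["password"])
        except AuthError:
            # Fallback: the cached secret may be stale after rotation; refresh once and retry.
            doc = self.cache.get(secret_id, force_refresh=True)
            return self.db.connect(real_url, doc["username"], doc["password"])


def demo():
    """Two connects served by one API call, then a rotation handled by the fallback."""
    # constructed sample secret in the shape the console's RDS template stores
    secret = json.dumps({"username": "admin1", "password": "Admin123",
                         "engine": "postgres", "host": "db.example.internal", "port": 5432})
    sm = FakeSecretsManager({"dev/test-rds-secret-1": secret})
    db = FakeDatabase("admin1", "Admin123")
    driver = SecretsManagerDriver(SecretCache(sm), db)
    url = "jdbc-secretsmanager:postgresql://db.example.internal:5432/appdb"

    driver.connect(url, "dev/test-rds-secret-1")
    driver.connect(url, "dev/test-rds-secret-1")
    calls_before_rotation = sm.calls  # second connect came from the cache

    sm.rotate("dev/test-rds-secret-1", "Rotated456")  # Secrets Manager and the DB both move on
    db.password = "Rotated456"
    conn = driver.connect(url, "dev/test-rds-secret-1")  # stale cache -> AuthError -> refresh
    return calls_before_rotation, sm.calls, conn


if __name__ == "__main__":
    print(demo())
```

The retry happens only after the database has rejected the stale password, so a rotation that replaces the password in both places at once costs one failed login per cached connection attempt rather than an outage; an expired TTL refreshes without that failed attempt.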
