Managing Secrets in Spring Boot: A Guide to Secret Manager Integration

Engineering Core

ISB Vietnam's skilled software engineers deliver high-quality applications, leveraging their extensive experience in developing financial tools, business management systems, medical technology, and mobile/web platforms.

Have you ever accidentally committed an application.properties file containing a database password, API key, or other sensitive information to Git? This is one of the most common and dangerous security risks developers face.

"Hardcoding" (writing these sensitive values directly) in your code or configuration files is a bad practice. Fortunately, Spring Boot provides an excellent mechanism to integrate with Secret Manager systems, helping you store and retrieve this information securely.

What is a Secret Manager?

A Secret Manager is a specialized service (usually provided by cloud platforms) designed to store, manage, and control access to sensitive information like passwords, API keys, certificates, and other secrets used by applications. Instead of hardcoding these values in your code or configuration files, Secret Manager allows you to keep them in a secure, centralized place.

We will start with AWS Secret Manager to store the username and password for the database.

Step 1: Create a Secret on AWS

The best way to store multiple related values (like a database username and password) is to use the JSON format.

Access the AWS Management Console > Secrets Manager.
Click on "Store a new secret".
In the "Key/value pairs" section, enter your values as JSON. This is a very effective method.
Example: to store database information, you can configure it as follows:

JSON

{
"spring_datasource_username": "db_admin_user",
"spring_datasource_password": "MyS3cur3Password_From_AWS!"
}

Give the secret a name (e.g., production/database/credentials).
Tip: Use a hierarchical prefix (like production/ or my-app/) for easy management and permissions.

Click Next > Next and finally "Store".

Step 2: Configure Permissions (IAM)

Your Spring Boot application needs permission to read this secret.

On Production (EC2, ECS, EKS): You should create an IAM Role (e.g., MyWebAppRole), assign this Role to your service (e.g., assign it to the EC2 instance). Then, create a Policy to grant permissions to that Role.

JSON

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "secretsmanager:GetSecretValue",
"Resource": "arn:aws:secretsmanager:<region>:<account-id>:secret:<secret-name-prefix>*"
}
]
}

Step 3: Update pom.xml (Spring Boot 3.x)

Add the Spring Cloud AWS BOM (Bill of Materials) to <dependencyManagement>:

XML

<dependency>
<groupId>io.awspring.cloud</groupId>
<artifactId>spring-cloud-aws-starter-secrets-manager</artifactId>
</dependency>

Step 4: Configure Spring Boot to "Import" Secrets

Properties

spring.config.import=aws-secretsmanager:demo?prefix=db
spring.datasource.writer.url=jdbc:${db.engine}://${db.host}:${db.port}/${db.dbname}
spring.datasource.writer.username=${db.username}
spring.datasource.writer.password=${db.password}
spring.datasource.writer.driver-class-name=com.mysql.cj.jdbc.Driver

Conclusion

You have successfully configured your Spring Boot application to dynamically read secrets from AWS Secrets Manager. This method is not only more secure but also much more flexible. When you need to rotate a password, you just need to update the value in AWS Secrets Manager; your application will automatically pick up the new value on its next startup without needing to rebuild or redeploy the code.

Whether you need scalable software solutions, expert IT outsourcing, or a long-term development partner, ISB Vietnam is here to deliver. Let’s build something great together—reach out to us today. Or click here to explore more ISB Vietnam's case studies.

[References]

Written by

Engineering Core