Separation of configuration and code is one of the best practices that every application should incorporate to guarantee the security of secrets and credentials.
In this post, we are going to build a Spring Boot application with AWS Systems Manager Parameter Store.
· Prerequisites
· Overview
∘ What is Parameter Store?
∘ Why use AWS Parameter Store?
∘ Working with Parameter Store
· Spring Boot App Setup
∘ Application Properties
∘ IAM Permissions
· Test the application
· Conclusion
· References
Prerequisites
This is the list of all the prerequisites:
- Java 17
- Starter Boot 3.0.6
- Maven 3.6.3
- An active AWS account.
- Optionally, LocalStack to run Systems Manager (SSM) locally
Overview
What is Parameter Store?
AWS Systems Manager Parameter Store provides secure storage and management of secrets. It allows storing of data such as passwords, database strings, Amazon Elastic Compute Cloud (Amazon EC2) instance IDs and Amazon Machine Image (AMI) IDs, and license codes as parameter values. It can store values as plain text or encrypted data.
Why use AWS Parameter Store?
- Easy to use
- A secure, scalable, hosted secrets management service with no servers to manage.
- Separation of data from source code.
- It is integrated with Secrets Manager. You can retrieve Secrets Manager secrets when using other AWS services that already support references to Parameter Store parameters.
- Control and audit access at granular levels.
- It is hosted in multiple Availability Zones in an AWS Region.
Working with Parameter Store
In this story we will be using the AWS Console, you can use LocalStack as an alternative.
- Log in to the AWS Management Console and open the AWS Systems Manager.
- In AWS Systems Manager select Parameter Store
3. If some parameters have already been created, the list of these parameters will be displayed.
4. If Not, then we’ll be asked to “Create Parameter”
List of parameters created. In this story, we will add four parameters.
Note: db.password in the production environment contains a sensitive SecureString value that is encrypted using the KMS keys of the AWS current account.
Spring Boot App Setup
We will start by creating a simple Spring Boot project from start.spring.io, with the following dependencies: starter-web, Lombok, and actuator.
We use the Spring Cloud AWS Bill of Materials (BOM) by adding in the pom.xml file:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>io.awspring.cloud</groupId>
<artifactId>spring-cloud-aws-dependencies</artifactId>
<version>3.0.1</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>We’ll be using version 3.0.1 of spring-cloud-aws-dependencies. You can find all available versions on Maven Central Repository.
After that, we need to add the dependency related to the AWS Parameter Store.
<dependency>
<groupId>io.awspring.cloud</groupId>
<artifactId>spring-cloud-aws-starter-parameter-store</artifactId>
</dependency>Application Properties
The second important step is to add the AWS parameter store configuration in the properties file application.yaml:
spring:
profiles:
active: dev
application:
name: my-demo-boot
# AWS parameter store configuration
cloud:
aws:
credentials:
access-key: <your-access-key>
secret-key: <your-secret-key>
profile:
name: default
region:
static: us-east-2
config:
import:
- aws-parameterstore:/config/application_${spring.profiles.active}/
# actuator configuration
management:
endpoints:
enabled-by-default: false
web:
exposure:
include: 'health, env'
endpoint:
health:
enabled: true
show-details: always
env:
enabled: trueFirst, we added the AWS credentials that should be used to communicate with our AWS account. There are several ways to configure the DefaultCredentialsProvider.
spring.config.import property is used to fetch parameters from AWS Parameter Store and add them to Spring’s environment properties. In our case, we concatenated the import value with the active profile. Since version 3.0.0, the Spring Cloud AWS team has removed support for loading properties from Parameter Store using Spring Cloud Bootstrap.
Now let’s create an example controller that will expose our parameters from a REST API call.
record DatabaseCredential(String activeProfile, String username, String password){}
@RestController
@RequestMapping("/api")
public class ParameterStoreController {
@Value("${spring.profiles.active}")
private String activeProfile;
@Value("${db.username}")
private String username;
@Value("${db.password}")
private String password;
@GetMapping(value = "/parameters")
public ResponseEntity<DatabaseCredential> getParams() {
return ResponseEntity.ok(new DatabaseCredential(activeProfile, username, password));
}
}IAM Permissions
For access, IAM permissions can be set up. The required Spring Cloud AWS permission is: ssm:GetParameters
Sample IAM policy granting access to Parameter Store:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ssm:GetParametersByPath",
"Resource": "*"
}
]
}Test the application
Now we can run our application and test it.
- With the active Dev profile
- With the active Prod profile
Conclusion
Well done !!. In this story, We have seen how to integrate AWS Systems Manager Parameter Store with a Spring Boot application.
The complete source code is available on GitHub.
Thanks for reading!
References
- https://docs.awspring.io/spring-cloud-aws/docs/current/reference/html/index.html
- https://github.com/awspring/spring-cloud-aws/blob/42da25f66db097e6e6176c2c698aa85dec69aeec/docs/src/main/asciidoc/migration.adoc#L16
- https://github.com/awspring/spring-cloud-aws
- https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html
