Managing secrets like database credentials, API keys, and passwords securely is a critical aspect of application development. Hardcoding secrets or storing them in plaintext configuration files is risky. Fortunately, with Spring Cloud AWS and AWS Secrets Manager, you can easily and securely load secrets into your Spring Boot application.

In this post, we’ll explore how to use the spring-cloud-starter-aws-secrets-manager-config dependency to integrate AWS Secrets Manager with Spring Boot. By the end, your application will be able to automatically load secrets at startup without writing extra boilerplate code.

What Is AWS Secrets Manager?

AWS Secrets Manager is a fully managed service that helps you protect access to your applications and services by storing secrets centrally. It allows automatic rotation, access control via IAM, and audit logging with AWS CloudTrail.

What Is spring-cloud-starter-aws-secrets-manager-config?

This is a Spring Cloud starter that integrates AWS Secrets Manager with the Spring Cloud Config system. It enables you to externalize your configuration and load secrets directly into your environment using Spring’s property resolution mechanism (@Value, Environment, etc.).

1. Add Dependency

Add the following Maven dependency to your Spring Boot project:

<dependency>
  <groupId>io.awspring.cloud</groupId>
  <artifactId>spring-cloud-starter-aws-secrets-manager-config</artifactId>
  <version>3.0.1</version> <!-- Use latest -->
</dependency>

Note: Spring Cloud AWS v3+ is compatible with Spring Boot 3+ and uses aws-java-sdk-v2.

For Gradle:

implementation("io.awspring.cloud:spring-cloud-starter-aws-secrets-manager-config:3.0.1")

2. Configure AWS Credentials

You can provide AWS credentials using any of the standard supported methods:

  • Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
  • IAM Role (recommended on EC2, ECS, or Lambda)
  • ~/.aws/credentials profile
  • System properties
  • STS AssumeRole
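
Whichever method supplies the credentials, the identity behind them needs permission to read the secret and nothing more. A least-privilege IAM policy for that, as an added example that is not part of the original post: ACCOUNT_ID, SECRET_NAME and KMS_KEY_ID are placeholders, the region matches the us-east-1 used in this post, and the second statement is only needed when the secret is encrypted with a customer managed KMS key.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadApplicationSecret",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:us-east-1:ACCOUNT_ID:secret:SECRET_NAME-??????"
    },
    {
      "Sid": "DecryptViaSecretsManagerOnly",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:us-east-1:ACCOUNT_ID:key/KMS_KEY_ID",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "secretsmanager.us-east-1.amazonaws.com"
        }
      }
    }
  ]
}
```

The -?????? suffix matches the six random characters Secrets Manager appends to the secret name in its ARN, so the policy covers this one secret rather than every secret sharing the prefix.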

3. Setup application.yml

spring:
  config:
    import: aws-secretsmanager:/ # important: tells Spring to import secrets
  cloud:
    aws:
      region:
        static: us-east-1
      credentials:
        profile:
          name: default # Spring Cloud AWS 3.x key: spring.cloud.aws.credentials.profile.name

Note: The spring.config.import=aws-secretsmanager:/ line is critical — it tells Spring to import secrets from Secrets Manager as property sources.

4. Create a Secret in AWS

Go to the AWS Console → Secrets Manager → Store a new secret.

  • Choose Other type of secrets
  • Enter key-value pairs like:
{
  "spring.datasource.url": "jdbc:mysql://db.example.com:3306/mydb",
  "spring.datasource.username": "admin",
  "spring.datasource.password": "S3cureP@ss!"
}

5. Access Secrets in Code

With your secret configured, Spring will automatically bind the properties.

You can now use them like any normal property:

@Value("${spring.datasource.username}")
private String dbUser;

Or in application.yml:

datasource:
  url: ${spring.datasource.url}
  username: ${spring.datasource.username}
  password: ${spring.datasource.password}
