Modern applications rely heavily on configuration values—API keys, database credentials, JWT secrets, OAuth tokens, and more. But hardcoding these values or storing them in plain files is a serious security risk. That’s why Secure Configuration in Micronaut is a fundamental skill for developers building cloud-native or microservice-based applications.
In this post, we'll explore secure techniques to manage secrets and environment variables in Micronaut, using the package `com.kscodes.micronaut.security`. We'll cover `.env`, system environment variables, secure property sources, and secret managers like HashiCorp Vault and AWS Secrets Manager.

📦 Why Secure Configuration Matters
- Prevents credential leaks in code repositories.
- Isolates environment-specific values (dev, staging, production).
- Enables secrets rotation without code changes.
- Ensures compliance with security and auditing standards.
🔧 Default Config Hierarchy in Micronaut
Micronaut supports multiple configuration sources with the following priority:
- System Properties (`-Dproperty=value`)
- Environment Variables (`export ENV_VAR=value`)
- application.yml / application.properties
- External Config Files (`--config.location`)
- Custom PropertySource Loaders (e.g., Vault, AWS)
Micronaut will automatically merge and prioritize based on this order.
🔑 Using Environment Variables
Step 1: Define in Shell or `.env` (local dev)

```bash
export DB_PASSWORD=mysecretpassword
export JWT_SECRET=myjwtsecret
```
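Step 2: Reference in `application.yml`

```yaml
micronaut:
  security:
    token:
      jwt:
        signatures:
          secret:
            generator:
              secret: "${JWT_SECRET:default-secret}"
```

`${JWT_SECRET:default-secret}` uses the environment variable, or falls back to `default-secret` if it is unset. Keep a fallback like this for local development only: with no default, a missing `JWT_SECRET` makes startup fail instead of letting the application sign tokens with a value that is visible in the repository.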
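A startup check can ensure the fallback shown above never signs tokens in a deployed instance. This is an added example, not code from the original post; the class `JwtSecretGuard`, its deny-list (built from the sample values used on this page) and the 32-byte minimum are assumptions of this example.

```java
package com.kscodes.micronaut.security;

import io.micronaut.context.annotation.Context;
import io.micronaut.context.annotation.Property;
import jakarta.annotation.PostConstruct;

import java.nio.charset.StandardCharsets;
import java.util.Set;

/** Hypothetical guard: refuses to start with a fallback or too-short JWT secret. */
@Context // eagerly initialised, so the check runs during application startup
public class JwtSecretGuard {

    // Sample/fallback literals from this page that must never sign real tokens (assumed list).
    private static final Set<String> KNOWN_SAMPLES =
            Set.of("default-secret", "myjwtsecret", "myvaultsecret", "devjwtsecret");

    // An HS256 key should be at least 256 bits long (assumed policy for this example).
    private static final int MIN_BYTES = 32;

    private final String secret;

    public JwtSecretGuard(
            @Property(name = "micronaut.security.token.jwt.signatures.secret.generator.secret")
            String secret) {
        this.secret = secret;
    }

    @PostConstruct
    void verify() {
        String problem = check(secret);
        if (problem != null) {
            // Report only the reason, never the secret value itself.
            throw new IllegalStateException("Refusing to start: " + problem);
        }
    }

    /** Returns null when the value is acceptable, otherwise the reason for rejection. */
    static String check(String value) {
        if (value == null || value.isBlank()) return "JWT secret is empty";
        if (KNOWN_SAMPLES.contains(value)) return "JWT secret is a known sample or fallback value";
        if (value.getBytes(StandardCharsets.UTF_8).length < MIN_BYTES)
            return "JWT secret is shorter than " + MIN_BYTES + " bytes";
        return null;
    }
}
```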
📁 External Configuration with `.env` (Dev Only)
Micronaut doesn't load `.env` by default like Spring Boot, so use a plugin:
- Add the `dotenv` library (Gradle):

```groovy
implementation("io.github.cdimascio:java-dotenv:5.2.2")
```

- Load `.env` in `main()`:

```java
import io.github.cdimascio.dotenv.Dotenv;

// Read .env from the working directory and expose the value as a system property
Dotenv dotenv = Dotenv.configure().load();
System.setProperty("DB_PASSWORD", dotenv.get("DB_PASSWORD"));
```
🔒 Using HashiCorp Vault with Micronaut
Step 1: Add Vault Dependency
```groovy
implementation("io.micronaut.vault:micronaut-vault-client")
```

Step 2: Vault Configuration (`bootstrap.yml`)

```yaml
micronaut:
  application:
    name: vault-demo
  config-client:
    enabled: true
vault:
  client:
    config:
      enabled: true
    uri: http://localhost:8200
    token: my-root-token
```

The plain-HTTP URI and the root token written into the file suit a local dev-mode Vault only. Anywhere else, use an HTTPS URI and supply the token from an environment variable rather than writing it in the file.

Step 3: Store Secret in Vault

```bash
vault kv put secret/jwt-config JWT_SECRET=myvaultsecret
```
Micronaut will auto-map it using the config prefix.
☁️ Using AWS Secrets Manager (Alternative)
Step 1: Add Dependency
```groovy
implementation("io.micronaut.aws:micronaut-aws-secretsmanager")
```

Step 2: Configure AWS IAM Role or Access Keys

```yaml
aws:
  secretsmanager:
    enabled: true
```
Micronaut will fetch values based on secret name and inject into config.
👨‍💻 Example Usage in a Micronaut Class
File: com.kscodes.micronaut.security.SecureService.java
```java
package com.kscodes.micronaut.security;

import io.micronaut.context.annotation.Value;
import jakarta.inject.Singleton;

@Singleton
public class SecureService {

    // Resolved from the environment (or another property source) at injection time
    @Value("${DB_PASSWORD}")
    private String dbPassword;

    @Value("${JWT_SECRET}")
    private String jwtSecret;

    public String info() {
        return "Secrets loaded securely: DB=" + mask(dbPassword) + ", JWT=" + mask(jwtSecret);
    }

    // Replaces every character with '*'; the secret's length is still visible in the output
    private String mask(String val) {
        return "*".repeat(Math.max(0, val.length()));
    }
}
```
🛡️ Best Practices
- Never commit secrets to version control.
- Use `.gitignore` to ignore `.env` or `bootstrap.yml` in local dev.
- Rotate secrets periodically.
- Limit access to config files using file permissions.
- Use separate secrets for each environment.
🧪 Test Secure Configuration Locally
```bash
export DB_PASSWORD=devdbpass
export JWT_SECRET=devjwtsecret

./gradlew run
```
Make sure the app loads secrets via logs or endpoint inspection.
✅ Conclusion
Secure Configuration in Micronaut is a critical pillar of secure application development. Whether you’re building small services or large cloud systems, managing secrets through environment variables, Vault, or AWS Secrets Manager helps protect sensitive data and makes your application more secure and maintainable.
This post used the `com.kscodes.micronaut.security` package for clean examples that you can extend across multiple modules or environments.