In cloud-native applications, storing sensitive information such as API keys, database passwords, and access tokens in application.properties or application.yml is a security risk: the secrets end up in source control, build artifacts, and container images. To solve this, Spring Boot supports externalized configuration backed by HashiCorp Vault and AWS Secrets Manager through Spring Cloud. This tutorial walks you through setting up and integrating Vault and AWS Secrets Manager with your Spring Boot application, using com.kscodes.springboot as the base package.

Why Use Vault and AWS Secrets Manager?
Secrets managers help:
- Avoid hardcoding secrets
- Rotate credentials automatically
- Manage access control with IAM policies
- Provide centralized secret auditing
Both HashiCorp Vault and AWS Secrets Manager are industry-standard tools to store and retrieve secrets securely.
Prerequisites
- Java 17 or above
- Spring Boot 3.x
- Spring Cloud Dependencies
- AWS Account (for AWS Secrets Manager)
- Vault installed locally or accessible remotely
Step 1: Add Spring Cloud Dependencies
Update your pom.xml:

```xml
<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-dependencies</artifactId>
            <version>2023.0.0</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
        <!-- Spring Cloud AWS ships its own BOM; the 3.x line is the one that supports Spring Boot 3 -->
        <dependency>
            <groupId>io.awspring.cloud</groupId>
            <artifactId>spring-cloud-aws-dependencies</artifactId>
            <version>3.1.1</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>

<dependencies>
    <!-- Spring Cloud Vault -->
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-vault-config</artifactId>
    </dependency>
    <!-- Spring Cloud AWS Secrets Manager (3.x starter name; the older
         spring-cloud-starter-aws-secrets-manager-config artifact targets Spring Boot 2) -->
    <dependency>
        <groupId>io.awspring.cloud</groupId>
        <artifactId>spring-cloud-aws-starter-secrets-manager</artifactId>
    </dependency>
</dependencies>
```
Project Structure

```text
src/
└── main/
    ├── java/
    │   └── com.kscodes.springboot/
    │       ├── config/
    │       └── controller/
    └── resources/
        ├── bootstrap.yml
        └── application.yml
```
Step 2: Setup Spring Cloud Vault
Configuration in bootstrap.yml

```yaml
# Spring Boot 3 only processes bootstrap.yml when spring-cloud-starter-bootstrap is on the
# classpath; without it, place these properties in application.yml and add
# spring.config.import: vault:// instead.
spring:
  application:
    name: vault-demo
  cloud:
    vault:
      uri: http://localhost:8200        # plain http is fine for a local dev server only
      # Placeholder token. Inject it from the environment (token: ${VAULT_TOKEN}) or use a
      # non-token auth method such as AppRole or Kubernetes rather than committing a token.
      token: s.yourvaulttokenhere
      kv:
        enabled: true
        backend: secret
        default-context: application
        profile-separator: "-"
```

Vault Command Example

```shell
# Keys stored under secret/application become Spring properties of the same name.
# To bind them through the "db" prefix used in Step 4, store db.username / db.password instead.
vault kv put secret/application username=kscodes password=supersecret
```
Now Spring Boot will map:
- username → ${username}
- password → ${password}
Step 3: Setup AWS Secrets Manager Integration
Configuration in bootstrap.yml

```yaml
spring:
  config:
    # spring.config.import is resolved by Spring Boot's config data API, so it must be
    # visible to application.yml (or a bootstrap file when spring-cloud-starter-bootstrap is used).
    import: aws-secretsmanager:/kscodes/app/
  cloud:
    aws:
      # Placeholders for local testing only. In production omit this block entirely so the
      # default AWS credentials chain (IAM role, instance profile, IRSA) is used.
      credentials:
        access-key: YOUR_ACCESS_KEY
        secret-key: YOUR_SECRET_KEY
      region:
        static: us-east-1
```

In AWS Secrets Manager, create a secret named kscodes/app.
Example JSON secret:

```json
{
  "db.username": "aws_user",
  "db.password": "aws_pass"
}
```
Step 4: Bind Secrets to Java Class

```java
package com.kscodes.springboot.config;

import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.stereotype.Component;

/**
 * Binds the db.username and db.password properties supplied by Vault or
 * AWS Secrets Manager; the application never sees where they came from.
 */
@Component
@ConfigurationProperties(prefix = "db")
public class DbCredentials {

    private String username;
    private String password;

    // Getters and setters
    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }
}
```
Step 5: Use Injected Secrets in Controller

```java
package com.kscodes.springboot.controller;

import com.kscodes.springboot.config.DbCredentials;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class SecretController {

    private final DbCredentials dbCredentials;

    public SecretController(DbCredentials dbCredentials) {
        this.dbCredentials = dbCredentials;
    }

    // Confirms the secret was bound without echoing it back over HTTP: an endpoint
    // that returns the password in plain text would itself be a credential leak.
    @GetMapping("/secrets")
    public String getSecrets() {
        String password = dbCredentials.getPassword();
        boolean passwordLoaded = password != null && !password.isBlank();
        return "User: " + dbCredentials.getUsername() + ", Password loaded: " + passwordLoaded;
    }
}
```
Secret Rotation Support
Both Vault and AWS Secrets Manager support:
- Automatic secret rotation
- Minimal downtime secret retrieval
- Spring Cloud reloading via @RefreshScope or a POST to /actuator/refresh (requires the actuator starter with the refresh endpoint exposed)

```java
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.stereotype.Component;

// @RefreshScope re-creates the bean after a refresh so rotated values are picked up
@RefreshScope
@Component
@ConfigurationProperties(prefix = "db")
public class DbCredentials {
    ...
}
```
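A hardened variant of the DbCredentials bean from Steps 4 and 5 that also covers the rotation section above, written as an added example rather than the tutorial's own class: it aborts startup if either key failed to bind, redacts the password from toString(), and logs which keys changed (never the values) when a refresh rebinds db.* after a rotation. It assumes spring-boot-starter-validation is on the classpath; isPasswordPresent() and onRefresh() are names chosen for this example.

```java
package com.kscodes.springboot.config;

import jakarta.validation.constraints.NotBlank;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.cloud.context.environment.EnvironmentChangeEvent;
import org.springframework.context.event.EventListener;
import org.springframework.stereotype.Component;
import org.springframework.validation.annotation.Validated;

// Added example (not the tutorial's class): binds db.username / db.password as before,
// but fails fast, never prints the secret, and records when a rotation reaches the app.
@Component
@Validated
@ConfigurationProperties(prefix = "db")
public class DbCredentials {
    private static final Logger log = LoggerFactory.getLogger(DbCredentials.class);

    // @NotBlank: startup aborts with a binding error if Vault / Secrets Manager did not
    // supply the key, instead of the app silently running with a null credential.
    @NotBlank
    private String username;
    @NotBlank
    private String password;

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }

    // Diagnostic code can check that the secret is present without reading it.
    public boolean isPasswordPresent() {
        return password != null && !password.isBlank();
    }

    // Redacted so accidental logging or debug dumps of the bean never reveal the password.
    @Override
    public String toString() {
        return "DbCredentials{username='" + username + "', password=<redacted>}";
    }

    // Spring Cloud publishes EnvironmentChangeEvent after POST /actuator/refresh; log only
    // the changed property keys so a rotation leaves an audit trail rather than a leak.
    @EventListener
    public void onRefresh(EnvironmentChangeEvent event) {
        if (event.getKeys().stream().anyMatch(k -> k.startsWith("db."))) {
            log.info("db.* credentials rebound after refresh, changed keys: {}", event.getKeys());
        }
    }
}
```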
Best Practices for Externalized Configuration with Vault and AWS Secrets Manager
- Use bootstrap.yml or application-bootstrap.yml for cloud-specific setup.
- Never store credentials in application.yml.
- Enable @RefreshScope for dynamic reloads.
- Set up IAM roles instead of hardcoding AWS credentials in production.
- Limit secret access by app or profile (dev, prod, etc.)
Summary
- Vault and AWS Secrets Manager secure sensitive Spring Boot configuration.
- Spring Cloud makes integration seamless via property binding.
- You can switch providers without changing your business logic.
- Externalized configuration improves security, auditability, and maintainability.
You've now implemented externalized configuration with Vault and AWS Secrets Manager in Spring Boot using @ConfigurationProperties.