Externalized Configuration with Vault and AWS Secrets Manager in Spring Boot

In cloud-native applications, storing sensitive values such as API keys, database passwords and access tokens in application.properties or application.yml is a security risk: the file ends up in source control, build artifacts and container images. Spring Cloud Vault and Spring Cloud AWS plug HashiCorp Vault and AWS Secrets Manager into Spring Boot's externalized configuration as additional property sources, so the application reads secrets through ordinary property binding without ever packaging them.

This tutorial will walk you through setting up and integrating Vault and AWS Secrets Manager with your Spring Boot application, using com.kscodes.springboot as the base package.


Why Use Vault and AWS Secrets Manager?

Secrets managers help:

  • Avoid hardcoding secrets in source code, build artifacts and images
  • Rotate credentials automatically (or on a schedule) without a redeploy
  • Manage access control with IAM policies (AWS) or Vault policies scoped to a path
  • Provide centralized auditing of who read or changed which secret

Both HashiCorp Vault and AWS Secrets Manager are industry-standard tools to store and retrieve secrets securely.

Prerequisites

  • Java 17 or above
  • Spring Boot 3.x
  • Spring Cloud 2023.0.x (for Spring Cloud Vault) and Spring Cloud AWS 3.x (for Secrets Manager)
  • AWS Account (for AWS Secrets Manager)
  • Vault installed locally or accessible remotely

Step 1: Add Spring Cloud Dependencies

Update your pom.xml. The Spring Cloud BOM does not manage the io.awspring.cloud artifacts, so the Spring Cloud AWS BOM is imported separately. The Secrets Manager starter for Spring Boot 3 is spring-cloud-aws-starter-secrets-manager; the older spring-cloud-starter-aws-secrets-manager-config artifact belongs to Spring Cloud AWS 2.x and only works with Spring Boot 2. The BOM versions below are examples (3.1.1 is a Spring Cloud AWS 3.x release that pairs with Spring Cloud 2023.0.x); pick the releases that match your Spring Boot version.

<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-dependencies</artifactId>
      <version>2023.0.0</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
    <!-- Spring Cloud AWS ships its own BOM; it is not covered by spring-cloud-dependencies -->
    <dependency>
      <groupId>io.awspring.cloud</groupId>
      <artifactId>spring-cloud-aws-dependencies</artifactId>
      <version>3.1.1</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <!-- HashiCorp Vault -->
  <dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-vault-config</artifactId>
  </dependency>

  <!-- AWS Secrets Manager (Spring Cloud AWS 3.x starter for Spring Boot 3) -->
  <dependency>
    <groupId>io.awspring.cloud</groupId>
    <artifactId>spring-cloud-aws-starter-secrets-manager</artifactId>
  </dependency>
</dependencies>

๐Ÿ— Project Structure


src/
โ”œโ”€โ”€ main/
โ”‚   โ”œโ”€โ”€ java/
โ”‚   โ”‚   โ””โ”€โ”€ com.kscodes.springboot/
โ”‚   โ”‚       โ”œโ”€โ”€ config/
โ”‚   โ”‚       โ””โ”€โ”€ controller/
โ”‚   โ””โ”€โ”€ resources/
โ”‚       โ”œโ”€โ”€ bootstrap.yml
โ”‚       โ””โ”€โ”€ application.yml

Step 2: Setup Spring Cloud Vault

Configuration in application.yml

With Spring Boot 3 and Spring Cloud 2023.x the bootstrap context is off by default (it only exists when spring-cloud-starter-bootstrap is on the classpath), so Vault is wired in with spring.config.import in application.yml rather than in bootstrap.yml:

spring:
  application:
    name: vault-demo
  config:
    import: vault://
  cloud:
    vault:
      uri: http://localhost:8200   # dev server only; use https:// for anything beyond localhost
      # Never commit a token. Read it from the environment for local development and
      # switch to AppRole, Kubernetes or AWS IAM authentication
      # (spring.cloud.vault.authentication) in real deployments.
      token: ${VAULT_TOKEN}
      kv:
        enabled: true
        backend: secret
        default-context: application
        profile-separator: "-"

Vault Command Example

vault kv put secret/application username=kscodes password=supersecret

Now Spring Boot will map:

  • username → ${username}
  • password → ${password}

Spring Cloud Vault also reads the application-specific context (secret/vault-demo) and, with the profile-separator above and the prod profile active, secret/application-prod and secret/vault-demo-prod. When a key appears in more than one context the more specific one wins (application + profile, then application, then default context + profile, then default context). This layout lets you write one read-only Vault policy per application and profile instead of granting every service access to secret/*.

Step 3: Setup AWS Secrets Manager Integration

Configuration in application.yml

The text after the aws-secretsmanager: prefix is the secret's name (the SecretId Spring Cloud AWS asks for), so it must match the name in AWS exactly; a trailing slash would be treated as part of the name and the lookup would fail.

spring:
  config:
    import: aws-secretsmanager:kscodes/app
  cloud:
    aws:
      region:
        static: us-east-1
      # Do not put access keys here. When no spring.cloud.aws.credentials.* properties are set,
      # the AWS SDK default credential chain is used (environment variables, ~/.aws/credentials,
      # the EC2/ECS instance or task role, or IRSA on EKS), which is what you want in production.
      # spring.cloud.aws.credentials.access-key / secret-key exist for throwaway local setups only.

In AWS Secrets Manager, create a secret named:
kscodes/app

Example JSON secret:


{
  "db.username": "aws_user",
  "db.password": "aws_pass"
}

๐Ÿ”ง Step 4: Bind Secrets to Java Class


package com.kscodes.springboot.config;

import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.stereotype.Component;

@Component
@ConfigurationProperties(prefix = "db")
public class DbCredentials {

    private String username;
    private String password;

    // Getters and setters
    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }
}

Step 5: Use Injected Secrets in Controller

The endpoint only confirms that binding worked. Returning the secret itself from an HTTP handler would hand it to anyone who can reach the endpoint (and to every proxy log on the way), so the response reports the username and whether a password was bound, never the password.

package com.kscodes.springboot.controller;

import com.kscodes.springboot.config.DbCredentials;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class SecretController {

    private final DbCredentials dbCredentials;

    public SecretController(DbCredentials dbCredentials) {
        this.dbCredentials = dbCredentials;
    }

    // Demonstrates that the values were bound. Never return the secret itself
    // from an endpoint: report only the username and whether a password is present.
    @GetMapping("/secrets")
    public String getSecrets() {
        String password = dbCredentials.getPassword();
        boolean passwordLoaded = password != null && !password.isBlank();
        return "User: " + dbCredentials.getUsername() + ", password loaded: " + passwordLoaded;
    }
}

Secret Rotation Support

Rotation itself happens in the secret store. AWS Secrets Manager rotates a secret through a Lambda function attached to it; Vault rotates dynamic secrets (for example from the database secrets engine) by issuing short-lived leases, which Spring Cloud Vault renews and re-reads for you. A static KV entry like the one written above only changes when someone writes a new value. On the Spring side a refresh re-reads the external property sources:

  • POST /actuator/refresh (Spring Boot Actuator with the refresh endpoint exposed) re-resolves the property sources and publishes an EnvironmentChangeEvent listing the keys that changed
  • Spring Cloud AWS 3.x can poll on its own: spring.cloud.aws.secretsmanager.reload.strategy=refresh together with spring.cloud.aws.secretsmanager.reload.period
  • @ConfigurationProperties beans such as DbCredentials are rebound automatically on refresh; @RefreshScope is for beans that copy the values at construction time (a DataSource, an HTTP client) and therefore have to be rebuilt

Adding @RefreshScope to the binding class itself is optional, but harmless:

@RefreshScope
@Component
@ConfigurationProperties(prefix = "db")
public class DbCredentials {
  ...
}
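Rebinding DbCredentials does not help a connection pool that already copied the old password at startup. The configuration below, an added example that is not part of the original tutorial, puts the pool itself in @RefreshScope so a refresh closes the old pool and builds a new one from the rebound credentials, and logs which keys changed (never their values) as an audit trail. It assumes spring-boot-starter-jdbc (HikariCP) and a JDBC driver are on the classpath, uses the page's DbCredentials getters, and the JDBC URL is a placeholder.

```java
package com.kscodes.springboot.config;

import com.zaxxer.hikari.HikariDataSource;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.cloud.context.environment.EnvironmentChangeEvent;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.event.EventListener;

import javax.sql.DataSource;

/**
 * Wires the rebound credentials into a connection pool that is rebuilt on
 * refresh, so a rotated password actually reaches the database driver.
 */
@Configuration
public class RotatingDataSourceConfig {

    private static final Logger log = LoggerFactory.getLogger(RotatingDataSourceConfig.class);

    // Placeholder JDBC URL (assumption); the real one is ordinary, non-secret configuration.
    private static final String JDBC_URL = "jdbc:postgresql://db.internal:5432/app";

    /**
     * @RefreshScope wraps this bean in a scoped proxy. After /actuator/refresh
     * (or a Spring Cloud AWS periodic reload) the cached pool is destroyed
     * through its close() callback and the next call to the proxy builds a
     * fresh pool from the rebound DbCredentials. Without the annotation the
     * pool would keep authenticating with the pre-rotation password.
     */
    @Bean
    @RefreshScope
    public DataSource dataSource(DbCredentials credentials) {
        HikariDataSource pool = new HikariDataSource();
        pool.setJdbcUrl(JDBC_URL);
        pool.setUsername(credentials.getUsername());
        pool.setPassword(credentials.getPassword());
        pool.setMaximumPoolSize(10);
        return pool;
    }

    /**
     * Audit hook for rotation. EnvironmentChangeEvent carries the names of the
     * properties whose values differ after a refresh; only the names are
     * logged, so the log never contains the secret.
     */
    @EventListener
    public void onEnvironmentChange(EnvironmentChangeEvent event) {
        boolean credentialsChanged = event.getKeys().stream().anyMatch(key -> key.startsWith("db."));
        if (credentialsChanged) {
            log.info("Database credentials rotated; changed keys: {}", event.getKeys());
        }
    }
}
```

Two caveats apply in practice: queries in flight on the old pool may fail when it is closed, so trigger the refresh during a quiet window or accept a retry; and the database must still accept the previous password until the refresh has happened, which is why AWS's alternating-users rotation strategy keeps two database users and swaps between them.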

Best Practices for Externalized Configuration with Vault and AWS Secrets Manager

  1. Wire secret stores in with spring.config.import in application.yml; bootstrap.yml is only read when spring-cloud-starter-bootstrap is on the classpath.
  2. Never store credentials in application.yml or any other file that ships in the artifact; keep only the store's location and non-secret settings there.
  3. Rely on @ConfigurationProperties rebinding on refresh, and put @RefreshScope on the beans that capture the values at construction time.
  4. Set up IAM roles instead of hardcoding AWS credentials in production; the same applies to Vault tokens, which should come from AppRole, Kubernetes or IAM authentication rather than a config file.
  5. Limit secret access by app or profile (dev, prod, etc.) with a Vault policy or IAM resource policy scoped to that path, so a compromised dev service cannot read prod secrets.
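Practice 2 is easy to violate by accident: a leftover db.password in a profile-specific YAML silently shadows or duplicates the value from the store, and nothing in the tutorial flow would notice. The runner below, an added example that is not part of the original tutorial, finds the highest-precedence property source that supplies each secret key and refuses to start if that source is a packaged application*.yml/properties file. It logs only property and source names, never values. The list of keys and the file-name pattern are assumptions for this tutorial's layout; Spring Boot names file-backed sources after the resource they were loaded from, which is what the pattern matches on.

```java
package com.kscodes.springboot.config;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.ApplicationArguments;
import org.springframework.boot.ApplicationRunner;
import org.springframework.core.env.ConfigurableEnvironment;
import org.springframework.core.env.PropertySource;
import org.springframework.stereotype.Component;

import java.util.List;
import java.util.regex.Pattern;

/**
 * Fails startup if a secret resolves from a packaged config file instead of
 * Vault or AWS Secrets Manager. Only property names and source names are logged.
 */
@Component
public class SecretSourceGuard implements ApplicationRunner {

    private static final Logger log = LoggerFactory.getLogger(SecretSourceGuard.class);

    // Keys that must come from an external secret store (assumption: the keys used in this tutorial).
    private static final List<String> SECRET_KEYS = List.of("db.username", "db.password");

    // Matches application.yml, application-prod.yaml, application.properties and similar
    // resource names; deliberately does not match "vault:secret/application".
    private static final Pattern PACKAGED_CONFIG =
            Pattern.compile("application(-[A-Za-z0-9_]+)?\\.(yml|yaml|properties)");

    private final ConfigurableEnvironment environment;

    public SecretSourceGuard(ConfigurableEnvironment environment) {
        this.environment = environment;
    }

    @Override
    public void run(ApplicationArguments args) {
        for (String key : SECRET_KEYS) {
            String sourceName = findSourceName(key);
            if (sourceName == null) {
                throw new IllegalStateException("Required secret '" + key + "' is not set in any property source");
            }
            if (isPackagedConfig(sourceName)) {
                throw new IllegalStateException("Secret '" + key + "' is defined in packaged configuration ("
                        + sourceName + "); move it to Vault or AWS Secrets Manager");
            }
            log.info("Secret '{}' is supplied by property source '{}'", key, sourceName);
        }
    }

    /**
     * Property sources iterate from highest to lowest precedence, so the first
     * one that contains the key is the one Spring actually resolves it from.
     */
    String findSourceName(String key) {
        for (PropertySource<?> source : environment.getPropertySources()) {
            if (source.containsProperty(key)) {
                return source.getName();
            }
        }
        return null;
    }

    static boolean isPackagedConfig(String sourceName) {
        return PACKAGED_CONFIG.matcher(sourceName).find();
    }
}
```

Because imported sources (vault://, aws-secretsmanager:) take precedence over the application.yml that imports them, a correctly wired application passes this check even if a stale value is still sitting in a lower-precedence file; extend the guard to walk every source containing the key if you also want to flag that leftover.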

Summary

  • Vault and AWS Secrets Manager secure sensitive Spring Boot configuration.
  • Spring Cloud makes integration seamless via property binding.
  • You can switch providers without changing your business logic.
  • Externalized configuration improves security, auditability, and maintainability.

You've now implemented externalized configuration with Vault and AWS Secrets Manager in Spring Boot using @ConfigurationProperties.