Using secrets from Param Store
In this guide, we will learn how to use secrets from AWS KMS in a Spring Boot application.
setup your build.gradle.kt with parameter-store lib
or kms-lib
Setup springboot bootstrap.yml
Into the bootstrap file, setup the kms config:
spring:
application:
name: ms-your-application-name
aws:
kms:
region: eu-west-1
enabled: true
Create several properties files enable the kms in the application-dev.yml, application-pre.yml, and application-pro.yml files.
application-dev.yml
aws:
kms:
enabled: false
application-pre.yml
aws:
kms:
enabled: true
application-pro.yml
aws:
kms:
enabled: true
AWS Console Parameter Store
Go to the AWS Console and KMS to create a new master key for encrypting and decrypting:
Encrypt the secret value
Use the KMS command
to encrypt the value you want to use as password or secret in your application.
For instance, the database password, the API key, or any other secret you want to use in your application.
You can use a random key generator online service to generate the value.
Apply the command to encrypt the value:
aws kms encrypt \
--key-id <ARN_of_my_KMS_master_key> \
--plaintext "my-secret-token-before-encrypt" \
--output text \
--query CiphertextBlob
Decrypt the secret value on springboot
It occurs automatically when you use the value in your application.yml file in boostrapping time.
In your application.yml, use the {cipher} token to mark the secret to decrypt the value automatically when springboot starts up. The decrypt value is used in the application in runtime as password to connect to the database for instance.
password: "{cipher}AQIC..."
Decrypt the secret value on local
aws kms decrypt \
--ciphertext-blob 'AQICAHjmSj9FB9J0...' \
--key-id alias/my-kms-key \
--output text \
--query Plaintext | base64 -d