In modern cloud-native applications, managing secrets such as API keys, database credentials, and configuration properties securely is critical. Hardcoding secrets or storing them in plain text config files is risky and violates best practices for security and compliance.
This post explores how to securely manage secrets in Spring Boot applications using HashiCorp Vault and AWS Secrets Manager, two of the most popular secret management solutions in the industry. You’ll learn how to integrate these tools with Spring Boot, automate secret access, and follow industry best practices.
Why External Secret Management?
Storing secrets outside of your application codebase provides several benefits:
- Centralized and secure management
- Rotation of credentials without redeployment
- Fine-grained access control
- Audit logging and compliance
- Avoidance of accidental leaks via version control
Option 1: Integrating HashiCorp Vault with Spring Boot
HashiCorp Vault is an open-source tool for securely accessing secrets using a unified API and dynamic access control.
Step 1: Add Maven Dependencies
```xml
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-vault-config</artifactId>
</dependency>
```
Also, configure the correct Spring Cloud version compatible with your Spring Boot version.
Step 2: Vault Configuration
```yaml
spring:
  cloud:
    vault:
      uri: http://localhost:8200
      authentication: token
      token: <your-vault-token>
      kv:
        enabled: true
        backend: secret
        default-context: application
```
The token is itself a secret: inject it through an environment variable (for example `SPRING_CLOUD_VAULT_TOKEN`) rather than committing it, and outside local development prefer a workload-identity authentication method such as AppRole, Kubernetes, or AWS IAM so no long-lived token is shipped with the application.
Step 3: Store and Access Secrets
In Vault:
```shell
vault kv put secret/application db.username=admin db.password=secret123
```
In your Spring Boot app:
```yaml
spring:
  datasource:
    username: ${db.username}
    password: ${db.password}
```
Vault provides advanced features such as dynamic secrets, TTL (time-to-live), and leasing.
📚 Learn more: HashiCorp Vault Documentation
Option 2: Using AWS Secrets Manager
AWS Secrets Manager is a cloud-native service that helps you manage and retrieve secrets programmatically and securely.
Step 1: Add Dependencies
```xml
<dependency>
    <groupId>software.amazon.awssdk</groupId>
    <artifactId>secretsmanager</artifactId>
</dependency>
```
Optionally, you can use Spring Cloud AWS for more abstraction:
```xml
<dependency>
    <groupId>io.awspring.cloud</groupId>
    <artifactId>spring-cloud-starter-aws-secrets-manager-config</artifactId>
</dependency>
```
Step 2: Store Secrets in AWS Secrets Manager
Create a new secret in the AWS Console, stored as a JSON key/value document:
```json
{
  "db.username": "admin",
  "db.password": "secret123"
}
```
Name: spring-boot-secrets
Step 3: Spring Boot Configuration
```yaml
spring:
  config:
    import: aws-secretsmanager:/spring-boot-secrets
```
Step 4: Access Secrets
```yaml
spring:
  datasource:
    username: ${db.username}
    password: ${db.password}
```
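The `spring.config.import` wiring above comes from Spring Cloud AWS; the plain `software.amazon.awssdk:secretsmanager` dependency from Step 1 does not resolve `${db.username}` placeholders by itself. The following is an added example (not code from the post) showing how to get the same effect with the raw SDK by loading the `spring-boot-secrets` JSON into the Spring Environment before any bean is created; the class name, package, and the `aws.secret-name` override property are assumptions.

```java
package com.example.secrets; // hypothetical package, not from the post

import java.io.IOException;
import java.util.Map;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.env.EnvironmentPostProcessor;
import org.springframework.core.env.ConfigurableEnvironment;
import org.springframework.core.env.MapPropertySource;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;

/**
 * Fetches the JSON secret "spring-boot-secrets" from AWS Secrets Manager and
 * registers its keys (db.username, db.password) as a property source, so the
 * ${db.username} placeholders in application.yml resolve at startup.
 * Register this class in META-INF/spring.factories under the key
 * org.springframework.boot.env.EnvironmentPostProcessor.
 */
public class SecretsManagerEnvironmentPostProcessor implements EnvironmentPostProcessor {

    // Secret name from the post; "aws.secret-name" is an assumed override property.
    private static final String DEFAULT_SECRET_ID = "spring-boot-secrets";

    @Override
    public void postProcessEnvironment(ConfigurableEnvironment env, SpringApplication app) {
        String secretId = env.getProperty("aws.secret-name", DEFAULT_SECRET_ID);
        // Credentials and region come from the default provider chain (instance or
        // task role, environment variables, profile), so no AWS keys live in app config.
        try (SecretsManagerClient client = SecretsManagerClient.create()) {
            String json = client.getSecretValue(
                    GetSecretValueRequest.builder().secretId(secretId).build()).secretString();
            Map<String, Object> values = new ObjectMapper()
                    .readValue(json, new TypeReference<Map<String, Object>>() {});
            // addFirst so the fetched values win over any plain-text fallback in application.yml.
            // The values are never logged; only the property names are visible to operators.
            env.getPropertySources().addFirst(new MapPropertySource("aws-secrets-manager", values));
        } catch (IOException e) {
            // Fail fast: starting with unresolved credentials is worse than not starting.
            throw new IllegalStateException("Secret " + secretId + " is not valid JSON", e);
        }
    }
}
```

A missing secret or denied IAM permission surfaces as an SDK `SecretsManagerException` from `getSecretValue`, which also aborts startup, so an IAM policy granting only `secretsmanager:GetSecretValue` on this one secret ARN is enough for the application role.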
📚 Learn more: AWS Secrets Manager Documentation
Comparison: Vault vs AWS Secrets Manager
| Feature | Vault | AWS Secrets Manager |
|---|---|---|
| Deployment | Self-hosted / managed (HCP) | Fully managed by AWS |
| Dynamic Secrets | Yes (PostgreSQL, MySQL, etc.) | Limited (RDS only) |
| Cloud-Native Integration | Generic | Deep AWS integration |
| Access Control | Policy-based | IAM-based |
| Rotation Support | Advanced | Built-in with Lambda support |
| Cost | Free/self-hosted | Pay-per-use |
Best Practices
- Never hardcode secrets in source code
- Use different secrets per environment
- Enable automatic rotation and TTL
- Grant least privilege access using IAM or Vault policies
- Audit access logs for security and compliance
- Use placeholders and environment-aware secret context paths
Conclusion
Managing secrets securely is a foundational aspect of building safe and reliable Spring Boot applications. Whether you choose HashiCorp Vault for its open-source flexibility and dynamic secret capabilities or AWS Secrets Manager for deep cloud integration, both provide robust solutions for externalizing configuration and securing sensitive information.
Integrating secret management early in your architecture ensures your applications remain secure, compliant, and scalable as they evolve.