In modern cloud-native applications, managing secrets such as API keys, database credentials, and configuration properties securely is critical. Hardcoding secrets or storing them in plain text config files is risky and violates best practices for security and compliance.

This post explores how to securely manage secrets in Spring Boot applications using HashiCorp Vault and AWS Secrets Manager, two of the most popular secret management solutions in the industry. You’ll learn how to integrate these tools with Spring Boot, automate secret access, and follow industry best practices.


Why External Secret Management?

Storing secrets outside of your application codebase provides several benefits:

  • Centralized and secure management
  • Rotation of credentials without redeployment
  • Fine-grained access control
  • Audit logging and compliance
  • Avoidance of accidental leaks via version control

Option 1: Integrating HashiCorp Vault with Spring Boot

HashiCorp Vault is an open-source tool for securely accessing secrets using a unified API and dynamic access control.

Step 1: Add Maven Dependencies

<dependency>
  <groupId>org.springframework.cloud</groupId>
  <artifactId>spring-cloud-starter-vault-config</artifactId>
</dependency>

Also make sure the Spring Cloud release you import is one that is compatible with your Spring Boot version.

Step 2: Vault Configuration

spring:
  cloud:
    vault:
      uri: http://localhost:8200
      authentication: token
      token: <your-vault-token>
      kv:
        enabled: true
        backend: secret
        default-context: application

Step 3: Store and Access Secrets

In Vault:

vault kv put secret/application db.username=admin db.password=secret123

In your Spring Boot app:

spring:
  datasource:
    username: ${db.username}
    password: ${db.password}

Vault provides advanced features such as dynamic secrets, TTL (time-to-live), and leasing.

📚 Learn more: HashiCorp Vault Documentation


Option 2: Using AWS Secrets Manager

AWS Secrets Manager is a cloud-native service that helps you manage and retrieve secrets programmatically and securely.

Step 1: Add Dependencies

<dependency>
  <groupId>software.amazon.awssdk</groupId>
  <artifactId>secretsmanager</artifactId>
</dependency>

Optionally, you can use Spring Cloud AWS for more abstraction:

<dependency>
  <groupId>io.awspring.cloud</groupId>
  <artifactId>spring-cloud-starter-aws-secrets-manager-config</artifactId>
</dependency>

Step 2: Store Secrets in AWS Secrets Manager

Create a new secret in the AWS Console, storing its value as a JSON document:

{
  "db.username": "admin",
  "db.password": "secret123"
}

Name: spring-boot-secrets

Step 3: Spring Boot Configuration

spring:
  config:
    import: aws-secretsmanager:/spring-boot-secrets

Step 4: Access Secrets

spring:
  datasource:
    username: ${db.username}
    password: ${db.password}
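Step 1 lists the plain AWS SDK v2 dependency, but the steps above only use the Spring Cloud AWS config import. As an added example (not code from the original post), the class below fetches the spring-boot-secrets JSON created in Step 2 with the SDK client directly and parses it into a typed holder whose toString() redacts the password. It assumes Jackson is on the classpath (it ships with the Spring Boot starters), that region and AWS credentials come from the SDK default provider chain, and the class and record names are my own.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
import software.amazon.awssdk.services.secretsmanager.model.ResourceNotFoundException;
import java.io.IOException;

public final class DbCredentialsLoader {

    // Typed holder for the two keys stored in Step 2; toString() is overridden so an
    // accidental log statement never prints the password.
    public record Credentials(String username, String password) {
        @Override public String toString() {
            return "Credentials[username=" + username + ", password=<redacted>]";
        }
    }

    // Parses the Step 2 JSON ({"db.username": ..., "db.password": ...}). A missing
    // key fails fast instead of silently becoming an empty string.
    static Credentials parse(String secretJson) throws IOException {
        JsonNode root = new ObjectMapper().readTree(secretJson);
        JsonNode user = root.path("db.username"), pass = root.path("db.password");
        if (user.isMissingNode() || pass.isMissingNode()) {
            throw new IllegalStateException("secret JSON lacks db.username/db.password");
        }
        return new Credentials(user.asText(), pass.asText());
    }

    // Fetches the secret by name. Region and AWS credentials come from the SDK default
    // provider chain (env vars, profile, or the instance/task IAM role); the caller's
    // IAM principal only needs secretsmanager:GetSecretValue on this secret's ARN.
    public static Credentials load(String secretId) {
        try (SecretsManagerClient client = SecretsManagerClient.create()) {
            GetSecretValueRequest req = GetSecretValueRequest.builder().secretId(secretId).build();
            return parse(client.getSecretValue(req).secretString());
        } catch (ResourceNotFoundException e) {
            throw new IllegalStateException("secret not found: " + secretId, e);
        } catch (IOException e) {
            throw new IllegalStateException("secret " + secretId + " is not valid JSON", e);
        }
    }
}
```

Call DbCredentialsLoader.load("spring-boot-secrets") from a @Bean method and build the DataSource from the returned record rather than logging it; the record is a convenient place to keep the value out of toString()-based log output.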

📚 Learn more: AWS Secrets Manager Documentation


Comparison: Vault vs AWS Secrets Manager

| Feature | Vault | AWS Secrets Manager |
|---|---|---|
| Deployment | Self-hosted / managed (HCP) | Fully managed by AWS |
| Dynamic Secrets | Yes (PostgreSQL, MySQL, etc.) | Limited (RDS only) |
| Cloud-Native Integration | Generic | Deep AWS integration |
| Access Control | Policy-based | IAM-based |
| Rotation Support | Advanced | Built-in with Lambda support |
| Cost | Free/self-hosted | Pay-per-use |

Best Practices

  1. Never hardcode secrets in source code
  2. Use different secrets per environment
  3. Enable automatic rotation and TTL
  4. Grant least privilege access using IAM or Vault policies
  5. Audit access logs for security and compliance
  6. Use placeholders and environment-aware secret context paths

Conclusion

Managing secrets securely is a foundational aspect of building safe and reliable Spring Boot applications. Whether you choose HashiCorp Vault for its open-source flexibility and dynamic secret capabilities or AWS Secrets Manager for deep cloud integration, both provide robust solutions for externalizing configuration and securing sensitive information.

Integrating secret management early in your architecture ensures your applications remain secure, compliant, and scalable as they evolve.


<> “Happy developing, one line at a time!” </>
