I am working on getting a Spring Boot microservice working in AWS using ECS. We want the service to retrieve the database username and password values from Secrets Manager or Parameter Store. We are using all AWS services (CodeCommit, CodeBuild, CodeDeploy, etc.).

What is the best way to read these values from Parameter Store and get them into the application.properties of our microservice?

I have tried following this guide on retrieving secrets. I am able to read the secrets but only as System Properties and I cannot determine how to get them into the application.properties file.

Here is the taskdef.json:

{
    "executionRoleArn": "arn:aws:iam::ACCOUNT_ID:role/profile-service",
    "containerDefinitions": [
        {
            "name": "profile-service",
            "image": "<IMAGE1_NAME>",
            "essential": true,
            "environment": [ 
                { 
                    "name": "SPRING_PROFILES_ACTIVE", 
                    "value": "dev" 
                }
            ], 
            "portMappings": [
                {
                    "protocol": "tcp",
                    "containerPort": 8080
                }
            ],
            "secrets": [
                {
                    "valueFrom": "arn:aws:secretsmanager:us-east-1:ACCOUNT_ID:secret:PROJECT/dev/rds-Y3B26E",
                    "name": "rdsmasterusername"
                }
            ],
   ....
}

Here is the main file of Spring I was using to test. It correctly prints the secrets; I am just not sure of the best way to get these into properties.

public static void main(String[] args) {
    String test1 = System.getenv("rdsmasterusername");
    System.out.println(test1);     // Correctly prints the RDS username

    SpringApplication.run(Startup.class, args);
}

Note: Currently, when I am retrieving the secret, it is giving me some sort of object that has both the username and password. I am not sure how to parse between those in Java.

Thank you for any help!

Lucas A
  • You shouldn't be getting JSON back if `/dev/rds-Y3B26E` is a String property. If it is a string, you should be able to just do `${rdsmasterusername}` in the application.properties file. – Mark B Oct 10 '19 at 23:29

1 Answer

The last statement isn't clear. Does rdsmasterusername contain both the username and password, or just the username? I'll guess that it contains both the username and password in a JSON string - based on your last note.

If you want to not deal with parsing the JSON string or creating new environment variables which would be inherited later, you could store the username and password in two different secrets, inject them in your taskdef file and then set them in your application.properties files as described in https://stackoverflow.com/a/35535138.

RobS
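Added example, not part of either post above: if the secret stays a single JSON string, a Spring Boot `EnvironmentPostProcessor` can split it into properties before the context starts, without printing the values. The package and class names, the property names `rds.username` / `rds.password`, and the JSON keys `username` and `password` are assumptions; only the variable name `rdsmasterusername` comes from the taskdef in the question.

```java
package com.example.profile; // hypothetical package name

import java.util.HashMap;
import java.util.Map;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.env.EnvironmentPostProcessor;
import org.springframework.core.env.ConfigurableEnvironment;
import org.springframework.core.env.MapPropertySource;

// Register in src/main/resources/META-INF/spring.factories:
// org.springframework.boot.env.EnvironmentPostProcessor=com.example.profile.RdsSecretPostProcessor
public class RdsSecretPostProcessor implements EnvironmentPostProcessor {

    private static final String SECRET_ENV = "rdsmasterusername"; // "name" in the taskdef secrets entry

    @Override
    public void postProcessEnvironment(ConfigurableEnvironment env, SpringApplication app) {
        String raw = System.getenv(SECRET_ENV);
        if (raw == null || raw.trim().isEmpty()) {
            return; // not injected (e.g. local run): leave other property sources untouched
        }
        Map<String, Object> props = new HashMap<>();
        try {
            JsonNode secret = new ObjectMapper().readTree(raw);
            // Assumed key names inside the secret's JSON value.
            props.put("rds.username", required(secret, "username"));
            props.put("rds.password", required(secret, "password"));
        } catch (Exception e) {
            // Cause is deliberately not chained or logged: parser messages may include the secret text.
            throw new IllegalStateException("Secret in " + SECRET_ENV + " is not the expected JSON");
        }
        // Placeholders are resolved lazily, so these are visible to application.properties.
        env.getPropertySources().addFirst(new MapPropertySource("rdsSecret", props));
    }

    private static String required(JsonNode secret, String key) {
        JsonNode value = secret.get(key);
        if (value == null || !value.isTextual()) {
            throw new IllegalArgumentException("missing key " + key);
        }
        return value.asText();
    }
}
```

With this registered, `application.properties` can reference the values as `spring.datasource.username=${rds.username}` and `spring.datasource.password=${rds.password}`.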