For the latest stable version, please use Spring Cloud Config 4.2.0! |
AWS Secrets Manager
When using AWS Secrets Manager as a backend, you can share configuration with all applications by placing configuration in /application/
or by placing it in the default
profile for the application.
For example, if you add secrets with the following keys, all application using the config server will have the properties shared.foo
and shared.bar
available to them:
secret name = /secret/application-default/
secret value =
{
shared.foo: foo,
shared.bar: bar
}
or
secret name = /secret/application/
secret value =
{
shared.foo: foo,
shared.bar: bar
}
Labelled Versions
AWS Secrets Manager repository allows to keep labelled versions of the configuration environments the same way Git backend does.
The repository implementation maps the {label}
parameter of the HTTP resource to AWS Secrets Manager secret’s staging label. To create a labelled secret, create a secret or update its content and define a staging label for it (sometimes it’s called version stage in the AWS documentation). For example:
$ aws secretsmanager create-secret \
--name /secret/test/ \
--secret-string '{"version":"1"}'
{
"ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:/secret/test/-a1b2c3",
"Name": "/secret/test/",
"VersionId": "cd291674-de2f-41de-8f3b-37dbf4880d69"
}
$ aws secretsmanager update-secret-version-stage \
--secret-id /secret/test/ \
--version-stage 1.0.0 \
--move-to-version-id cd291674-de2f-41de-8f3b-37dbf4880d69
{
"ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:/secret/test/-a1b2c3",
"Name": "/secret/test/",
}
Use spring.cloud.config.server.aws-secretsmanager.default-label
property to set the default label. If the property is not defined, the backend uses AWSCURRENT as a staging label.
spring:
profiles:
active: aws-secretsmanager
cloud:
config:
server:
aws-secretsmanager:
region: us-east-1
default-label: 1.0.0
Note that if the default label is not set and a request does not define a label, the repository will use secrets as if labelled version support is disabled. Also, the default label will be used only if the labelled support is enabled. Otherwise, defining this property is pointless.
Note that if the staging label contains a slash (/
), then the label in the HTTP URL should instead be specified with the special string ({special-string})
(to avoid ambiguity with other URL paths) the same way Git backend’s section describes it.
Use spring.cloud.config.server.aws-secretsmanager.ignore-label
property to ignore the {label}
parameter of the HTTP resource as well as spring.cloud.config.server.aws-secretsmanager.default-label
property. The repository will use secrets as if labelled version support is disabled.
spring:
profiles:
active: aws-secretsmanager
cloud:
config:
server:
aws-secretsmanager:
region: us-east-1
ignore-label: true