AWS Secrets Manager

When using AWS Secrets Manager as a backend, you can share configuration with all applications by placing configuration in /application/ or by placing it in the default profile for the application. For example, if you add secrets with the following keys, all application using the config server will have the properties shared.foo and shared.bar available to them:

secret name = /secret/application-default/
secret value =
{
 shared.foo: foo,
 shared.bar: bar
}

or

secret name = /secret/application/
secret value =
{
 shared.foo: foo,
 shared.bar: bar
}

Labelled Versions

AWS Secrets Manager repository allows to keep labelled versions of the configuration environments the same way Git backend does.

The repository implementation maps the {label} parameter of the HTTP resource to AWS Secrets Manager secret’s staging label. To create a labelled secret, create a secret or update its content and define a staging label for it (sometimes it’s called version stage in the AWS documentation). For example:

$ aws secretsmanager create-secret \
      --name /secret/test/ \
      --secret-string '{"version":"1"}'
{
    "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:/secret/test/-a1b2c3",
    "Name": "/secret/test/",
    "VersionId": "cd291674-de2f-41de-8f3b-37dbf4880d69"
}

$ aws secretsmanager update-secret-version-stage \
      --secret-id /secret/test/ \
      --version-stage 1.0.0 \
      --move-to-version-id cd291674-de2f-41de-8f3b-37dbf4880d69

{
    "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:/secret/test/-a1b2c3",
    "Name": "/secret/test/",
}

Use spring.cloud.config.server.aws-secretsmanager.default-label property to set the default label. If the property is not defined, the backend uses AWSCURRENT as a staging label.

spring:
  profiles:
    active: aws-secretsmanager
  cloud:
    config:
      server:
        aws-secretsmanager:
          region: us-east-1
          default-label: 1.0.0

Note that if the default label is not set and a request does not define a label, the repository will use secrets as if labelled version support is disabled. Also, the default label will be used only if the labelled support is enabled. Otherwise, defining this property is pointless.

Note that if the staging label contains a slash (/), then the label in the HTTP URL should instead be specified with the special string ({special-string}) (to avoid ambiguity with other URL paths) the same way Git backend’s section describes it.

Use spring.cloud.config.server.aws-secretsmanager.ignore-label property to ignore the {label} parameter of the HTTP resource as well as spring.cloud.config.server.aws-secretsmanager.default-label property. The repository will use secrets as if labelled version support is disabled.

spring:
  profiles:
    active: aws-secretsmanager
  cloud:
    config:
      server:
        aws-secretsmanager:
          region: us-east-1
          ignore-label: true