Connecting to AWS RDS from java without exposing password

Question

I was successfully able to connect to RDS like any other database connection. I use spring jpa data ( repository ) to do CRUD operation on postgres db. currently I provide the db url and the credential in the properties file

spring:
  datasource:
    url: jdbc:postgresql://<rds-endpoint>:5432/<dbschema>
    username: <dbuser>
    password: <dbpassword>

However this is not an option while connecting to production or preproduction. what is the best practise here. Does AWS provide any inbuild mechanism to read these details from an endpoint like in the case of accessing S3 ?

My intention is not expose the password.

Answer 1

Several options are available to you:

1. Use the recently announced IAM access to Postgres RDS
2. Use Systems Manager Parameter Store to store the password
3. Use Secrets Manager to store the password and automatically rotate credentials

For 2 and 3, look up the password on application start in Spring using a PropertyPlaceholderConfiguration and the AWSSimpleSystemsManagement client (GetParameter request). SystemsManager can proxy requests to SecretsManager to keep a single interface in your code to access parameters.

IAM credentials is more secure in that:

1. If using EC2 instance profiles, access to the database uses short lived temporary credentials.
2. If not on EC2 you can generate short lived authentication tokens.
3. The password is not stored in your configuration.
4. If you have a separate database team they can manage access independent of the application user.
5. Removing access can be done via IAM