Search code examples
amazon-web-servicesspring-bootspring-cloudspring-cloud-configaws-secrets-manager

spring boot + load secret manager secrets from different AWS account

I'm developing a new Spring Boot application that will interact with an AWS-Postgres database. The serverless DB is hosted in a different AWS account and its secrets are stored in Secretmanager.

How can I effectively fetch the DB credentials from a cross-account secret manager?

In a POC, I did this by constructing a secret manager client using STSAssumeRoleSessionCredentials like this

AWSSecretsManager awsSecretsManager = AWSSecretsManagerClientBuilder.standard()
                .withCredentials(credentialsProvider). // AssumeRole ( cross account session token)
                .withRegion("us-west-2")
                .build();

I executed the following steps to solve the use-case but I don't think it is a clean solution.

  1. Fetched credentials
  2. Populate env variables using the above db credentials
  3. Let spring-boot/jpa to setup db connection

I think it could be solved using the spring-cloud-starter-aws-secrets-manager-config but didn't find any example/reference on how to configure it so that it can fetch credentials from SecretManager that is in a different AWS account.

How might the above work, or any better solutions available?

Solution

  • You are right, it can be further simplified on code side.

    Let's say accountA has secrets and accountB is your app account. Current implementation does the following:

    • A client is created inside the accountB using accountA credentials (AssumeRole is followed and is a best practice)
    • Secrets are fetched and then used.

    What could be done:

    • Use resource based policy in accountA that let's the IAM User and/or IAM Role in accountB have access to the secrets placed in accountA.
    • Update the KMS key policy in accountA for the key that is used to encrypt/decrypt secrets. Let the same IAM User and/or Role have access to that KMS key. So that they can use it.
    • Update the IAM Policy for the IAM User and/or Role in accountB, explicitly allowing it to use the secrets and KMS keys of accountA.

    Now, you are able to access the secrets using the same IAM User/Role that is used for the app and theoretically spring-cloud-starter-aws-secrets-manager-config should fetch the secrets from accountA as well (I have not tested it for myself).

    The least benefit you will get is not creating assumedRole client for different account. More details on AWS Blog