Hi
I just recently discovered the AppConfig feature of AWS, and it looks super cool and very useful.
Our company sticks with Java and Spring Boot, so what I noticed is that there is already an ongoing integration with the awspring.io library:
Ticket: https://github.com/awspring/spring-cloud-aws/issues/465
Branch: https://github.com/awspring/spring-cloud-aws/tree/appconfig
However, I have some security concerns and would love to ask for a new feature that integrates Secrets Manager or Parameter Store with AppConfig, so we could reference secret config parameters from Secrets Manager or SSM.
Here is what I mean, by way of a config example.
This is an example of how it works now:
spring:
  config:
    activate:
      on-profile: aws-qa-env
  r2dbc:
    username: "<your_user>"
    password: "<your_pass>"
    schema-name: "<schema_name>"
    url: r2dbc:mysql://<host>:<port>/${spring.r2dbc.schema-name}
This means that secrets must be specified in the config.
However, I'm asking to extend the AppConfig functionality to allow references to Secrets Manager or SSM, like this:
spring:
  config:
    activate:
      on-profile: aws-qa-env
  r2dbc:
    username: @{SSM:/my/path/to/db/username}
    password: @{SSM:/my/path/to/db/pass}
    schema-name: "<schema_name>"
    url: r2dbc:mysql://@{SSM:/my/path/to/db/host}:@{SSM:/my/path/to/db/port}/${spring.r2dbc.schema-name}
If AppConfig allowed references to Secrets Manager, it would make it possible to implement automated secrets rotation and keep secrets separate from the general config.
The reference placeholder I used in the example, @{SSM:}, could be anything the AWS dev team thinks is a good fit; I just used it as an example.
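As an added illustration of what the requested feature would have to do (this is example code written for this page, not code from the post, from AWS, or from the awspring project), the resolver below walks a parsed AppConfig document, replaces every @{SSM:...} reference with the value fetched from a lookup, and leaves Spring's own ${...} placeholders alone so the framework can still expand them. The @{SM:...} prefix for Secrets Manager, the in-memory FAKE_STORE, the aws_lookup mapping onto boto3's get_parameter/get_secret_value calls, and the sample values are all assumptions made for the example. Two behaviours matter from a security standpoint: an unresolved reference fails hard instead of silently becoming a literal string, and resolved secret values are never printed.

```python
import re
from typing import Any, Callable, Dict, Optional, Tuple

# Reference syntax proposed in the post: @{SSM:/path/to/param}.
# The "SM:" prefix for Secrets Manager is an assumption added for this example.
REF_PATTERN = re.compile(r"@\{(SSM|SM):([^}]+)\}")

# A lookup takes (source, name) and returns the secret value, or None if absent.
Lookup = Callable[[str, str], Optional[str]]


class UnresolvedReferenceError(KeyError):
    """Raised when a reference points at a parameter or secret that does not exist."""


def resolve_value(value: Any, lookup: Lookup) -> Any:
    """Replace every @{SSM:...} / @{SM:...} reference inside a scalar string.

    Spring's own ${...} placeholders are left untouched. Non-string values
    (ints, booleans, None) are returned unchanged.
    """
    if not isinstance(value, str):
        return value

    def substitute(match) -> str:
        source, name = match.group(1), match.group(2).strip()
        secret = lookup(source, name)
        if secret is None:
            # Fail closed: a typo in a reference must not become a literal credential.
            raise UnresolvedReferenceError(f"{source}:{name}")
        return secret

    return REF_PATTERN.sub(substitute, value)


def resolve_config(node: Any, lookup: Lookup) -> Any:
    """Walk a nested dict/list (as produced by a YAML parser) and resolve all references.

    Returns a new structure; the input document is not modified.
    """
    if isinstance(node, dict):
        return {key: resolve_config(child, lookup) for key, child in node.items()}
    if isinstance(node, list):
        return [resolve_config(child, lookup) for child in node]
    return resolve_value(node, lookup)


def aws_lookup(source: str, name: str) -> Optional[str]:
    """Lookup backed by the real AWS APIs (needs boto3 and credentials; not exercised here).

    Assumed mapping: SSM -> Parameter Store (decrypting SecureString values),
    SM -> Secrets Manager SecretString.
    """
    import boto3  # imported lazily so the rest of the example runs offline
    from botocore.exceptions import ClientError

    try:
        if source == "SSM":
            resp = boto3.client("ssm").get_parameter(Name=name, WithDecryption=True)
            return resp["Parameter"]["Value"]
        resp = boto3.client("secretsmanager").get_secret_value(SecretId=name)
        return resp.get("SecretString")
    except ClientError:
        return None


# Constructed in-memory store standing in for Parameter Store during the example.
FAKE_STORE: Dict[Tuple[str, str], str] = {
    ("SSM", "/my/path/to/db/username"): "qa_user",
    ("SSM", "/my/path/to/db/pass"): "s3cr3t-from-ssm",
    ("SSM", "/my/path/to/db/host"): "db.qa.internal",
    ("SSM", "/my/path/to/db/port"): "3306",
}


def fake_lookup(source: str, name: str) -> Optional[str]:
    """Offline lookup over the constructed store."""
    return FAKE_STORE.get((source, name))


# The post's proposed AppConfig document, as it looks after YAML parsing (constructed).
SAMPLE_CONFIG = {
    "spring": {
        "config": {"activate": {"on-profile": "aws-qa-env"}},
        "r2dbc": {
            "username": "@{SSM:/my/path/to/db/username}",
            "password": "@{SSM:/my/path/to/db/pass}",
            "schema-name": "mydb",
            "url": "r2dbc:mysql://@{SSM:/my/path/to/db/host}:@{SSM:/my/path/to/db/port}/${spring.r2dbc.schema-name}",
        },
    }
}


if __name__ == "__main__":
    resolved = resolve_config(SAMPLE_CONFIG, fake_lookup)
    # Only non-secret fields are printed; the resolved password must never reach logs.
    print("profile:", resolved["spring"]["config"]["activate"]["on-profile"])
    print("url:", resolved["spring"]["r2dbc"]["url"])
```

In a real Spring Boot integration this logic would run before property binding (for example from an EnvironmentPostProcessor), so that the application only ever sees the resolved values and the AppConfig document itself stays free of credentials; swapping fake_lookup for aws_lookup is the only change needed to talk to the live services.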