I'm developing a new Spring Boot application that will interact with an AWS Postgres database. The serverless DB is hosted in a different AWS account and its secrets are stored in Secrets Manager.
How can I effectively fetch the DB credentials from a cross-account Secrets Manager?
In a POC, I did this by constructing a Secrets Manager client using STSAssumeRoleSessionCredentials, like this:
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.services.secretsmanager.AWSSecretsManager;
import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;

// credentialsProvider is an STSAssumeRoleSessionCredentialsProvider for the role in the other account
AWSSecretsManager awsSecretsManager = AWSSecretsManagerClientBuilder.standard()
        .withCredentials(credentialsProvider) // AssumeRole (cross-account session token)
        .withRegion("us-west-2")
        .build();
I executed the following steps to solve the use case, but I don't think it is a clean solution:
- Fetch the credentials
- Populate environment variables using the above DB credentials
- Let Spring Boot/JPA set up the DB connection
I think it could be solved using spring-cloud-starter-aws-secrets-manager-config, but I didn't find any example/reference on how to configure it so that it can fetch credentials from a Secrets Manager that is in a different AWS account.
How might the above work, or are there any better solutions available?
You are right, it can be further simplified on the code side.
Let's say accountA has secrets and accountB is your app account. Current implementation does the following:
What could be done:
Now you are able to access the secrets using the same IAM user/role that is used for the app, and theoretically spring-cloud-starter-aws-secrets-manager-config should fetch the secrets from accountA as well (I have not tested it myself). The least benefit you will get is not creating an assumed-role client for a different account. More details on the AWS Blog.
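The following is an added example (not code from the question or the answer) that turns the two approaches discussed above into a single Spring `DataSource` bean, so the fetched credentials never pass through environment variables. It covers both the question's POC (assume a role in accountA via `STSAssumeRoleSessionCredentialsProvider`) and the answer's simplified setup (read the secret with the app's own role in accountB, once accountA's secret trusts that role). Which path is used depends on whether the hypothetical `app.db.assume-role-arn` property is set; the property names `app.db.secret-arn` and `app.db.secret-region`, the package name, and the assumption that the secret is an RDS-style JSON document with `username`, `password`, `host`, `port` and `dbname` keys are all assumptions of this example, not something the page states. A cross-account secret must be addressed by its full ARN rather than its short name, which is why the example takes an ARN.

```java
package com.example.config; // hypothetical package name

import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.services.secretsmanager.AWSSecretsManager;
import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;
import com.amazonaws.services.secretsmanager.model.GetSecretValueRequest;
import com.amazonaws.services.secretsmanager.model.GetSecretValueResult;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.jdbc.DataSourceBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import javax.sql.DataSource;
import java.io.IOException;

@Configuration
public class CrossAccountDataSourceConfig {

    // Full ARN of the secret living in accountA (assumed property name).
    // Cross-account secrets must be referenced by ARN, not by short name.
    @Value("${app.db.secret-arn}")
    private String secretArn;

    // Region in which the secret is stored (assumed property name).
    @Value("${app.db.secret-region:us-west-2}")
    private String region;

    // Optional role in accountA to assume (assumed property name).
    // Leave empty for the simplified setup where accountA's secret
    // resource policy already trusts the app's own role in accountB.
    @Value("${app.db.assume-role-arn:}")
    private String assumeRoleArn;

    @Bean
    public DataSource dataSource() throws IOException {
        AWSSecretsManager client = AWSSecretsManagerClientBuilder.standard()
                .withCredentials(credentialsProvider())
                .withRegion(region)
                .build();

        // Fetch the secret once at startup; the value stays in this method's
        // scope instead of being exported to the process environment.
        GetSecretValueResult result = client.getSecretValue(
                new GetSecretValueRequest().withSecretId(secretArn));

        // Assumed secret layout: RDS-style JSON document.
        JsonNode secret = new ObjectMapper().readTree(result.getSecretString());
        String url = String.format("jdbc:postgresql://%s:%d/%s",
                secret.get("host").asText(),
                secret.get("port").asInt(),
                secret.get("dbname").asText());

        return DataSourceBuilder.create()
                .url(url)
                .username(secret.get("username").asText())
                .password(secret.get("password").asText())
                .driverClassName("org.postgresql.Driver")
                .build();
    }

    // Question's POC: assume a role in accountA.
    // Answer's simplification: no role ARN configured, so the default chain
    // (the app's own instance/task role in accountB) is used directly.
    private AWSCredentialsProvider credentialsProvider() {
        if (assumeRoleArn == null || assumeRoleArn.isEmpty()) {
            return DefaultAWSCredentialsProviderChain.getInstance();
        }
        return new STSAssumeRoleSessionCredentialsProvider.Builder(assumeRoleArn, "db-secret-fetch")
                .build();
    }
}
```

Because the bean reads the secret inside `dataSource()`, the credentials are scoped to that method and to the connection pool, and nothing is written to environment variables where other processes or crash dumps could pick it up. To switch from the assume-role path to the simplified path, drop the `app.db.assume-role-arn` property; the code is unchanged.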