Database password rotation with AWS Secrets Manager and Spring Boot
- Published: 5 Aug 2024
- Depending on how serious you are about security you may want to consider setting up password rotation for databases. If you're on AWS - they've got you covered! AWS Secrets Manager comes with support for automatic password rotation for RDS (and other database services).
In this video I am showing how to set up an RDS instance, how to set up password rotation for it using AWS Secrets Manager, and how to connect a Spring Boot application using a very handy library - AWS Secrets Manager JDBC: github.com/aws/aws-secretsman...
On my channel I discuss things I believe are relevant to either Java & Spring beginners, or advanced developers who want to stay up to date. Feedback is very much welcome!
and shhhh follow me on twitter / maciejwalkowiak 😎
--
Music:
raspberry soda by till / tillbeats
Music provided by Free Music for Vlogs
The real question is: why did you stop making these videos? The last one on the channel (the current one) is 9 months old. The material is really good and to the point and really useful for learning about Spring and AWS. I especially liked the one about LocalStack and Testcontainers.
In case you can point to all the documentation from which you have made this, it will help. This effort too was quite helpful. Thank you for posting.
This was what I was looking for... really helped me... great explanation... Subscribed!
Awesome! Thanks for the feedback, I'm very happy to have you here 🙂
Really great tutorial. Thank you for showing the alternative (aws-secretsmanager-jdbc library) to that Java code snippet.
Thank you so much for this awesome video.
Thanks for the excellent video.
A really good one. Thanks
As usual great content.
Thank you!
Really like your video format!
I have to add that it's not that AWS maintains 2 passwords at once so that you can connect. What really happened is that the connection was already open when the password changed, therefore it continued to work. Until the program restarted, of course.
Nice video...
golden tutorial
Thank you!
Welcome back
Thanks! If it pays my bills I could do it full time ;)
well explained
Thank you!
Nice video, I was struggling to write the lambda. But now I came to know the lambda is automatically written.
Is something similar available for Ruby to connect to Postgres? So that the password can be pulled dynamically and secret rotation is also taken care of.
Do you have any solution to adjust DB properties instantly without a server reboot?
Maaaaaaan, you must come back! Why are you taking such a big break between your videos???
I thought I had finally found awesome content about Spring Boot.
We need you. Please come back :)
Or if you have some paid courses, give us a link.
Thank you! From mid February if all goes well I'll have dedicated time for Spring Academy so stay tuned 🙂
After rotating the secret in Secrets Manager, do we not need to update the new password in RDS?
Great explanation Maciej. One thing I would like to know: using the aws-secretsmanager-jdbc library, if the application is using the old password and now secrets rotation happens, how does the application work without restarting it? I mean, how does the application establish the connection with the new password without restarting?
I followed the instructions but I don't know why my DB's password is not encrypted and it still shows the plain text. For example, your password is mysecret and after creating the key, it still shows mysecret. Can you give me some advice?
Do you need the client id and the client secret as environment variables in order for this to work?
When you run it on EC2 once you get IAM policies right it will work. On local you should ideally have AWS SDK configured.
Any idea how to handle this same scenario in Node.js?
I am using Aurora PostgreSQL and it's not working. Does the URL change when I switch to the Secrets Manager driver (not the prefix, I mean the host part or port part)? Also, my DB is in a private subnet. I don't have to change any roles, policies, security groups, right? Thanks.
I haven't tried it with Aurora but I believe it should work
Guys, I am trying to integrate Secrets Manager on an on-premise web server... We have JBoss EAP which is connecting to a cloud database, and now I want to mask the id and password using Secrets Manager on the on-prem server... I have tried multiple methods online but nothing seems to work... Does anyone have a document for this? It will be much help.
How does it work with Amazon DocumentDB?
Is there a way using this dependency to make the data source url dynamic, including the port number?
I am also looking at how we can read the host and port from the same Secrets Manager secret instead of hardcoding them.
Sir,
Please suggest me subjects to become a full stack Java developer and the best data structures course.
Thanks in advance.
This approach works fine for a Spring data source using JdbcTemplate but is not working with Spring Boot JPA applications. Any idea??
Error:
ERROR o.s.boot.SpringApplication.reportFailure - Application run failed
org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'entityManagerFactory' defined in class path resource [org/springframework/boot/autoconfigure/orm/jpa/HibernateJpaConfiguration.class]: Unsatisfied dependency expressed through method 'entityManagerFactory' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'entityManagerFactoryBuilder' defined in class path resource [org/springframework/boot/autoconfigure/orm/jpa/HibernateJpaConfiguration.class]: Unsatisfied dependency expressed through method 'entityManagerFactoryBuilder' parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'jpaVendorAdapter' defined in class path resource [org/springframework/boot/autoconfigure/orm/jpa/HibernateJpaConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.orm.jpa.JpaVendorAdapter]: Factory method 'jpaVendorAdapter' threw exception; nested exception is java.lang.RuntimeException: Driver com.mysql.cj.jdbc.Driver claims to not accept jdbcUrl, jdbc-secretsmanager:mysql://hostname:3306/dbname
If you are using AWS Academy, you need to update the credentials located in ~/.aws/credentials to the latest ones.
Failed to initialize pool: Invalid name. Must be a valid name containing alphanumeric characters, or any of the following: -/_+=.@! ...
Any idea how I can fix this?
Thanks for the video. One question: do we have any way to hide the real URL of the database, like the username and password? Anyway, thank you for your video, it gave me an idea for this situation.
And use instance or cluster Id instead of passing URL? This is likely doable but not trivial
I might have missed something, but why did your local application have permission to access Secrets Manager? Kind of looks like everyone could get your passwords from Secrets Manager.
I have the AWS CLI set up on my localhost, so you would need to have an access key and secret set up to access Secrets Manager. Anyway, this is not the setup you should have for a real world application - it's a shortcut I took, similar to having public access to the database, to focus in this video on the things that matter the most.
Reason: Unable to find a region via the region provider chain. Must provide an explicit region in the builder or setup environment to supply a region.
Getting this error. Please advise.
I guess it happens when you run on localhost? Make sure to configure the AWS CLI.
Hello, can you please share your example repo (spring-boot-secrets-manager-jdbc-demo) with us? Thank you for the great session.
Anyone help me: instead of Spring Boot I need to use Node.js, any idea about this?
Thanks :)
With Node.js you can always use just the AWS SDK for JavaScript.
What about DocumentDB?
Hi, one more time. How can we rotate a DB password using AWS SM, but for our local DB - not one from the RDS list? For example, I would go back to Redis. We have Redis (there is no Redis engine in AWS RDS), and we need to change its password every month (it would be nice if you made some tutorials on how we can change this value programmatically). This is my PoC, but I really want to know how to provide the secret to a DB which isn't among the RDS options (or is, but we don't want to use RDS). (Maybe we need a specific configuration?)
And thanks for your great work. Your channel is really helpful. Better on RUclips.
I haven't worked with password rotation in Redis. I think this may be useful for you: aws.amazon.com/about-aws/whats-new/2019/10/amazon-elasticache-announces-support-for-modifying-redis-authentication-tokens/
@SpringAcademy Thanks for your fast response. There is no info about Redis password rotation on the net and that is so sad, because very often we need to secure data storage in production using password rotation. And while RDS engines have a simple API, we can't say the same about NoSQL APIs.
Can you please provide me this application code for testing? Please share a GitHub link for the same code.
Anyone know how to do it in Python using FastAPI?
Hi, thanks for a wonderful tutorial. I am getting an error on spring.datasource.driver-class-name=com.amazonaws.secretsmanager.sql.AWSSecretsManagerPostgreSQLDriver
Error is:
Failed to bind properties under '' to com.zaxxer.hikari.HikariDataSource:
Property: driver-class-name
Value: com.amazonaws.secretsmanager.sql.AWSSecretsManagerPostgreSQLDriver
Origin: "driverClassName" from property source "source"
Reason: Unable to find a region via the region provider chain. Must provide an explicit region in the builder or setup environment to supply a region.
Current property file entries are:
spring.datasource.url=jdbc-secretsmanager:postgresql://database-2.cvsjlkvjytkt.us-east-2.rds.amazonaws.com/postgres
spring.datasource.driver-class-name=com.amazonaws.secretsmanager.sql.AWSSecretsManagerPostgreSQLDriver
spring.datasource.username=/secrets/my-app/db
Can you please help with this issue?
Hey Arun! Are you getting this when running locally or in an AWS environment? If locally, you need to have the AWS CLI set up, meaning ~/.aws/credentials has properties for the secret key, access key and region.
Hi @SpringAcademy, I was trying to run locally. Thanks for the valuable information.
@Spring Academy - if I want to run it on a local system, can you suggest a way to set up the region explicitly, if possible, to fix this problem?
Great, give an application FULL grants over RDS... Bad idea.