What?
Pull some configuration for a spring boot app out of AWS' EC2 parameter store. The config is a database password encrypted using KMS.
Background
AWS blog describes the Parameter Store component of the Systems Manager:
you can also use it as a generic secret management store
Another post describes populating the secrets (or other config) from a build pipeline.
Approach
Use PropertySourceLocator from spring-cloud-commons. Approach copied from spring-cloud-vault's VaultBootstrapConfiguration.
Instructions
You will need:
- An AWS account with your credentials sitting in ~/.aws/credentials. Or anywhere else the java-aws-sdk can find them.
- docker or just plain old mysql running on port 3306
Start a transient mysql instance:
docker run --rm -it -p 3306:3306 -e MYSQL_ROOT_PASSWORD=insecure mysql
docker exec mysql mysql -uroot -pinsecure --execute 'create database demo_db;'
Store an encrypted password in EC2 parameter store:
aws ssm put-parameter --name "db.password" --type "SecureString" --value "insecure"
You should be able to run the app (AwsSsmDemoApplication) Break it by changing the password:
aws ssm put-parameter --name "db.password" --type "SecureString" --value "letmein" --overwrite