Created
June 17, 2025 09:48
Integrating AWS Secrets Manager for Secure Secrets Management in Quarkus application.properties
| package de.sk; | |
| import io.quarkus.runtime.annotations.StaticInitSafe; | |
| import org.eclipse.microprofile.config.spi.ConfigSource; | |
| import org.slf4j.Logger; | |
| import org.slf4j.LoggerFactory; | |
| import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider; | |
| import software.amazon.awssdk.regions.Region; | |
| import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient; | |
| import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest; | |
| import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueResponse; | |
| import java.util.*; | |
| /* | |
| https://quarkus.io/guides/config-extending-support | |
| */ | |
| //@StaticInitSafe ?? | |
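/**
 * MicroProfile {@link ConfigSource} that resolves property names starting with {@link #PREFIX}
 * by reading the secret of that name from AWS Secrets Manager.
 *
 * <p>Operational notes for anyone deploying this:
 * <ul>
 *   <li>Every lookup of a prefixed property is a network call; nothing is cached here.</li>
 *   <li>Any prefixed name that reaches {@link #getValue(String)} is fetched with the process's
 *       AWS credentials, so the IAM policy attached to those credentials should allow
 *       {@code secretsmanager:GetSecretValue} only on the secrets the application needs.</li>
 *   <li>The region is fixed to {@code eu-central-1}.</li>
 *   <li>Only the secret <em>name</em> is logged, never its value.</li>
 * </ul>
 */
public class AwsSecretsManagerConfigSource implements ConfigSource {

    /** Marker that identifies a property name as an AWS Secrets Manager reference. */
    public static final String PREFIX = "aws-secretsmanager//";

    private static final Logger log = LoggerFactory.getLogger(AwsSecretsManagerConfigSource.class);

    /**
     * Reads the string value of one secret from AWS Secrets Manager.
     *
     * <p>The value is returned exactly as stored; a secret saved as a JSON key/value object comes
     * back as the raw JSON text, it is not parsed. Exceptions raised by the AWS SDK (unknown
     * secret, access denied, no credentials, ...) are not caught and propagate to the caller.
     *
     * @param secretName name or ARN of the secret; {@code null} yields {@code null}
     * @return the secret string, or {@code null} when {@code secretName} is {@code null}
     *     (presumably also {@code null} for binary-only secrets, which carry no string value)
     */
    public String getSecretFromSecretManager(String secretName) {
        // Check the argument first so no client is built for a lookup that cannot happen.
        if (secretName == null) {
            return null;
        }

        GetSecretValueRequest request = GetSecretValueRequest.builder()
                .secretId(secretName)
                .build();

        // The client owns HTTP resources; close it once the single request is done instead of
        // leaking one client per lookup.
        try (SecretsManagerClient client = SecretsManagerClient.builder()
                .region(Region.EU_CENTRAL_1)
                .credentialsProvider(DefaultCredentialsProvider.create())
                .build()) {
            GetSecretValueResponse response = client.getSecretValue(request);
            return response.secretString();
        }
    }

    /*not needed?? https://github.com/quarkiverse/quarkus-google-cloud-services/blob/main/secret-manager/runtime/src/main/java/io/quarkiverse/googlecloudservices/secretmanager/runtime/config/SecretManagerConfigSource.java */

    /**
     * Returns no names: secrets are resolved only by direct lookup and are never enumerated,
     * so they do not show up when the configuration is listed.
     */
    @Override
    public Set<String> getPropertyNames() {
        return Collections.emptySet();
    }

    /** Returns an empty map for the same reason as {@link #getPropertyNames()}. */
    @Override
    public Map<String, String> getProperties() {
        return Collections.emptyMap();
    }

    /**
     * Priority of this source; sources with a higher ordinal win.
     * NOTE(review): 275 presumably places it above application.properties and below
     * environment variables - confirm against the Quarkus defaults in use.
     */
    @Override
    public int getOrdinal() {
        return 275;
    }

    /**
     * Resolves a property of the form {@code aws-secretsmanager//<secret-name>}.
     *
     * @param propertyName the property being looked up
     * @return the secret string for prefixed names; {@code null} for every other name, for
     *     {@code null}, and for a prefix with no secret name after it
     */
    @Override
    public String getValue(String propertyName) {
        if (propertyName == null || !propertyName.startsWith(PREFIX)) {
            return null;
        }

        // Strip only the leading prefix; String.replace would also remove later occurrences
        // inside the secret name and silently fetch a different secret.
        String secretName = propertyName.substring(PREFIX.length());
        if (secretName.isEmpty()) {
            return null;
        }

        log.info("Fetch aws-secret for: {}", secretName);
        return getSecretFromSecretManager(secretName);
    }

    /** Returns the simple class name as the name of this config source. */
    @Override
    public String getName() {
        return AwsSecretsManagerConfigSource.class.getSimpleName();
    }
}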
| Additionally, create the file src/main/resources/META-INF/services/org.eclipse.microprofile.config.spi.ConfigSource | |
| containing the line de.sk.AwsSecretsManagerConfigSource | |
| Now you can use the following in the Quarkus application.properties: | |
| quarkus.oidc.credentials.secret=${aws-secretsmanager//quarkus-flow-app-auth0-secret} | |
| where quarkus-flow-app-auth0-secret is your secret name. The value is the secret's raw string, so a secret stored as a JSON key/value object is returned as JSON text. |