When reading properties from multiple sources (like Git and Secrets Manager) one might send the following request to Spring Cloud Config Server

GET /foo/test/foo-1.0.0 HTTP/1.1

where

foo - application name
test - profile
foo-1.0.0 - version/label

I would like to have option to tag Git repository as foo-1.0.0 to fetch versioned properties from Git repository but at the same time to fetch the most recent versions of secrets from the AWS Secrets Manager. The AwsSecretsManagerEnvironmentRepository is giving me only 2 options at the moment.

  1. Read version off the request (provided as findOne(String application, String profileList, String label) label parameter).
  2. Use the default one, that is environmentProperties.getDefaultLabel(), but only if label parameter is empty.

Would it be possible to overwrite/disable label by configuring the environmentProperties properties? Eventually turning

GetSecretValueRequest.builder()
                .secretId(path)
                .versionStage(label)
                .build()

into

GetSecretValueRequest.builder()
                .secretId(path)
                .build()

Having the option to extend the AwsSecretsManagerEnvironmentRepository class and overwrite its functionality might work as well.

Comment From: ryanjbaxter

So you are basically asking if no label is provided in the request and no default label is set via a property you don't want to supply a version in GetSecretValueRequest? What happens if label is null?

Comment From: ojecborec

What I'm asking for is when label is provided as part of request such as

GET /foo/test/foo-1.0.0 HTTP/1.1

do not forward that label to AWS Secrets Manager

~~.versionStage(label)~~

Whether it is going to be configurable or by extending the repository class.

Comment From: ryanjbaxter

I am not sure why you would supply a label and not want to use it...

But you should be able to provide and use your own AwsSecretsManagerEnvironmentRepository https://github.com/spring-cloud/spring-cloud-config/blob/22159980ca1dd30563d13a0fde8c0e9d23e11f0b/spring-cloud-config-server/src/main/java/org/springframework/cloud/config/server/config/EnvironmentRepositoryConfiguration.java#L444

Comment From: ojecborec

The way AwsSecretsManagerEnvironmentRepository is created at the moment is by calling AwsSecretsManagerEnvironmentRepositoryFactory.build() method which has hardcoded

return new AwsSecretsManagerEnvironmentRepository(...)

This method depends on AwsClientBuilderConfigurer.configureClientBuilder(...) static method as well which is not visible outside of org.springframework.cloud.config.server.environment package.

So in order to do what you're suggesting (if I want to leverage existing process) I need to

  1. Make a copy of AwsClientBuilderConfigurer.
  2. Make a copy of AwsSecretsManagerEnvironmentRepositoryFactory. Use copy of AwsClientBuilderConfigurer. Change new AwsSecretsManagerEnvironmentRepository to new FooAwsSecretsManagerEnvironmentRepository.
  3. Make a copy of AwsSecretsManagerEnvironmentRepository and delete .versionStage(label).

This is not ideal and I'm looking for better option.

The reason why I supply label is that I want to use it when reading properties from Git repository but want to ignore it when reading secrets from Secrets Manager as

  1. I'm only interested in valid / up-to-date secrets such as database passwords etc. When rolling back my application from version 2.0 to previous version 1.0 it makes no sense to use password labeled as 1.0 which is not valid anymore (because it has changed since then due to rotation etc).
  2. Limitation of AWS Secrets Manager. Having 100 applications each one deployed with a different version I'm able to create as many Git tags as required. However when labeling global secrets such as /secret/application/ I'm limited to 20 labels.

Comment From: ryanjbaxter

AwsSecretsManagerEnvironmentRepositoryFactory should only be used if there isn't already a bean of type AwsSecretsManagerEnvironmentRepository https://github.com/spring-cloud/spring-cloud-config/blob/4.0.x/spring-cloud-config-server/src/main/java/org/springframework/cloud/config/server/config/EnvironmentRepositoryConfiguration.java#L444

If you create your own bean of type AwsSecretsManagerEnvironmentRepository you should be able to customize it how you please.

If you want to make things easier, any PRs would be welcome to enhance the code.
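As an added illustration of the approach suggested in the comment above (this is example code, not part of the issue or of spring-cloud-config), the following configuration registers a custom bean of type AwsSecretsManagerEnvironmentRepository that drops the request label before delegating to the stock implementation. It relies on the two behaviours described in the issue: a label passed to findOne(application, profileList, label) is forwarded as versionStage, and an empty label falls back to environmentProperties.getDefaultLabel(). With no default label configured, versionStage stays unset and Secrets Manager returns the current version of the secret, which is what the rollback scenario in the thread needs (a build labelled 1.0 must never pick up a rotated-away password). The three-argument constructor, the region and the package name are assumptions, not confirmed by the thread.

```java
// Added example, not project code. Assumed: AwsSecretsManagerEnvironmentRepository exposes a
// (SecretsManagerClient, ConfigServerProperties, AwsSecretsManagerEnvironmentProperties)
// constructor and a non-final findOne(...) that can be overridden.
package com.example.configserver;

import org.springframework.cloud.config.environment.Environment;
import org.springframework.cloud.config.server.config.ConfigServerProperties;
import org.springframework.cloud.config.server.environment.AwsSecretsManagerEnvironmentProperties;
import org.springframework.cloud.config.server.environment.AwsSecretsManagerEnvironmentRepository;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;

@Configuration
public class CurrentSecretsConfig {

    /**
     * Reads secrets at their current version regardless of the label in the request.
     * The label (for example "foo-1.0.0") still reaches the Git repository untouched,
     * because only this bean discards it.
     */
    static class CurrentVersionSecretsRepository extends AwsSecretsManagerEnvironmentRepository {

        CurrentVersionSecretsRepository(SecretsManagerClient client, ConfigServerProperties serverProps,
                AwsSecretsManagerEnvironmentProperties envProps) {
            super(client, serverProps, envProps); // constructor signature assumed
        }

        @Override
        public Environment findOne(String application, String profileList, String label) {
            // Discard the request label. With an empty label the stock repository uses
            // environmentProperties.getDefaultLabel(); leave that unset so that no
            // versionStage is sent and Secrets Manager serves the current version.
            return super.findOne(application, profileList, null);
        }
    }

    // Because a bean of this type exists, the factory's hardcoded
    // "new AwsSecretsManagerEnvironmentRepository(...)" path is not used.
    @Bean
    public AwsSecretsManagerEnvironmentRepository awsSecretsManagerEnvironmentRepository(
            ConfigServerProperties serverProps, AwsSecretsManagerEnvironmentProperties envProps) {
        // Region is a placeholder; credentials come from the default provider chain.
        SecretsManagerClient client = SecretsManagerClient.builder().region(Region.EU_WEST_1).build();
        return new CurrentVersionSecretsRepository(client, serverProps, envProps);
    }
}
```

Check the behaviour against the stock class before relying on it: if the installed version of spring-cloud-config resolves an empty label to something other than "no versionStage" (for example a non-null default), the override would silently pin secrets to that stage, so a request such as GET /foo/test/foo-1.0.0 should be verified to return the same secret value as a request with no label.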

Comment From: spring-cloud-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

Comment From: ojecborec

Sorry for not replying earlier. I'm going to work on PR. Just need more time.

Comment From: ojecborec

Let me know what you think of this idea https://github.com/spring-cloud/spring-cloud-config/pull/2357.

Comment From: ojecborec

Closing due to https://github.com/spring-cloud/spring-cloud-config/pull/2358.