How does AWS Secrets Manager notify the app about a secret update?

Time:09-06

I'm on Spring Boot and this is the scenario:

When I update (or rotate) my secrets, how does AWS Secrets Manager notify the
application that is using the secrets? I know I can fetch the secret as done here.
I know that if we use AWS's own JDBC driver, then it notifies the app, but I don't know
how it does that internally.

My goal is to find out how to get notified and make the app use the latest secrets when I'm not
using AWS's JDBC driver (that is, without using aws-secretsmanager-jdbc).

I want to use connection pooling without messing with JDBC (and c3p0), so I would just refresh the context and rebuild my MySQL JPA config object (connection object) with the latest secrets.

CodePudding user response:

At no point does Secrets Manager do anything to "notify" your app. The Amazon JDBC driver just does a few things for you:

  1. Looks up the secret password value and caches it in memory
  2. Catches an authentication exception and tries to check for a new secret in Secrets Manager when that happens

You would simply have to perform the same logic in your code if you don't want to use the AWS JDBC driver. Note that the AWS JDBC driver is just a wrapper around another JDBC driver, so the AWS JDBC driver would still be using your current JDBC driver to make the actual database connections.

CodePudding user response:

To properly support secret rotation, you should maintain two DB users with equivalent permissions:

  • When the DB client is using user A, and the secret rotates, then secret rotation should change the password for user B. The credentials for user B will be published in the secret, but the old credentials for user A will continue to work until the secret rotates again.
  • DB clients should make sure to refresh their credentials from secrets manager often enough that the ones they are using will never be invalid. They just have to be fresher than the rotation period.
  • The next time the secret rotates, the clients will all be using user B, and secret rotation will change the password for user A and publish its new credentials.
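The two mechanisms described in these answers, a periodic refresh that is faster than the rotation period plus a one-shot refresh on authentication failure, as an added example that is not part of either answer. It assumes the AWS SDK for Java v2, Jackson, HikariCP as the pool (the question mentions c3p0; Hikari is used here because it can change credentials at runtime), and the standard RDS secret layout `{"username": ..., "password": ...}`; the secret name is a placeholder.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.zaxxer.hikari.HikariDataSource;
import java.sql.Connection;
import java.sql.SQLException;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;

public class RotatingSecretDataSource {
    private final HikariDataSource pool;
    private final SecretsManagerClient sm;
    private final String secretId;              // placeholder, e.g. "prod/app/mysql"
    private final ObjectMapper mapper = new ObjectMapper();
    private String lastUser = "", lastPass = "";  // last credentials handed to the pool

    public RotatingSecretDataSource(HikariDataSource pool, SecretsManagerClient sm, String secretId) {
        this.pool = pool; this.sm = sm; this.secretId = secretId;
        refreshCredentials();
        // Poll well inside the rotation period so the cached credentials are never the stale pair
        Executors.newSingleThreadScheduledExecutor()
                 .scheduleAtFixedRate(this::refreshCredentials, 15, 15, TimeUnit.MINUTES);
    }

    /** Fetch the AWSCURRENT secret and, if it changed, apply it to the pool without a restart. */
    public synchronized void refreshCredentials() {
        String json = sm.getSecretValue(
                GetSecretValueRequest.builder().secretId(secretId).build()).secretString();
        JsonNode s;
        try { s = mapper.readTree(json); } catch (Exception e) { throw new IllegalStateException("bad secret JSON", e); }
        String user = s.get("username").asText(), pass = s.get("password").asText();
        if (user.equals(lastUser) && pass.equals(lastPass)) return;   // unchanged, nothing to do
        lastUser = user; lastPass = pass;
        pool.getHikariConfigMXBean().setUsername(user);   // new connections use the new pair
        pool.getHikariConfigMXBean().setPassword(pass);
        pool.getHikariPoolMXBean().softEvictConnections(); // retire idle/old connections gracefully
    }

    /** Borrow a connection; on an authentication failure refresh the secret once and retry. */
    public Connection getConnection() throws SQLException {
        try {
            return pool.getConnection();
        } catch (SQLException e) {
            // Hikari wraps the driver error; walk the cause chain for SQLSTATE class 28 (invalid authorization)
            boolean authFailure = false;
            for (Throwable t = e; t != null; t = t.getCause())
                if (t instanceof SQLException && String.valueOf(((SQLException) t).getSQLState()).startsWith("28"))
                    authFailure = true;
            if (!authFailure) throw e;
            refreshCredentials();
            return pool.getConnection();
        }
    }
}
```

With the two-user scheme above, the scheduled refresh is the primary path and the retry only covers the case where a client fell more than one rotation behind.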