Read most up-to-date secrets from AWS Secrets Manager about spring-cloud-config HOT 9 CLOSED

Sorry for not replying earlier. I'm going to work on PR. Just need more time.

from spring-cloud-config.

So you are basically asking if no label is provided in the request and no default label is set via a property you don't want to supply a version in GetSecretValueRequest? What happens is label is null?

from spring-cloud-config.

What I'm asking for is when label is provided as part of request such as

GET /foo/test/foo-1.0.0 HTP/1.1

do not forward that label to AWS Secrets Manager

.versionStage(label)

Whether it is going to be configurable or by extending the repository class.

from spring-cloud-config.

I am not sure why you would supply a label and not want to use it...

But you should be able to provide and use your own AwsSecretsManagerEnvironmentRepository

from spring-cloud-config.

The way AwsSecretsManagerEnvironmentRepository is created at the moment is by calling AwsSecretsManagerEnvironmentRepositoryFactory.build() method which has hardcoded

return new AwsSecretsManagerEnvironmentRepository(...)

This method depends on AwsClientBuilderConfigurer.configureClientBuilder(...) static method as well which is not visible outside of org.springframework.cloud.config.server.environment package.

So in order to do what you're suggesting (if I want to leverage existing process) I need to

1. Make a copy of AwsClientBuilderConfigurer.
2. Make a copy of AwsSecretsManagerEnvironmentRepositoryFactory. Use copy of AwsClientBuilderConfigurer. Change new AwsSecretsManagerEnvironmentRepository to new FooAwsSecretsManagerEnvironmentRepository.
3. Make a copy of AwsSecretsManagerEnvironmentRepository and delete .versionStage(label).

This is not ideal and I'm looking for better option.

The reason why I supply label is that I want to use it when reading properties from Git repository but want to ignore it when reading secrets from Secrets Manager as

1. I'm only interested in valid / up-to-date secrets such as database passwords etc. When rolling back my application from version 2.0 to previous version 1.0 it makes no sense to use password labeled as 1.0 which is not valid anymore (because it has changed since then due to rotation etc).
2. Limitation of AWS Secrets Manager. Having 100 applications each one deployed with a different version I'm able to create as many Git tags as required. However when labeling global secrets such as /secret/application/ I'm limited to 20 labels.

from spring-cloud-config.

AwsSecretsManagerEnvironmentRepositoryFactory should only be used if there isn't already a bean of type AwsSecretsManagerEnvironmentRespository
https://github.com/spring-cloud/spring-cloud-config/blob/4.0.x/spring-cloud-config-server/src/main/java/org/springframework/cloud/config/server/config/EnvironmentRepositoryConfiguration.java#L444

If you create your own bean of type AwsSecretsManagerEnvironmentRespository you should be able to customize it how you please.

If you want to make things easier, any PRs would be welcome to enhance the code.

from spring-cloud-config.

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

from spring-cloud-config.

Let me know what do you this of this idea #2357.

from spring-cloud-config.

Closing due to #2358.

from spring-cloud-config.