Secrets Manager config import not using custom AWSSecretsManager bean

[sberss]

Type: Bug

Component:

Secrets Manager

Describe the bug
Version: 2.3.1

Hi 👋,

I'm having a problem with the new style of secrets retrieval that was introduced spring-attic/spring-cloud-aws#721. This new mechanism is great as it allows us more flexibility in how we store our secrets, however I am having an issue getting it to work with our spring cloud boostrap configuration class. We have a custom definition of the AWSSecretsManager bean as we need to do some custom configuration to get to the right secretsmanager (basically just SSO + role assumption). This worked great with the old method, but I cannot get it to work with the new method.

It seems in this new mechanism the AWSSecretsManager bean is created by calling a static method that registers the bean to the bootstrap context if it is absent, however it seems to think that the bean is absent despite me having defined the bean in our bootstrap configuration.

spring-cloud-aws/spring-cloud-starter-aws-secrets-manager-config/src/main/java/io/awspring/cloud/autoconfigure/secretsmanager/AwsSecretsManagerConfigDataLocationResolver.java

Lines 128 to 132 in 94ad5ac

	protected AWSSecretsManager createAwsSecretsManagerClient(BootstrapContext context) {
	AwsSecretsManagerProperties properties = context.get(AwsSecretsManagerProperties.class);
	return AwsSecretsManagerBootstrapConfiguration.createSecretsManagerClient(properties);
	}

spring-cloud-aws/spring-cloud-starter-aws-secrets-manager-config/src/main/java/io/awspring/cloud/autoconfigure/secretsmanager/AwsSecretsManagerConfigDataLocationResolver.java

Lines 122 to 126 in 94ad5ac

	protected <T> void registerBean(ConfigDataLocationResolverContext context, Class<T> type,
	BootstrapRegistry.InstanceSupplier<T> supplier) {
	ConfigurableBootstrapContext bootstrapContext = context.getBootstrapContext();
	bootstrapContext.registerIfAbsent(type, supplier);
	}

This is not behaving as I would expect it to, however my understanding here is quite limited and I may be completely misunderstanding what this is trying to do.

Sample
Here is a really dumb example that should illustrate my issue. The credentials are hard-coded in my AWSSecretsManager bean. This will not be used as the AwsSecretsManagerConfigDataLocationResolver builds the secretsmanager client itself, and thus I get an error that no credentials have been provided.

AwsSecretsManagerBootstrapConfiguration.java:

package com.example;

import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.services.secretsmanager.AWSSecretsManager;
import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.cloud.aws.core.SpringCloudClientConfiguration;
import org.springframework.cloud.aws.secretsmanager.AwsSecretsManagerProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration()
public class AwsSecretsManagerBootstrapConfiguration {

  @Bean
  @ConditionalOnMissingBean
  AWSSecretsManager smClient(AwsSecretsManagerProperties awsSecretsManagerProperties) {

    AWSSecretsManagerClientBuilder smClientBuilder =
        AWSSecretsManagerClientBuilder.standard()
            .withClientConfiguration(SpringCloudClientConfiguration.getClientConfiguration())
            .withRegion(awsSecretsManagerProperties.getRegion());

    BasicSessionCredentials sessionCredentials =
      new BasicSessionCredentials("REDACTEDACCESSKEY", "REDACTEDSECRETKEY");

    smClientBuilder.withCredentials(new AWSStaticCredentialsProvider(sessionCredentials));

    return smClientBuilder.build();
  }
}

resources/META-INF/spring.factories:

org.springframework.cloud.bootstrap.BootstrapConfiguration=com.example.AwsSecretsManagerBootstrapConfiguration

resources/bootstrap.properties:

...
spring.config.import=aws-secretsmanager:/foo/bar;/baz/qux;

[MatejNedic]

Hey @sbe-genomics,
there is one issue with using custom bean with ConfigDataLocationResolver and that is that you will have to register bean manually. Problem is that your bean in the example is being created at ApplicationContext time, but ConfigDataLocationResolver is resolved before the ApplicationContext phase. Currently, even if you register it manually, this will not work because of #108 which will soon be resolved.

[sberss]

Thanks for the response @MatejNedic.

Potentially daft question - how would you register the bean manually at the correct phase? Would I need to override AwsSecretsManagerConfigDataLocationResolver?

[MatejNedic]

Hey @sbe-genomics ,
You would have to use BootstrapRegistry and register your bean with it.
Hope this helps.