This repository has been archived by the owner on Jan 19, 2022. It is now read-only.
Closed
Description
Secrets Manager integration is very opinionated and, based on the reported issues, I think our opinions don't match users' needs.
Spring Cloud AWS Secrets Manager configuration expects secrets to follow a naming pattern:
{prefix}/{defaultContext}
{prefix}/{defaultContext}{profile-separator}{profile-1}
{prefix}/{defaultContext}{profile-separator}{profile-2}
{prefix}/{appName}
{prefix}/{appName}{profile-separator}{profile-1}
{prefix}/{appName}{profile-separator}{profile-2}
- Following this naming pattern is not always possible as different conventions may be used in users' projects.
- It prevents users from loading secrets stored independently (think `some-api-key` secret) (Allow adding any arbitrary AWS Secrets Manager secrets #515).
- It extends application startup time as secrets for each active profile are loaded.
- Unless `fail-fast` is set to `false`, users are forced to give permissions to read all expected secrets or the application will fail to start. If `fail-fast` is set to `false`, users may not notice that critical secrets have not been loaded (aws.secretsmanager.failFast should only fail application startup if reading all secrets has failed #468).
- Even with `fail-fast` set to `true`, the application still starts without an error if a secret is not found.
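To make the naming pattern and its permission footprint concrete, here is an added example (not code from spring-cloud-aws) that expands the pattern above into the full list of secret names the integration will try to read, and derives the exact `Resource` entries a read-only IAM statement would need for them. The `prefix`, `default_context`, `profile_separator`, `app_name` and `profiles` values are constructed sample inputs, and the ARN layout (`secret:<name>-<random suffix>`) is the one AWS Secrets Manager uses for secret ARNs.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SecretsManagerConfig:
    # Constructed sample values for this example, not the library's own defaults.
    prefix: str = "/secret"
    default_context: str = "application"
    profile_separator: str = "_"
    app_name: str = "payments"
    profiles: List[str] = field(default_factory=list)


def expected_secret_names(cfg: SecretsManagerConfig) -> List[str]:
    """Expand the naming pattern from the issue, in the order it lists them:
    the default context first, then the application name, each followed by
    one entry per active profile. Every name here is one read at startup."""
    names: List[str] = []
    for context in (cfg.default_context, cfg.app_name):
        names.append(f"{cfg.prefix}/{context}")
        for profile in cfg.profiles:
            names.append(f"{cfg.prefix}/{context}{cfg.profile_separator}{profile}")
    return names


def least_privilege_resources(region: str, account_id: str, names: List[str]) -> List[str]:
    """Secrets Manager appends a random suffix to each secret's ARN, so a
    resource scoped to one secret by name ends in '-*' rather than the bare name."""
    return [f"arn:aws:secretsmanager:{region}:{account_id}:secret:{n}-*" for n in names]


def read_only_statement(region: str, account_id: str, cfg: SecretsManagerConfig) -> Dict:
    """IAM statement granting only GetSecretValue on exactly the expected names,
    instead of a wildcard over all secrets in the account."""
    return {
        "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue"],
        "Resource": least_privilege_resources(region, account_id, expected_secret_names(cfg)),
    }


if __name__ == "__main__":
    cfg = SecretsManagerConfig(profiles=["dev", "eu"])
    for name in expected_secret_names(cfg):
        print(name)
    print(read_only_statement("us-east-1", "123456789012", cfg))
```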
See other Secret Manager related issues: https://github.com/spring-cloud/spring-cloud-aws/issues?q=is%3Aopen+is%3Aissue+label%3A%22component%3A+secrets-manager%22
This issue is meant to be a place to discuss if/how we should proceed with Secrets Manager integration.