
aws.secretsmanager.failFast should only fail application startup if reading all secrets has failed

Open wiktorolko opened this issue 6 years ago • 2 comments

Enhancement

In AwsSecretsManagerPropertySourceLocator the following secrets are read:

  • /secret/service_profile
  • /secret/service
  • /secret/application_profile
  • /secret/application

If aws.secretsmanager.failFast == true (default) and the application fails to read any of the secrets from the list above, the application fails.

I believe it would make more sense to fail the application only if all reads fail. To put it in other words: if reading at least one secret succeeds, then the application continues successfully.

wiktorolko avatar May 14 '19 12:05 wiktorolko
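The semantics proposed above, written out as an added sketch that is not the project's own locator code: it builds the same candidate list (service_profile, service, application_profile, application under the /secret prefix), reads each one with the AWS SDK v1 Secrets Manager client, and only aborts when failFast is set and not a single read succeeded. The class name, the prefix value and the application name are assumptions for the example.

```java
import com.amazonaws.services.secretsmanager.AWSSecretsManager;
import com.amazonaws.services.secretsmanager.model.GetSecretValueRequest;
import com.amazonaws.services.secretsmanager.model.ResourceNotFoundException;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Hypothetical loader: fails startup only when every candidate secret is unreadable. */
public class LenientSecretsLoader {
    private final AWSSecretsManager client;
    private final boolean failFast;

    public LenientSecretsLoader(AWSSecretsManager client, boolean failFast) {
        this.client = client;
        this.failFast = failFast;
    }

    /** Same candidate order as the issue describes: most specific name first. */
    static List<String> candidates(String prefix, String appName, List<String> profiles) {
        List<String> names = new ArrayList<>();
        for (String p : profiles) names.add(prefix + "/" + appName + "_" + p);
        names.add(prefix + "/" + appName);
        for (String p : profiles) names.add(prefix + "/application_" + p);
        names.add(prefix + "/application");
        return names;
    }

    /** Returns the secrets that could be read; records why each missing one was skipped. */
    public Map<String, String> load(String appName, List<String> profiles) {
        Map<String, String> loaded = new LinkedHashMap<>();
        List<String> failures = new ArrayList<>();
        for (String name : candidates("/secret", appName, profiles)) {
            try {
                String value = client.getSecretValue(
                        new GetSecretValueRequest().withSecretId(name)).getSecretString();
                loaded.put(name, value);
            } catch (ResourceNotFoundException e) {
                failures.add(name + " (not found)");          // secret simply does not exist
            } catch (RuntimeException e) {
                failures.add(name + " (" + e.getMessage() + ")"); // e.g. access denied, throttling
            }
        }
        // Proposed rule: abort only if *all* reads failed, and only when failFast is on.
        if (failFast && loaded.isEmpty()) {
            throw new IllegalStateException("No Secrets Manager entry could be read: " + failures);
        }
        return loaded;
    }
}
```

Keeping the per-secret failure reasons separate lets an operator tell an absent optional secret from an IAM denial on a secret that should have been readable.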

I think this would be a useful default as well. Currently you're forced to implement unnecessarily complex IAM permissions for your service as well so it can read all secrets for all (allowed) profiles.

ghost avatar Aug 12 '19 06:08 ghost

It gets worse. If I use spring.profiles.include like so:

# application-prod.yaml
spring:
  profiles:
    include: cloud

then it appears that I need all of the following secrets to be defined and accessible:

  • /secret/service_prod
  • /secret/service_cloud
  • /secret/service
  • /secret/application_prod
  • /secret/application_cloud
  • /secret/application

This tight coupling between where I store secrets and how I decide to structure my Spring profiles doesn't make sense to me.

ianfp avatar Mar 04 '20 22:03 ianfp