Inspiration
I use AWS Secrets Manager to store credentials all the time. In my recent project using Quarkus, I had to create a client and retrieve the credentials. It wasn't a big deal. But I was so disappointed when I realized that the AWS Secrets Manager SDK doesn't support GraalVM Native Image. I wasn't able to build a native binary for my application. This was my big motivation to create an extension. I want to integrate my application with AWS Secrets Manager and be able to create a native binary to run my service, and I want to do it simply.
What it does
Allows you to integrate AWS Secrets Manager with Quarkus easily. The extension creates an AWS Secrets Manager client that can be injected using the @Inject annotation. Both the sync and the async client are supported. If injecting the client is not easy enough, it is possible to use a custom annotation, @AWSSecretsManager, to inject a secret from AWS directly into a string.
Injecting Sync Client
@Inject
SecretsManagerClient client;
Injecting Async Client
@Inject
SecretsManagerAsyncClient asyncClient;
Injecting secret using AWS Secrets Manager Annotation
Allows injecting a secret from AWS Secrets Manager directly into a variable. It supports plaintext and binary secrets. The example stores the secret from _a-secret-id_ in the string _secretId_.
@AWSSecretsManager("a-secret-id")
String secretId;
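For comparison, the manual retrieval that the annotation is meant to replace, written against the injected sync client. This is an added example, not code from the extension: the SecretReader class and its read method are hypothetical, the jakarta.* imports assume a recent Quarkus version (older versions use javax.*), and decoding a binary secret as UTF-8 is an assumption.

```java
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import java.nio.charset.StandardCharsets;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueResponse;
import software.amazon.awssdk.services.secretsmanager.model.ResourceNotFoundException;

// Hypothetical bean, not part of the extension.
@ApplicationScoped
public class SecretReader {

    @Inject
    SecretsManagerClient client; // sync client provided by the extension

    /** Returns the secret as text, whether it was stored as plaintext or binary. */
    public String read(String secretId) {
        GetSecretValueRequest request = GetSecretValueRequest.builder()
                .secretId(secretId)
                .build();
        GetSecretValueResponse response;
        try {
            response = client.getSecretValue(request);
        } catch (ResourceNotFoundException e) {
            // Report the id only; never put secret material in messages or logs.
            throw new IllegalStateException("Secret not found: " + secretId, e);
        }
        // A secret carries either SecretString or SecretBinary, not both.
        if (response.secretString() != null) {
            return response.secretString();
        }
        if (response.secretBinary() != null) {
            // Assumption: the binary payload is UTF-8 text.
            return response.secretBinary().asString(StandardCharsets.UTF_8);
        }
        throw new IllegalStateException("Secret has no value: " + secretId);
    }
}
```

The IAM identity the service runs as needs secretsmanager:GetSecretValue on the secret, ideally scoped to that secret's ARN rather than to all secrets.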
How I built it
I followed the extension documentation, and I took a look at existing extensions in the Quarkus repository. Furthermore, I used the Zulip channel.
Challenges I ran into
I faced a few challenges. The first one was to understand the architecture. But the hardest challenge was to create a custom annotation for my extension. My goal was to make it easy to use Secrets Manager, and to achieve that, a custom annotation to inject a secret into a variable was essential.
Accomplishments that I'm proud of
I am happy that this extension allows developers to use AWS Secrets Manager with Quarkus and create a binary file with the project in an easy way, out of the box, using a new annotation, AWSSecretsManager. Now, developers don't have to write a single line of code to retrieve secrets from Secrets Manager. They only need to use an annotation. For me, this is the big contribution of this extension.
What I learned
I learned a lot. I improved my knowledge of Quarkus. But I think the best lesson was finding out how amazing the community is. I am pleasantly surprised. They were a helpful and active community. They answered my questions, and they worked on the bugs that I reported. After this project, I can say I would love to work for Red Hat.
What's next for AWS Secrets Manager extension
I would like to integrate this extension with the Credential Provider extension and provide the same functionality existing in Vault. Specifically, I would like to be able to create a DataSource with the credentials stored in AWS Secrets Manager.
Built With
- amazon-web-services
- awssecretsmanager
- graalvm
- java
- quarkus
