How to Securely Connect Your Spring Boot App to PostgreSQL with AWS Secrets Manager — No More Hardcoded Credentials

Hardcoding database credentials is a practice we all want to avoid — yet it still happens.

With Spring Boot and AWS Secrets Manager, you can eliminate plain-text secrets in your application.properties while keeping your configuration simple and flexible.

In this post, you’ll learn:

✅ How we usually configure a PostgreSQL connection with hardcoded values
✅ How to replace them with a Secrets Manager integration using spring-cloud-aws-starter-secrets-manager
✅ How the spring.config.import property lets you pull secrets automatically — no extra boilerplate

Let’s dive in.

🎯 The Traditional Way: Hardcoded Properties

A typical application.properties for connecting to PostgreSQL might look like this:

spring.datasource.url=jdbc:postgresql://localhost:5432/mydb
spring.datasource.username=myuser
spring.datasource.password=mypassword
spring.datasource.driver-class-name=org.postgresql.Driver

This works, but it’s risky:

  • Credentials are visible in your source code or version control.
  • Changing them means new commits and deployments.
  • Rotating them securely becomes a hassle.

✅ The Better Way: Use AWS Secrets Manager

Let’s make this more secure and cloud-native by moving the credentials to AWS Secrets Manager.

Step 1️⃣ — Create Your Secret in AWS Secrets Manager

In the AWS Console:

  1. Go to Secrets Manager → Store a new secret
  2. Choose Other type of secrets
  3. Store your credentials like this: { "username": "myuser", "password": "mypassword", "url": "jdbc:postgresql://localhost:5432/mydb" }
  4. Give it a name like local/db.

There’s a convention naming secrets on Secrets Manager that is slash based (/) starting with the environment name and then something meaningful. In our case, we’re going to connect to our local db, so it becomes local/db (even though, in real world we don’t store local db secrets to Secrets Manager, but for other environments such as dev , qa and prod ). This is just an example.

🧠 Pro Tip: Rename Your Keys

To make your integration seamless, rename the keys in Secrets Manager to match the Spring property names exactly.

So instead of:

{
  "username": "...",
  "password": "...",
  "url": "..."
}

Rename them:

{
  "spring.datasource.username": "myuser",
  "spring.datasource.password": "mypassword",
  "spring.datasource.url": "jdbc:postgresql://localhost:5432/mydb"
}

Why? Because when Spring pulls secrets, these will override the properties at runtime.

No need to map them manually!

Step 2️⃣ — Add the Spring Cloud AWS Dependency

Add this to your pom.xml:

<dependencyManagement>
	<dependencies>
		<dependency>
			<groupId>io.awspring.cloud</groupId>
			<artifactId>spring-cloud-aws-dependencies</artifactId>
			<version>3.4.0</version>
			<type>pom</type>
			<scope>import</scope>
		</dependency>
	</dependencies>
</dependencyManagement>

<dependencies>
	<dependency>
    <groupId>io.awspring.cloud</groupId>
    <artifactId>spring-cloud-aws-starter-secrets-manager</artifactId>
	</dependency>
</dependencies>

This starter automatically resolves your secrets into Spring’s Environment.

Step 3️⃣ — Import Secrets Using spring.config.import

Now you don’t need to specify your DB credentials explicitly anymore.

Instead, tell Spring Boot to load them from Secrets Manager:

spring.config.import=aws-secretsmanager:local/db

That’s it!

  • Spring Boot will fetch spring.datasource.username, spring.datasource.password, and spring.datasource.url from Secrets Manager at runtime.
  • No hardcoded values.
  • No extra config classes or beans needed.

We have multiple ways to authenticate with AWS to retrieve the secrets. Usually, for local enviroments, we go with AWS CLI.

By installing and configuring it, you can seamless and automatic authenticate when your app starts. No extra code needed.

🧪 Example: Validate That It Works

To demonstrate that these values are being pulled correctly, let’s create a simple CredentialsController that exposes them in a GET request.

⚠️ HUGE CALLOUT:
☝️ NEVER expose credentials like this in a real-world application.

This is for demonstration purposes only, to verify that your integration works.

CredentialsController Example

import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

import java.util.Map;

@RestController
public class CredentialsController {

    @Value("${spring.datasource.username}")
    private String username;

    @Value("${spring.datasource.password}")
    private String password;

    @Value("${spring.datasource.url}")
    private String url;

    @GetMapping("/credentials")
    public ResponseEntity<?> get() {
        return ResponseEntity.ok(Map.of(
                "spring.datasource.username", username,
                "spring.datasource.password", password,
                "spring.datasource.url", url
        ));
    }
}

When you hit /credentials, you should see your secrets resolved from AWS Secrets Manager.

Again — this is only for validation, not for production!

🔄 Quick Recap: Your Secure Setup

Secrets stored in AWS Secrets Manager.
Property keys match Spring’s expected names (spring.datasource.*).
spring-cloud-aws-starter-secrets-manager pulls secrets at runtime automatically.
✅ No hardcoded credentials in your Git repo!

✅ Final Thoughts

Integrating AWS Secrets Manager with Spring Boot is one of the simplest ways to level up your app’s security posture — especially with the spring-cloud-aws-starter-secrets-manager starter.

No more committing secrets to version control.
No more configuration drift across environments.

Just clean, secure, cloud-native secret management — done right.