Can i access Secrets Manager from Tomcat

Question

We have a WAR file deployed on Tomcat and the database credentials are fetched through JNDI. This WAR now has to be moved to AWS cloud, and the requirement is db credentials has to be stored in AWS Secret Manager. My question is can I continue using JNDI/Tomcat along with Secret Manager ? I understand AWS SM has API and SDKs to access it, can that be integrated with JNDI/Tomcat somehow ? All posts I have seen mentions using the API/SDK directly from code, none i have found say anything about server integration. Is accessing AWS SM from code really the best way to do it ? Thanks.   
A side note - for some reason unknown to me, we cannot use BeanStalk, it is just Tomcat on an EC2 instance.

Answer

Maybe you could use the JDBC driver wrapper: https://github.com/aws/aws-secretsmanager-jdbc. If you are using a connection pool manager you can follow the example in the README and replace the JDBC library with the wrapper library, specifying the secret in the configuration. The wrapper will then retrieve the secret and pass it to the real JDBC library.  
  
If you are not using a connection pool manager, you could still replace the existing JDBC driver with the wrapper, but this would take some code modifications.  
  
By using the wrapper, you can also turn on auto-rotation on the DB password since the wrapper knows to re-fetch the secret after it changes.

Answer

Thank you JoeB. I am planning to use the wrapper in a customized JNDI component in Tomcat and see how it goes.

Can i access Secrets Manager from Tomcat

Relevanter Inhalt