Support pulling application.properties configuration and secrets from AWS SSM #1388
Merged
| { | ||
| return SsmClient.builder() | ||
| .region(region) | ||
| .credentialsProvider(DefaultCredentialsProvider.create()) |
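Review bot: The .credentialsProvider(DefaultCredentialsProvider.create()) line leaves the choice of identity to the SDK's default chain, so the credentials used for SSM depend on whatever the host exposes (environment variables, system properties, profile files, or a container or instance role). Consider documenting next to this builder which source is expected in production, and scoping that identity's IAM policy to read-only access on the paths under context.awsParameterStore.prefix and context.awsParameterStore.secretsPrefix, so a misconfigured host cannot pull unrelated parameters.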
Contributor
What is our deployment plan to inject the AWS credentials in production?
labkey-matthewb
approved these changes
May 28, 2026
While I think Claude is awesome, I always find it useful to get a
second opinion from Gemini which is getting better. And I posted the
feedback online and I found some of the feedback helpful.
Thanks,
…-Gokhan
On Fri, May 22, 2026 at 12:59 PM Josh Eckels ***@***.***> wrote:
Rationale
We can simplify configuration of cloud servers by pulling their config and
secrets directly from AWS SSM.
Related Pull Requests
- LabKey/platform#7671
Changes
- New ssm: syntax to tell a property to pull value directly from SSM
- Support for JSON and flat values in SSM
- context.awsParameterStore.prefix and
context.awsParameterStore.secretsPrefix and support for relative SSM
paths
Commit Summary
- 927e0d1 Support SSM-backed properties in application.properties and secrets
- b7a3b11 Support SSM-backed properties in application.properties and secrets
- d84b6fb Assorted fixes
- a12a5c1 Misc improvements
File Changes (5 files <https://github.com/LabKey/server/pull/1388/files>)
- M .idea/inspectionProfiles/Project_Default.xml (5)
- M gradle.properties (2)
- M server/embedded/build.gradle (4)
- A server/embedded/src/main/resources/META-INF/spring.factories (2)
- A server/embedded/src/org/labkey/embedded/AwsParameterStoreEnvironmentPostProcessor.java (296)
Patch Links:
- https://github.com/LabKey/server/pull/1388.patch
- https://github.com/LabKey/server/pull/1388.diff
Contributor
Author
The downside of this approach to support pulling configuration from AWS SSM is that it pulls in a bunch of transitive dependencies via the AWS SDK. Baseline set of JARs: Expanded set: It also made me update the embedded project's build to ensure it picks up our forced version of Netty to fix CVEs. The good news is that the OWASP checker flagged the usage of the older version. @labkey-susanh I'd appreciate a quick check on the change here:
Contributor
Change in that commit looks good to me.
Rationale
We can simplify configuration of cloud servers by pulling their config and secrets directly from AWS SSM.
Related Pull Requests
Changes
- ssm: syntax to tell a property to pull value directly from SSM
- context.awsParameterStore.prefix and context.awsParameterStore.secretsPrefix and support for relative SSM paths