Describe the bug
I am using the following AWS Secrets Manager JDBC dependency:
com.amazonaws.secretsmanager aws-secretsmanager-jdbc 2.0.2
In my Spring Boot application, I’m trying to connect to a MySQL database using the jdbc-secretsmanager protocol. Here's my relevant configuration:
spring.datasource.url=jdbc-secretsmanager:mysql://${DATABASE_HOST}:${DATABASE_PORT}/${DB_NAME}?nullCatalogMeansCurrent=true&createDatabaseIfNotExist=true&useUnicode=true&characterEncoding=utf-8&autoReconnect=true
spring.datasource.username=${DATABASE_USER}
However, I encounter the following error on startup:
2025-07-31 07:02:14 INFO HikariPool-1 - Starting...
2025-07-31 07:02:14 WARN To use web identity tokens, the 'sts' service module must be on the class path.
2025-07-31 07:02:16 WARN HHH000342: Could not obtain connection to query metadata
com.zaxxer.hikari.pool.HikariPool$PoolInitializationException: Failed to initialize pool: Unable to load credentials from any of the providers in the chain AwsCredentialsProviderChain(credentialsProviders=[SystemPropertyCredentialsProvider(), EnvironmentVariableCredentialsProvider(), WebIdentityTokenCredentialsProvider(), ProfileCredentialsProvider(profileName=default, profileFile=ProfileFile(profilesAndSectionsMap=[])), ContainerCredentialsProvider(), InstanceProfileCredentialsProvider()]) : [SystemPropertyCredentialsProvider(): Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId)., EnvironmentVariableCredentialsProvider(): Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId)., WebIdentityTokenCredentialsProvider(): To use web identity tokens, the 'sts' service module must be on the class path., ProfileCredentialsProvider(profileName=default, profileFile=ProfileFile(profilesAndSectionsMap=[])): Profile file contained no credentials for profile 'default': ProfileFile(profilesAndSectionsMap=[]), ContainerCredentialsProvider(): Cannot fetch credentials from container - neither AWS_CONTAINER_CREDENTIALS_FULL_URI or AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variables are set., InstanceProfileCredentialsProvider(): Failed to load credentials from IMDS.]
When I add the following dependency:
software.amazon.awssdk sts 2.20.93
The application starts successfully.
To Reproduce
Steps to reproduce the behavior:
1. Create a Spring Boot application using the aws-secretsmanager-jdbc driver.
2. Use a JDBC URL with the jdbc-secretsmanager:mysql prefix.
3. Do not include the sts dependency.
4. Run the application in an environment using IAM roles or web identity tokens.
Expected behavior
A description of what you expected to happen.
The application should connect to the database successfully by retrieving credentials from AWS Secrets Manager, without requiring manual addition of the sts dependency if using web identity tokens is a supported use case.
Environment:
Details about your environment (OS, Java version, AWS SDK version...)
OS: Amazon Linux / macOS / Windows
Java Version: OpenJDK 17
AWS SDK Version: 2.x
Failing Dependency: aws-secretsmanager-jdbc:2.0.2
Working With: software.amazon.awssdk:sts:2.20.93
Additional context
Add any other context about the problem here.
It appears that aws-secretsmanager-jdbc transitively depends on the AWS SDK v2, but does not include the sts module.
This causes failures in environments where the credentials provider chain includes WebIdentityTokenCredentialsProvider, unless sts is manually added.
Question: Is the sts module officially required when using IAM roles for service accounts or other web identity providers?
Also: Does this driver automatically refresh credentials upon Secrets Manager rotation, or are additional configurations needed to support that?
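The provider-chain exception in the report above lists one failure per provider, and only one of them is a classpath problem rather than an absence of credentials. The following triage script is an added example, not part of the original post or of the aws-secretsmanager-jdbc project; the function names are hypothetical and the sample is the reported message trimmed to four providers.

```python
import re

# Constructed sample: the chain failure from the report, trimmed to four providers.
SAMPLE = (
    "Unable to load credentials from any of the providers in the chain "
    "AwsCredentialsProviderChain(credentialsProviders=["
    "EnvironmentVariableCredentialsProvider(), WebIdentityTokenCredentialsProvider(), "
    "ProfileCredentialsProvider(profileName=default, "
    "profileFile=ProfileFile(profilesAndSectionsMap=[])), "
    "InstanceProfileCredentialsProvider()]) : ["
    "EnvironmentVariableCredentialsProvider(): Unable to load credentials from system "
    "settings. Access key must be specified either via environment variable "
    "(AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId)., "
    "WebIdentityTokenCredentialsProvider(): To use web identity tokens, the 'sts' "
    "service module must be on the class path., "
    "ProfileCredentialsProvider(profileName=default, "
    "profileFile=ProfileFile(profilesAndSectionsMap=[])): Profile file contained no "
    "credentials for profile 'default': ProfileFile(profilesAndSectionsMap=[]), "
    "InstanceProfileCredentialsProvider(): Failed to load credentials from IMDS.]"
)

# Wording taken from the WARN line in the report.
MODULE_RE = re.compile(r"the '(\w+)' service module must be on the class path")


def parse_chain_failure(message):
    """Return [(provider, reason)] from the bracketed per-provider detail list."""
    _, sep, details = message.partition("]) : [")
    if not sep:
        return []  # not a provider-chain failure
    details = details.rstrip()
    if details.endswith("]"):
        details = details[:-1]
    findings = []
    # Split only where a new "<Name>CredentialsProvider(" entry begins, so commas
    # inside provider arguments or reasons do not break an entry apart.
    for part in re.split(r", (?=\w+CredentialsProvider\()", details):
        m = re.match(r"(\w+)\((.*?)\): (.*)", part, re.S)
        if m:
            findings.append((m.group(1), m.group(3)))
    return findings


def missing_modules(message):
    """Map provider -> SDK module it could not load (a build fix, not an IAM fix)."""
    hits = {}
    for provider, reason in parse_chain_failure(message):
        m = MODULE_RE.search(reason)
        if m:
            hits[provider] = m.group(1)
    return hits
```
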