Recently our development team has been experimenting with ways to store the license key securely, and one of them is storing the license key on AWS Secrets Manager, which is the equivalent of similar tooling like HashiCorp Vault and Azure Key Vault.
Since the key is now stored on a secure platform, we then removed the license key itself from the New Relic YAML configuration file.
So on application startup, the application would use the AWS SDK to fetch the license key from AWS Secrets Manager, and then set the related system property via `System.setProperty`.
But since the New Relic Java agent is implemented as a Java Agent, the agent would start up much earlier than the application itself, and it will then attempt to read the license key. Since the license key has already been removed from the configuration file, and it is only available during app startup (which is after the agent has started), the agent would fail to start.
Hence, setting the license key programmatically via `System.setProperty` allows the license key to be accessed by the application, but not the Java Agent.
To allow both the application and the Java Agent to access the license key, the key can be specified as a system property on program invocation, i.e. `java -javaagent:newrelic-agent.jar -Dnewrelic.config.license_key=$theLicenseKey -jar app.jar`.
This means the fetching of the license key from AWS Secrets Manager has to be done outside of the application. We would need to utilise some script to fetch the license key beforehand, or store the key in Kubernetes secrets (or sealed secrets), so we could invoke `app.jar` and specify the license key via system property on program invocation.
Still, we want to centralise the logic for license key fetching and setting inside the application. Since the New Relic Java agent is a Java Agent, this introduces some complication in achieving our desired setup.
New Relic Edit
We take feature ideas seriously and our product managers review every one when plotting their roadmaps. However, there is no guarantee this feature will be implemented. This post ensures the idea is put on the table and discussed though. So please vote and share your extra details with our team.
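
The launcher-script approach described in the post, as an added example that is not part of the original post or New Relic's own tooling: it fetches the key with the AWS CLI before the JVM starts and hands it to the agent through the `NEW_RELIC_LICENSE_KEY` environment variable instead of a `-D` argument, which keeps the key out of the process argument list. The secret name and jar paths are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: resolve the New Relic license key before the JVM (and thus the
# -javaagent) starts. Avoid `set -x` here, it would trace the key to stderr.

SECRET_ID="${SECRET_ID:-example/newrelic/license-key}"  # hypothetical secret name
AGENT_JAR="${AGENT_JAR:-newrelic-agent.jar}"            # hypothetical path
APP_JAR="${APP_JAR:-app.jar}"                           # hypothetical path

# Print the secret's string value on stdout.
# Fails if the AWS call fails or the secret has no usable SecretString.
fetch_license_key() {
    key=$(aws secretsmanager get-secret-value \
            --secret-id "$1" --query SecretString --output text) || return 1
    # With --output text, a null SecretString is rendered as the literal "None".
    case "$key" in
        ''|None)
            echo "license key secret '$1' is empty" >&2
            return 1 ;;
    esac
    printf '%s' "$key"
}

# Fetch the key and export it for the child JVM only (not written to disk,
# not placed on the command line).
prepare_env() {
    NEW_RELIC_LICENSE_KEY=$(fetch_license_key "$SECRET_ID") || return 1
    export NEW_RELIC_LICENSE_KEY
}

# Usage: ./launch.sh run [application arguments...]
if [ "${1:-}" = "run" ]; then
    shift
    # Refuse to start the JVM without a key, so the failure is visible here
    # and not as an agent start-up error later.
    prepare_env || exit 1
    # JVM options must come before -jar; anything after app.jar is passed
    # to the application as program arguments.
    exec java -javaagent:"$AGENT_JAR" -jar "$APP_JAR" "$@"
fi
```

The process running the script needs `secretsmanager:GetSecretValue` on that one secret and nothing broader.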