
Enable Dynamic Spring Cloud Config with Nacos and Secure Sensitive Settings via KMS

This guide explains how to integrate Nacos with Spring Cloud for runtime configuration refresh and how to protect sensitive properties with Alibaba KMS without code changes; it also describes the underlying refresh mechanism, the dependency setup, property-source priority, and troubleshooting tips.

Alibaba Cloud Native

Spring Cloud applications commonly use the @Value annotation to inject properties from application.properties, but changes require a restart. Nacos provides a configuration center that can push updates at runtime, and Alibaba KMS can encrypt sensitive data stored in Nacos, eliminating the need for code modifications.

Typical @Value Usage

In a Spring Bean, properties are injected as follows:

import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

@Component
public class AppConfig {
    // "switch" is a reserved word in Java and cannot be used as a field name;
    // the property key app.switch is unchanged, only the field is renamed.
    @Value("${app.switch:false}")
    boolean appSwitch;
    @Value("${app.threadhold}")   // no default: startup fails if the key is missing
    double threadhold;
}

Changing the values in application.properties requires a restart, which is inefficient for frequently updated parameters.

Integrating Nacos for Dynamic Refresh

1. Add the Spring Cloud Alibaba Nacos config dependency:

<dependency>
    <groupId>com.alibaba.cloud</groupId>
    <artifactId>spring-cloud-starter-alibaba-nacos-config</artifactId>
    <version>${spring.cloud.alibaba.version}</version>
</dependency>

2. Create a Nacos dataId (e.g., pay-application.properties) in the core group and add the following to application.properties:

spring.config.import=nacos:pay-application.properties?group=core&refreshEnabled=true
spring.cloud.nacos.config.server-addr={server_addr}

3. Remove the local app.switch and app.threadhold entries.

4. Annotate the bean with @RefreshScope so that Spring refreshes the fields when Nacos pushes updates:

import org.springframework.beans.factory.annotation.Value;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.stereotype.Component;

@Component
@RefreshScope   // bean is re-created with fresh values after a Nacos push
public class AppConfig {
    // "switch" is a reserved word in Java; the property key app.switch is unchanged.
    @Value("${app.switch:false}")
    boolean appSwitch;
    @Value("${app.threadhold}")
    double threadhold;
}

After restarting, any change to the properties in Nacos is automatically reflected in the running application.
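The following is an added example, not code from the original article: the refresh-scoped bean above together with a consumer, to show the one rule that makes refresh actually take effect. Because @RefreshScope injects a scoped proxy, values must be read through the bean on every call; a singleton that copies them out at construction time keeps the stale copy after a push. The property keys are the guide's; the field names, the PaymentService class and its shouldRoute method are assumptions made for the illustration.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

// Refresh-scoped holder for the two Nacos-managed keys used in the guide.
// Field names differ from the keys because "switch" is a Java keyword.
@Component
@RefreshScope
class AppConfig {

    @Value("${app.switch:false}")
    private boolean appSwitch;

    @Value("${app.threadhold}")
    private double threadhold;

    public boolean isAppSwitch() { return appSwitch; }

    public double getThreadhold() { return threadhold; }
}

// Hypothetical consumer (assumption, not from the article) that depends on the
// refresh-scoped bean.
@Service
class PaymentService {

    private final AppConfig appConfig;

    // Anti-pattern: copying a value out of the scoped bean at construction time
    // freezes it. A later Nacos push re-creates AppConfig, but this singleton
    // would keep the stale copy forever.
    // private final double cachedThreshold;

    PaymentService(AppConfig appConfig) {
        this.appConfig = appConfig;                        // keep the scoped proxy
        // this.cachedThreshold = appConfig.getThreadhold(); // do NOT do this
    }

    // Read through the proxy on every call: after a refresh, the next access
    // lazily instantiates a new AppConfig target holding the pushed values.
    public boolean shouldRoute(double amount) {
        return appConfig.isAppSwitch() && amount >= appConfig.getThreadhold();
    }
}
```

The same rule applies to values captured in lambdas, thread pools or caches created at startup: anything that needs to follow Nacos must call the @RefreshScope bean at use time rather than hold its result.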

Zero‑Code Encryption with KMS

To protect sensitive data (e.g., DB credentials, tokens), split the configuration into two dataIds:

pay-application.properties (group core) – non-sensitive settings.

cipher-kms-aes-256-pay-application.properties (group secret) – sensitive properties whose keys carry the encrypted. prefix; the cipher-kms-aes-256- dataId prefix tells the Nacos client to store this content encrypted with KMS.

Example encrypted file:

# Database configuration
encrypted.spring.datasource.driver-class-name=com.mysql.jdbc.Driver
encrypted.spring.datasource.url=jdbc:mysql://localhost:3306/mydatabase
encrypted.spring.datasource.username=user001
encrypted.spring.datasource.password=pass!@#$%

# Secret and token
encrypted.app.secret=test_GFYIdryujixxx
encrypted.key.token=test_eedsjpp56hko8h

Add the MSE KMS extension dependency:

<dependency>
    <groupId>com.alibaba.nacos</groupId>
    <artifactId>nacos-client-mse-extension</artifactId>
    <version>1.0.4</version>
</dependency>

Update application.properties to import both configurations and configure KMS parameters:

spring.config.import=nacos:cipher-kms-aes-256-pay-application.properties?group=secret&refreshEnabled=true,nacos:pay-application.properties?group=core&refreshEnabled=true
spring.cloud.nacos.config.server-addr={server_addr}
spring.cloud.nacos.config.kms_region_id=cn-hangzhou
spring.cloud.nacos.config.kmsEndpoint=kst-xxx.cryptoservice.kms.aliyuncs.com
spring.cloud.nacos.config.kmsVersion=v3.0
spring.cloud.nacos.config.kmsClientKeyFilePath=clientKey_hangzhou.json
spring.cloud.nacos.config.kmsPasswordKey=10xxxd1d
spring.cloud.nacos.config.kmsCaFilePath=clientKey_hangzhou.json

Reference the encrypted values from the original pay-application.properties using ${} placeholders, e.g.:

spring.datasource.password=${encrypted.spring.datasource.password}

The application code remains unchanged; the Nacos client decrypts the values via KMS at runtime.

Dynamic Refresh Mechanism

When refreshEnabled=true is set, Spring Cloud Alibaba (SCA) performs the following:

1. During container startup, SCA loads all configured Nacos property sources before any bean is initialized.

2. After bean initialization, SCA registers listeners for the specified dataId/group tuples.

3. Upon a configuration change, Nacos pushes a notification; SCA receives it, fetches the new content, and publishes a RefreshEvent.

4. Spring’s ContextRefresher updates the Environment and triggers RefreshScopeRefreshedEvent, causing beans annotated with @RefreshScope to be re-created with the latest values (@ConfigurationProperties beans are rebound in place).

Property Source Priority

Spring resolves duplicate keys according to the standard order: JVM arguments > environment variables > Nacos (imported via spring.config.import) > local application.properties. Multiple imports are comma‑separated; an import listed later takes precedence over one listed earlier.
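As an added example (not from the original article) that ties the refresh flow and the precedence rule together: after ContextRefresher updates the Environment, Spring Cloud Commons publishes an EnvironmentChangeEvent carrying the set of changed keys. The listener below audits every change by reporting which property source now supplies the key, walking the Environment's property sources in their precedence order so the first match is the winner, and masks values whose keys look sensitive (the guide's encrypted. prefix, or names containing password, secret, token or credential) so a pushed secret never lands in application logs. The class name ConfigChangeAuditor, the isSensitive heuristic and the use of SLF4J for logging are assumptions of this example.

```java
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.cloud.context.environment.EnvironmentChangeEvent;
import org.springframework.context.event.EventListener;
import org.springframework.core.env.ConfigurableEnvironment;
import org.springframework.core.env.PropertySource;
import org.springframework.stereotype.Component;

/**
 * Hypothetical audit component (added example). Logs each key changed by a
 * Nacos push together with the property source that wins for it, and masks
 * the values of keys that look like secrets.
 */
@Component
public class ConfigChangeAuditor {

    private static final Logger log = LoggerFactory.getLogger(ConfigChangeAuditor.class);

    private final ConfigurableEnvironment env;

    public ConfigChangeAuditor(ConfigurableEnvironment env) {
        this.env = env;
    }

    // Published by ContextRefresher after the Environment has been refreshed;
    // event.getKeys() holds the keys whose resolved value changed.
    @EventListener
    public void onChange(EnvironmentChangeEvent event) {
        for (String line : describe(event.getKeys()).values()) {
            log.info("config change: {}", line);
        }
    }

    /** key -> "key = value (from source)", sorted, values masked when sensitive. */
    Map<String, String> describe(Set<String> keys) {
        Map<String, String> out = new TreeMap<>();
        for (String key : keys) {
            String value = env.getProperty(key);           // resolved, placeholders expanded
            String shown = value == null ? "<removed>" : (isSensitive(key) ? "****" : value);
            out.put(key, key + " = " + shown + " (from " + winningSource(key) + ")");
        }
        return out;
    }

    /**
     * Name of the highest-priority property source defining the key. The
     * Environment iterates its sources in precedence order (JVM args,
     * environment variables, Nacos imports, local application.properties),
     * so the first source containing the key is the one Spring uses.
     */
    String winningSource(String key) {
        for (PropertySource<?> ps : env.getPropertySources()) {
            if (ps.containsProperty(key)) {
                return ps.getName();
            }
        }
        return "<none>";   // key was deleted in Nacos; no source defines it any more
    }

    // Heuristic (assumption): keys under the guide's encrypted. prefix, and
    // keys whose name suggests a credential, are never logged in clear text.
    static boolean isSensitive(String key) {
        String k = key.toLowerCase();
        return k.startsWith("encrypted.")
                || k.contains("password")
                || k.contains("secret")
                || k.contains("token")
                || k.contains("credential");
    }
}
```

The source name printed for a Nacos-imported key identifies the dataId and group it came from, which is the quickest way to confirm in a running service that a key is really being served by Nacos rather than shadowed by a JVM argument or environment variable. The `<removed>` marker covers the case where a key is deleted from the dataId: the refresh still fires, but no source defines the key afterwards.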

Nacos Logging for Troubleshooting

Key log entries in {user.home}/logs/nacos/ include:

add-listener: confirms the application is listening to a specific dataId.

server-push: indicates a push event from the server.

data-received: shows the configuration payload received.

notify-listener / notify-ok / notify-error: reflect listener callback results.

Inspecting config.log helps verify connections, namespaces, groups, and whether updates are applied successfully.

Conclusion

By combining Nacos with Spring Cloud, developers gain real‑time configuration refresh without restarting services. Adding Alibaba KMS enables zero‑code encryption of sensitive properties, addressing security concerns while keeping the application code unchanged. The article also outlines the underlying initialization, listening, and refresh flow, property‑source precedence, and useful Nacos logs for debugging.
