Spring Vault



Spring Vault provides familiar Spring abstractions and client-side support for accessing, storing and revoking secrets. It offers both low-level and high-level abstractions for interacting with Vault, freeing the user from infrastructural concerns.

With HashiCorp’s Vault you have a central place to manage external secret data for applications across all environments. Vault can manage static and dynamic secrets such as application data, username/password for remote applications/resources and provide credentials for external services such as MySQL, PostgreSQL, Apache Cassandra, Consul, AWS and more.


  • Spring configuration support using Java based @Configuration classes.

  • VaultTemplate helper class that increases productivity performing common Mongo operations. Includes integrated object mapping between documents and POJOs.

  • Supported authentication mechanisms:

    • Token

    • AppRole

    • AWS-EC2

    • AWS-IAM

    • Azure MSI

    • Certificates (PKI)

    • Cubbyhole

    • GCP-GCE

    • GCP-IAM

    • Kubernetes

    • Pivotal CloudFoundry

  • Annotation-based @VaultPropertySource integration

  • Support for renewable and rotating secrets

  • Feature Rich Object Mapping integrated with Spring’s Conversion Service

  • Annotation based mapping metadata but extensible to support other metadata formats

  • Automatic implementation of Repository interfaces including support for custom query methods.


class VaultConfiguration extends AbstractVaultConfiguration {

  public VaultEndpoint vaultEndpoint() {
    return new VaultEndpoint();

  public ClientAuthentication clientAuthentication() {
    return new TokenAuthentication("…");

Inject and use VaultTemplate

public class Example {

  // inject the actual template
  private VaultOperations operations;

  public void writeSecrets(String userId, String password) {

    Map<String, String> data = new HashMap<String, String>();
    data.put("password", password);

    operations.write(userId, data);

  public Person readSecrets(String userId) {

    VaultResponseSupport<Person> response =, Person.class);
    return response.getBody();

Vault PropertySource

@VaultPropertySource(value = "aws/creds/s3",
  propertyNamePrefix = "aws."
  renewal = Renewal.RENEW)
public class MyConfig {


public class Example {

  // inject the actual values
  private String awsAccessKey;

  private String awsSecretKey;

  public InputStream getFileFromS3(String filenname) {
    // …
Spring Initializr

Quickstart Your Project

Bootstrap your application with Spring Initializr.


Each Spring project has its own; it explains in great details how you can use project features and what you can achieve with them.
2.2.2 CURRENT GA Reference Doc. API Doc.
2.2.3 SNAPSHOT Reference Doc. API Doc.
2.1.6 SNAPSHOT Reference Doc. API Doc.
2.1.5 GA Reference Doc. API Doc.