Spring Vault
2.3.0Introduction
Spring Vault provides familiar Spring abstractions and client-side support for accessing, storing and revoking secrets. It offers both low-level and high-level abstractions for interacting with Vault, freeing the user from infrastructural concerns.
With HashiCorp’s Vault you have a central place to manage external secret data for applications across all environments. Vault can manage static and dynamic secrets such as application data, username/password for remote applications/resources and provide credentials for external services such as MySQL, PostgreSQL, Apache Cassandra, Consul, AWS and more.
Features
-
Spring configuration support using Java based @Configuration classes.
-
VaultTemplatehelper class that increases productivity performing common Mongo operations. Includes integrated object mapping between documents and POJOs. -
Supported authentication mechanisms:
-
Token
-
AppRole
-
AWS-EC2
-
AWS-IAM
-
Azure MSI
-
Certificates (PKI)
-
Cubbyhole
-
GCP-GCE
-
GCP-IAM
-
Kubernetes
-
Pivotal CloudFoundry
-
-
Annotation-based
@VaultPropertySourceintegration -
Support for renewable and rotating secrets
-
Feature Rich Object Mapping integrated with Spring’s Conversion Service
-
Annotation based mapping metadata but extensible to support other metadata formats
-
Automatic implementation of Repository interfaces including support for custom query methods.
Configure VaultTemplate
@Configuration
class VaultConfiguration extends AbstractVaultConfiguration {
@Override
public VaultEndpoint vaultEndpoint() {
return new VaultEndpoint();
}
@Override
public ClientAuthentication clientAuthentication() {
return new TokenAuthentication("…");
}
}Inject and use VaultTemplate
public class Example {
// inject the actual template
@Autowired
private VaultOperations operations;
public void writeSecrets(String userId, String password) {
Map<String, String> data = new HashMap<String, String>();
data.put("password", password);
operations.write(userId, data);
}
public Person readSecrets(String userId) {
VaultResponseSupport<Person> response = operations.read(userId, Person.class);
return response.getBody();
}
}Vault PropertySource
@VaultPropertySource(value = "aws/creds/s3",
propertyNamePrefix = "aws."
renewal = Renewal.RENEW)
public class MyConfig {
}
public class Example {
// inject the actual values
@Value("${aws.access_key}")
private String awsAccessKey;
@Value("${aws.secret_key}")
private String awsSecretKey;
public InputStream getFileFromS3(String filenname) {
// …
}
}Spring Boot Config
Documentation
| 2.3.0 CURRENT GA | Reference Doc. | API Doc. |
| 2.3.0-SNAPSHOT SNAPSHOT | ||
| 2.3.0-M1 PRE | Reference Doc. | API Doc. |
| 2.2.3.BUILD-SNAPSHOT SNAPSHOT | ||
| 2.2.2.RELEASE GA | Reference Doc. | API Doc. |
| 2.1.6.BUILD-SNAPSHOT SNAPSHOT | ||
| 2.1.5.RELEASE GA | Reference Doc. | API Doc. |
A few examples to try out:
- Samples Spring Vault and Spring Cloud Vault samples
- Guide: Retrieve sensitive configuration from Vault This guide walks you through the process of using Spring Cloud Vault to build an application that retrieves its configuration properties from HashiCorp Vault.
- Accessing Vault This guide walks you through the process of using Spring Vault to build an application that loads secrets from HashiCorp Vault, a secrets management tool.