Introduction

Spring Vault provides familiar Spring abstractions and client-side support for accessing, storing and revoking secrets. It offers both low-level and high-level abstractions for interacting with Vault, freeing the user from infrastructural concerns.

With HashiCorp’s Vault you have a central place to manage external secret data for applications across all environments. Vault can manage static and dynamic secrets such as application data, username/password for remote applications/resources and provide credentials for external services such as MySQL, PostgreSQL, Apache Cassandra, Consul, AWS and more.

Features

  • Spring configuration support using Java based @Configuration classes.

  • VaultTemplate helper class that increases productivity performing common Mongo operations. Includes integrated object mapping between documents and POJOs.

  • Supported authentication mechanisms:

    • Token

    • AppRole

    • AWS-EC2

    • AWS-IAM

    • Azure MSI

    • Certificates (PKI)

    • Cubbyhole

    • GCP-GCE

    • GCP-IAM

    • Kubernetes

    • Pivotal CloudFoundry

  • Annotation-based @VaultPropertySource integration

  • Support for renewable and rotating secrets

  • Feature Rich Object Mapping integrated with Spring’s Conversion Service

  • Annotation based mapping metadata but extensible to support other metadata formats

  • Automatic implementation of Repository interfaces including support for custom query methods.

Configure` VaultTemplate`

@Configuration
class VaultConfiguration extends AbstractVaultConfiguration {

  @Override
  public VaultEndpoint vaultEndpoint() {
    return new VaultEndpoint();
  }

  @Override
  public ClientAuthentication clientAuthentication() {
    return new TokenAuthentication("…");
  }
}

Inject and use VaultTemplate

public class Example {

  // inject the actual template
  @Autowired
  private VaultOperations operations;

  public void writeSecrets(String userId, String password) {

    Map<String, String> data = new HashMap<String, String>();
    data.put("password", password);

    operations.write(userId, data);
  }

  public Person readSecrets(String userId) {

    VaultResponseSupport<Person> response = operations.read(userId, Person.class);
    return response.getBody();
    }
}

Vault PropertySource

@VaultPropertySource(value = "aws/creds/s3",
  propertyNamePrefix = "aws."
  renewal = Renewal.RENEW)
public class MyConfig {

}

public class Example {

  // inject the actual values
  @Value("${aws.access_key}")
  private String awsAccessKey;

  @Value("${aws.secret_key}")
  private String awsSecretKey;

  public InputStream getFileFromS3(String filenname) {
    // …
  }
}

Quick start

Bootstrap your application with Spring Initializr.

Documentation

Each Spring project has its own; it explains in great details how you can use project features and what you can achieve with them.
2.1.3 CURRENT GA Reference Doc. API Doc.
2.2.0 M1 PRE Reference Doc. API Doc.
2.2.0 SNAPSHOT Reference Doc. API Doc.
2.1.4 SNAPSHOT Reference Doc. API Doc.