Spring Vault3.0.2


Spring Vault provides familiar Spring abstractions and client-side support for accessing, storing and revoking secrets. It offers both low-level and high-level abstractions for interacting with Vault, freeing the user from infrastructural concerns.

With HashiCorp’s Vault you have a central place to manage external secret data for applications across all environments. Vault can manage static and dynamic secrets such as application data, username/password for remote applications/resources and provide credentials for external services such as MySQL, PostgreSQL, Apache Cassandra, Consul, AWS and more.


  • Spring configuration support using Java based @Configuration classes.

  • VaultTemplate helper class that increases productivity performing common Vault operations. Includes integrated object mapping between documents and POJOs.

  • Supported authentication mechanisms:

    • Token

    • AppRole

    • AWS-EC2

    • AWS-IAM

    • Azure MSI

    • Certificates (PKI)

    • Cubbyhole

    • GCP-GCE

    • GCP-IAM

    • Kubernetes

    • Pivotal CloudFoundry

  • Annotation-based @VaultPropertySource integration

  • Support for renewable and rotating secrets

  • Feature Rich Object Mapping integrated with Spring’s Conversion Service

  • Annotation based mapping metadata but extensible to support other metadata formats

  • Automatic implementation of Repository interfaces including support for custom query methods.

Configure VaultTemplate

class VaultConfiguration extends AbstractVaultConfiguration {

  public VaultEndpoint vaultEndpoint() {
    return new VaultEndpoint();

  public ClientAuthentication clientAuthentication() {
    return new TokenAuthentication("…");

Inject and use VaultTemplate

public class Example {

  // inject the actual template
  private VaultOperations operations;

  public void writeSecrets(String userId, String password) {

    Map<String, String> data = new HashMap<String, String>();
    data.put("password", password);

    operations.write(userId, data);

  public Person readSecrets(String userId) {

    VaultResponseSupport<Person> response = operations.read(userId, Person.class);
    return response.getBody();

Vault PropertySource

@VaultPropertySource(value = "aws/creds/s3",
  propertyNamePrefix = "aws."
  renewal = Renewal.RENEW)
public class MyConfig {


public class Example {

  // inject the actual values
  private String awsAccessKey;

  private String awsSecretKey;

  public InputStream getFileFromS3(String filenname) {
    // …
Spring Initializr

Quickstart Your Project

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all