This guide walks you through the process of using Spring Vault to build an application that loads secrets from HashiCorp Vault, a secrets management tool.
What you’ll build
You will load secrets stored in Vault and use the transit encryption backend.
What you’ll need
Install and launch HashiCorp Vault
With your project set up, you can install and launch HashiCorp Vault.
If you are using a Mac with homebrew, this is as simple as:
$ brew install vault
Alternatively, download Vault for your operating system from https://www.vaultproject.io/downloads.html:
$ https://releases.hashicorp.com/vault/1.12.2/vault_1.12.2_darwin_amd64.zip $ unzip vault_1.12.2_darwin_amd64.zip
For other systems with package management, such as Redhat, Ubuntu, Debian, CentOS, and Windows, see instructions at https://www.vaultproject.io/docs/install/index.html.
After you install Vault, launch it in a console window. This command also starts up a server process.
$ vault server --dev --dev-root-token-id="00000000-0000-0000-0000-000000000000"
You should see the following as one of the last output lines:
[INFO ] core: post-unseal setup complete
|
Note
|
The command above starts Vault in development mode using in-memory storage without transport encryption. This is fine for evaluating Vault locally. Make sure to use proper SSL certificates and a reliable storage backend for production use. Consult Vault’s Production Hardening guide for further details. |
Store secrets in Vault
Vault is a secrets management system allowing you to store sensitive data which is encrypted at rest. It’s ideal to store sensitive configuration details such as passwords, encryption keys, API keys.
Launch another console window to store application configuration in Vault using the Vault command line.
First, you need to set two environment variables to point the Vault CLI to the Vault endpoint and provide an authentication token.
$ export VAULT_TOKEN="00000000-0000-0000-0000-000000000000" $ export VAULT_ADDR="http://127.0.0.1:8200"
Now you can store a configuration key-value pairs inside Vault:
$ vault kv put secret/github github.oauth2.key=foobar
Configure your application
Here you configure your application with application.properties. Spring Cloud Vault is configured with the bootstrap context.
src/main/resources/application.properties
link:complete/src/main/resources/application.properties[]Create an Application class
Here you create an Application class with all the components.
src/main/java/hello/Application.java
link:complete/src/main/java/hello/Application.java[]Spring Cloud Vault uses VaultOperations to interact with Vault. Properties from Vault get mapped to
MyConfiguration for type-safe access. @EnableConfigurationProperties(MyConfiguration.class) enables configuration property
mapping and registers a MyConfiguration bean.
Application includes a main() method that autowires an instance of MyConfiguration.
https://raw.githubusercontent.com/spring-guides/getting-started-macros/main/build_an_executable_jar_mainhead.adoc https://raw.githubusercontent.com/spring-guides/getting-started-macros/main/build_an_executable_jar_with_both.adoc
As our Application implements CommandLineRunner, the run method is invoked automatically when boot
starts. You should see something like this:
Value of github.oauth2.key ------------------------------- foobar ------------------------------- Encrypted value ------------------------------- vault:v1:2wgVE2PXiR9o55xbyur5KHJl8IwyGDkDU4l1SZScUq6BuqZYgTopwvc4 ------------------------------- Decrypted value ------------------------------- Secure message -------------------------------
|
Note
|
Vault’s secret backend compares well to a document store that uses URIs to identify documents. Documents are JSON-based that allows convenient object mapping of Vault data. |
Summary
Congratulations! You set up a Vault server and wrote a simple application that uses Spring Vault to read secrets and encrypt data with a strong cipher — all without the headache of implementing key management, a cipher mode, and padding.