This guide walks you through the process of using Spring Cloud Vault to build an application that retrieves its configuration properties from HashiCorp Vault.
What you’ll build
You’ll start up Vault, store configuration properties inside Vault, build a Spring application and connect it with Vault.
What you’ll need
Install and launch HashiCorp Vault
With your project set up, you can install and launch HashiCorp Vault.
If you are using a Mac with homebrew, this is as simple as:
$ brew install vault
Alternatively, download Vault for your operating system from https://www.vaultproject.io/downloads.html:
$ https://releases.hashicorp.com/vault/1.12.2/vault_1.12.2_darwin_amd64.zip $ unzip vault_1.12.2_darwin_amd64.zip
For other systems with package management, such as Redhat, Ubuntu, Debian, CentOS, and Windows, see instructions at https://www.vaultproject.io/docs/install/index.html.
After you install Vault, launch it in a console window. This command also starts up a server process.
$ vault server --dev --dev-root-token-id="00000000-0000-0000-0000-000000000000"
You should see the following as one of the last output lines:
[INFO ] core: post-unseal setup complete
|
Note
|
The command above starts Vault in development mode using in-memory storage without transport encryption. This is fine for evaluating Vault locally. Make sure to use proper SSL certificates and a reliable storage backend for production use. Consult Vault’s Production Hardening guide for further details. |
Store configuration in Vault
Vault is a secrets management system allowing you to store sensitive data which is encrypted at rest. It’s ideal to store sensitive configuration details such as passwords, encryption keys, API keys.
Launch another console window to store application configuration in Vault using the Vault command line.
First, you need to set two environment variables to point the Vault CLI to the Vault endpoint and provide an authentication token.
$ export export VAULT_TOKEN="00000000-0000-0000-0000-000000000000" $ export VAULT_ADDR="http://127.0.0.1:8200"
Now you can store a configuration key-value pairs inside Vault:
$ vault kv put secret/gs-vault-config example.username=demouser example.password=demopassword $ vault kv put secret/gs-vault-config/cloud example.username=clouduser example.password=cloudpassword
Now you have written two entries in Vault secret/gs-vault-config and secret/gs-vault-config/cloud.
Define your configuration class
Create a simple configuration for your Spring application:
src/main/java/hello/MyConfiguration.java
link:complete/src/main/java/hello/MyConfiguration.java[]Configure your application
Here you configure your application with application.properties. The code below uses Spring Boot’s Config Data API which allows importing configuration from Vault.
src/main/resources/application.properties
link:complete/src/main/resources/application.properties[]Create an Application class
Here you create an Application class with all the components.
src/main/java/hello/Application.java
link:complete/src/main/java/hello/Application.java[]Spring Cloud Vault uses VaultOperations to interact with Vault. Properties from Vault get mapped to
MyConfiguration for type-safe access. @EnableConfigurationProperties(MyConfiguration.class) enables configuration property
mapping and registers a MyConfiguration bean.
Application includes a main() method that autowires an instance of MyConfiguration.
https://raw.githubusercontent.com/spring-guides/getting-started-macros/main/build_an_executable_jar_mainhead.adoc https://raw.githubusercontent.com/spring-guides/getting-started-macros/main/build_an_executable_jar_with_both.adoc
As our Application implements CommandLineRunner, the run method is invoked automatically when boot
starts. You should see something like this:
----------------------------------------
Configuration properties
example.username is demouser
example.password is demopassword
----------------------------------------
Now start your application with the cloud profile activated. You should see something like this:
----------------------------------------
Configuration properties
example.username is clouduser
example.password is cloudpassword
----------------------------------------
Configuration properties are bound according to the activated profiles. Spring Cloud Vault constructs a Vault context path
from spring.application.name which is gs-vault and appends the profile name (cloud) so enabling the cloud profile
will fetch additionally configuration properties from secret/gs-vault-config/cloud.
Summary
Congratulations! You set up a Vault server and wrote a simple application that uses Spring Vault to read secrets into configuration properties and encrypt data with a strong cipher — all without the headache of implementing key management, a cipher mode, and padding.