This guide walks you through the process of using Spring Cloud Vault to build an application that retrieves its configuration properties from HashiCorp Vault.
You’ll start up Vault, store configuration properties inside Vault, build a Spring application and connect it with Vault.
With your project set up, you can install and launch HashiCorp Vault.
If you are using a Mac with homebrew, this is as simple as:
$ brew install vault
Alternatively, download Vault for your operating system from https://www.vaultproject.io/downloads.html:
$ https://releases.hashicorp.com/vault/1.12.2/vault_1.12.2_darwin_amd64.zip $ unzip vault_1.12.2_darwin_amd64.zip
For other systems with package management, such as Redhat, Ubuntu, Debian, CentOS, and Windows, see instructions at https://www.vaultproject.io/docs/install/index.html.
After you install Vault, launch it in a console window. This command also starts up a server process.
$ vault server --dev --dev-root-token-id="00000000-0000-0000-0000-000000000000"
You should see the following as one of the last output lines:
[INFO ] core: post-unseal setup complete
Note
|
The command above starts Vault in development mode using in-memory storage without transport encryption. This is fine for evaluating Vault locally. Make sure to use proper SSL certificates and a reliable storage backend for production use. Consult Vault’s Production Hardening guide for further details. |
Vault is a secrets management system allowing you to store sensitive data which is encrypted at rest. It’s ideal to store sensitive configuration details such as passwords, encryption keys, API keys.
Launch another console window to store application configuration in Vault using the Vault command line.
First, you need to set two environment variables to point the Vault CLI to the Vault endpoint and provide an authentication token.
$ export VAULT_TOKEN="00000000-0000-0000-0000-000000000000" $ export VAULT_ADDR="http://127.0.0.1:8200"
Now you can store a configuration key-value pairs inside Vault:
$ vault kv put secret/gs-vault-config example.username=demouser example.password=demopassword $ vault kv put secret/gs-vault-config/cloud example.username=clouduser example.password=cloudpassword
Now you have written two entries in Vault secret/gs-vault-config
and secret/gs-vault-config/cloud
.
Create a simple configuration for your Spring application:
src/main/java/hello/MyConfiguration.java
link:complete/src/main/java/hello/MyConfiguration.java[role=include]
Here you configure your application with application.properties
. The code below uses Spring Boot’s Config Data API which allows importing configuration from Vault.
src/main/resources/application.properties
link:complete/src/main/resources/application.properties[role=include]
Here you create an Application class with all the components.
src/main/java/hello/Application.java
link:complete/src/main/java/hello/Application.java[role=include]
Spring Cloud Vault uses VaultOperations
to interact with Vault. Properties from Vault get mapped to
MyConfiguration
for type-safe access. @EnableConfigurationProperties(MyConfiguration.class)
enables configuration property
mapping and registers a MyConfiguration
bean.
Application
includes a main()
method that autowires an instance of MyConfiguration
.
https://raw.githubusercontent.com/spring-guides/getting-started-macros/main/build_an_executable_jar_mainhead.adoc https://raw.githubusercontent.com/spring-guides/getting-started-macros/main/build_an_executable_jar_with_both.adoc
As our Application
implements CommandLineRunner
, the run
method is invoked automatically when boot
starts. You should see something like this:
---------------------------------------- Configuration properties example.username is demouser example.password is demopassword ----------------------------------------
Now start your application with the cloud
profile activated. You should see something like this:
---------------------------------------- Configuration properties example.username is clouduser example.password is cloudpassword ----------------------------------------
Configuration properties are bound according to the activated profiles. Spring Cloud Vault constructs a Vault context path
from spring.application.name
which is gs-vault
and appends the profile name (cloud
) so enabling the cloud
profile
will fetch additionally configuration properties from secret/gs-vault-config/cloud
.
Congratulations! You set up a Vault server and wrote a simple application that uses Spring Vault to read secrets into configuration properties and encrypt data with a strong cipher — all without the headache of implementing key management, a cipher mode, and padding.