This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Cloud Vault 4.1.4! |
Common application properties
Various properties can be specified inside your application.properties
file, inside your application.yml
file, or as command line switches.
This appendix provides a list of common Spring Cloud Vault properties and references to the underlying classes that consume them.
Property contributions can come from additional jar files on your classpath, so you should not consider this an exhaustive list. Also, you can define your own properties. |
Name | Default | Description |
---|---|---|
spring.cloud.vault.app-id.app-id-path |
|
Mount path of the AppId authentication backend. |
spring.cloud.vault.app-id.network-interface |
Network interface hint for the "MAC_ADDRESS" UserId mechanism. |
|
spring.cloud.vault.app-id.user-id |
|
UserId mechanism. Can be either "MAC_ADDRESS", "IP_ADDRESS", a string or a class name. |
spring.cloud.vault.app-role.app-role-path |
|
Mount path of the AppRole authentication backend. |
spring.cloud.vault.app-role.role |
Name of the role, optional, used for pull-mode. |
|
spring.cloud.vault.app-role.role-id |
The RoleId. |
|
spring.cloud.vault.app-role.secret-id |
The SecretId. |
|
spring.cloud.vault.application-name |
|
Application name for AppId authentication. |
spring.cloud.vault.authentication |
|
|
spring.cloud.vault.aws-ec2.aws-ec2-path |
|
Mount path of the AWS-EC2 authentication backend. |
spring.cloud.vault.aws-ec2.identity-document |
|
URL of the AWS-EC2 PKCS7 identity document. |
spring.cloud.vault.aws-ec2.nonce |
Nonce used for AWS-EC2 authentication. An empty nonce defaults to nonce generation. |
|
spring.cloud.vault.aws-ec2.role |
Name of the role, optional. |
|
spring.cloud.vault.aws-iam.aws-path |
|
Mount path of the AWS authentication backend. |
spring.cloud.vault.aws-iam.endpoint-uri |
STS server URI. @since 2.2 |
|
spring.cloud.vault.aws-iam.region |
Name of the region, optional. Inferred by AWS defaults if not set. @since 4.0.1 |
|
spring.cloud.vault.aws-iam.role |
Name of the role, optional. Defaults to the friendly IAM name if not set. |
|
spring.cloud.vault.aws-iam.server-name |
Name of the server used to set {@code X-Vault-AWS-IAM-Server-ID} header in the headers of login requests. |
|
spring.cloud.vault.aws.access-key-property |
|
Target property for the obtained access key. |
spring.cloud.vault.aws.backend |
|
aws backend path. |
spring.cloud.vault.aws.credential-type |
|
aws credential type |
spring.cloud.vault.aws.enabled |
|
Enable aws backend usage. |
spring.cloud.vault.aws.role |
Role name for credentials. |
|
spring.cloud.vault.aws.role-arn |
Role arn for assumed_role in case we have multiple roles associated with the vault role. @since 3.0.2 |
|
spring.cloud.vault.aws.secret-key-property |
|
Target property for the obtained secret key. |
spring.cloud.vault.aws.session-token-key-property |
|
Target property for the obtained secret key. |
spring.cloud.vault.aws.ttl |
|
TTL for sts tokens. Defaults to whatever the vault Role may have for Max. Also limited to what AWS supports to be the max for STS. @since 3.0.2 |
spring.cloud.vault.azure-msi.azure-path |
|
Mount path of the Azure MSI authentication backend. |
spring.cloud.vault.azure-msi.identity-token-service |
Identity token service URI. @since 3.0 |
|
spring.cloud.vault.azure-msi.metadata-service |
Instance metadata service URI. @since 3.0 |
|
spring.cloud.vault.azure-msi.role |
Name of the role. |
|
spring.cloud.vault.cassandra.backend |
|
Cassandra backend path. |
spring.cloud.vault.cassandra.enabled |
|
Enable cassandra backend usage. |
spring.cloud.vault.cassandra.password-property |
|
Target property for the obtained password. |
spring.cloud.vault.cassandra.role |
Role name for credentials. |
|
spring.cloud.vault.cassandra.static-role |
|
Enable static role usage. @since 2.2 |
spring.cloud.vault.cassandra.username-property |
|
Target property for the obtained username. |
spring.cloud.vault.config.lifecycle.enabled |
|
Enable lifecycle management. |
spring.cloud.vault.config.lifecycle.expiry-threshold |
The expiry threshold. {@link Lease} is renewed the given {@link Duration} before it expires. @since 2.2 |
|
spring.cloud.vault.config.lifecycle.lease-endpoints |
Set the {@link LeaseEndpoints} to delegate renewal/revocation calls to. {@link LeaseEndpoints} encapsulates differences between Vault versions that affect the location of renewal/revocation endpoints. Can be {@link LeaseEndpoints#SysLeases} for version 0.8 or above of Vault or {@link LeaseEndpoints#Legacy} for older versions (the default). @since 2.2 |
|
spring.cloud.vault.config.lifecycle.lease-strategy |
Sets the {@link LeaseStrategy} to be used with {@link org.springframework.vault.core.lease.SecretLeaseContainer#setLeaseStrategy(LeaseStrategy)} to retain or drop tokens on renewal errors. @since 4.1 |
|
spring.cloud.vault.config.lifecycle.min-renewal |
The time period that is at least required before renewing a lease. @since 2.2 |
|
spring.cloud.vault.config.order |
|
Used to set a {@link org.springframework.core.env.PropertySource} priority. This is useful to use Vault as an override on other property sources. @see org.springframework.core.PriorityOrdered |
spring.cloud.vault.connection-timeout |
|
Connection timeout. |
spring.cloud.vault.consul.backend |
|
Consul backend path. |
spring.cloud.vault.consul.enabled |
|
Enable consul backend usage. |
spring.cloud.vault.consul.role |
Role name for credentials. |
|
spring.cloud.vault.consul.token-property |
|
Target property for the obtained token. |
spring.cloud.vault.couchbase.backend |
|
Couchbase backend path. |
spring.cloud.vault.couchbase.enabled |
|
Enable couchbase backend usage. |
spring.cloud.vault.couchbase.password-property |
|
Target property for the obtained password. |
spring.cloud.vault.couchbase.role |
Role name for credentials. |
|
spring.cloud.vault.couchbase.static-role |
|
Enable static role usage. |
spring.cloud.vault.couchbase.username-property |
|
Target property for the obtained username. |
spring.cloud.vault.database.backend |
|
Database backend path. |
spring.cloud.vault.database.enabled |
|
Enable database backend usage. |
spring.cloud.vault.database.password-property |
|
Target property for the obtained password. |
spring.cloud.vault.database.role |
Role name for credentials. |
|
spring.cloud.vault.database.static-role |
|
Enable static role usage. |
spring.cloud.vault.database.username-property |
|
Target property for the obtained username. |
spring.cloud.vault.databases |
||
spring.cloud.vault.discovery.enabled |
|
Flag to indicate that Vault server discovery is enabled (vault server URL will be looked up via discovery). |
spring.cloud.vault.discovery.service-id |
|
Service id to locate Vault. |
spring.cloud.vault.elasticsearch.backend |
|
Database backend path. |
spring.cloud.vault.elasticsearch.enabled |
|
Enable elasticsearch backend usage. |
spring.cloud.vault.elasticsearch.password-property |
|
Target property for the obtained password. |
spring.cloud.vault.elasticsearch.role |
Role name for credentials. |
|
spring.cloud.vault.elasticsearch.static-role |
|
Enable static role usage. |
spring.cloud.vault.elasticsearch.username-property |
|
Target property for the obtained username. |
spring.cloud.vault.enabled |
|
Enable Vault config server. |
spring.cloud.vault.fail-fast |
|
Fail fast if data cannot be obtained from Vault. |
spring.cloud.vault.gcp-gce.gcp-path |
|
Mount path of the Kubernetes authentication backend. |
spring.cloud.vault.gcp-gce.role |
Name of the role against which the login is being attempted. |
|
spring.cloud.vault.gcp-gce.service-account |
Optional service account id. Using the default id if left unconfigured. |
|
spring.cloud.vault.gcp-iam.credentials.encoded-key |
The base64 encoded contents of an OAuth2 account private key in JSON format. |
|
spring.cloud.vault.gcp-iam.credentials.location |
Location of the OAuth2 credentials private key. <p> Since this is a Resource, the private key can be in a multitude of locations, such as a local file system, classpath, URL, etc. |
|
spring.cloud.vault.gcp-iam.gcp-path |
|
Mount path of the Kubernetes authentication backend. |
spring.cloud.vault.gcp-iam.jwt-validity |
|
Validity of the JWT token. |
spring.cloud.vault.gcp-iam.project-id |
Overrides the GCP project Id. |
|
spring.cloud.vault.gcp-iam.role |
Name of the role against which the login is being attempted. |
|
spring.cloud.vault.gcp-iam.service-account-id |
Overrides the GCP service account Id. |
|
spring.cloud.vault.host |
|
Vault server host. |
spring.cloud.vault.kubernetes.kubernetes-path |
|
Mount path of the Kubernetes authentication backend. |
spring.cloud.vault.kubernetes.role |
Name of the role against which the login is being attempted. |
|
spring.cloud.vault.kubernetes.service-account-token-file |
|
Path to the service account token file. |
spring.cloud.vault.kv.application-name |
|
Application name to be used for the context. |
spring.cloud.vault.kv.backend |
|
Name of the default backend. |
spring.cloud.vault.kv.backend-version |
|
Key-Value backend version. Currently supported versions are: <ul> <li>Version 1 (unversioned key-value backend).</li> <li>Version 2 (versioned key-value backend).</li> </ul> |
spring.cloud.vault.kv.default-context |
|
Name of the default context. |
spring.cloud.vault.kv.enabled |
|
Enable the key-value backend. |
spring.cloud.vault.kv.profile-separator |
|
Profile-separator to combine application name and profile. |
spring.cloud.vault.kv.profiles |
List of active profiles. @since 3.0 |
|
spring.cloud.vault.mongodb.backend |
|
MongoDB backend path. |
spring.cloud.vault.mongodb.enabled |
|
Enable mongodb backend usage. |
spring.cloud.vault.mongodb.password-property |
|
Target property for the obtained password. |
spring.cloud.vault.mongodb.role |
Role name for credentials. |
|
spring.cloud.vault.mongodb.static-role |
|
Enable static role usage. @since 2.2 |
spring.cloud.vault.mongodb.username-property |
|
Target property for the obtained username. |
spring.cloud.vault.mysql.backend |
|
mysql backend path. |
spring.cloud.vault.mysql.enabled |
|
Enable mysql backend usage. |
spring.cloud.vault.mysql.password-property |
|
Target property for the obtained username. |
spring.cloud.vault.mysql.role |
Role name for credentials. |
|
spring.cloud.vault.mysql.username-property |
|
Target property for the obtained username. |
spring.cloud.vault.namespace |
Vault namespace (requires Vault Enterprise). |
|
spring.cloud.vault.pcf.instance-certificate |
Path to the instance certificate (PEM). Defaults to {@code CF_INSTANCE_CERT} env variable. |
|
spring.cloud.vault.pcf.instance-key |
Path to the instance key (PEM). Defaults to {@code CF_INSTANCE_KEY} env variable. |
|
spring.cloud.vault.pcf.pcf-path |
|
Mount path of the Kubernetes authentication backend. |
spring.cloud.vault.pcf.role |
Name of the role against which the login is being attempted. |
|
spring.cloud.vault.port |
|
Vault server port. |
spring.cloud.vault.postgresql.backend |
|
postgresql backend path. |
spring.cloud.vault.postgresql.enabled |
|
Enable postgresql backend usage. |
spring.cloud.vault.postgresql.password-property |
|
Target property for the obtained username. |
spring.cloud.vault.postgresql.role |
Role name for credentials. |
|
spring.cloud.vault.postgresql.username-property |
|
Target property for the obtained username. |
spring.cloud.vault.rabbitmq.backend |
|
rabbitmq backend path. |
spring.cloud.vault.rabbitmq.enabled |
|
Enable rabbitmq backend usage. |
spring.cloud.vault.rabbitmq.password-property |
|
Target property for the obtained password. |
spring.cloud.vault.rabbitmq.role |
Role name for credentials. |
|
spring.cloud.vault.rabbitmq.username-property |
|
Target property for the obtained username. |
spring.cloud.vault.reactive.enabled |
|
Flag to indicate that reactive discovery is enabled |
spring.cloud.vault.read-timeout |
|
Read timeout. |
spring.cloud.vault.scheme |
|
Protocol scheme. Can be either "http" or "https". |
spring.cloud.vault.session.lifecycle.enabled |
|
Enable session lifecycle management. |
spring.cloud.vault.session.lifecycle.expiry-threshold |
|
The expiry threshold for a {@link LoginToken}. The threshold represents a minimum TTL duration to consider a login token as valid. Tokens with a shorter TTL are considered expired and are not used anymore. Should be greater than {@code refreshBeforeExpiry} to prevent token expiry. |
spring.cloud.vault.session.lifecycle.refresh-before-expiry |
|
The time period that is at least required before renewing the {@link LoginToken}. |
spring.cloud.vault.ssl.cert-auth-path |
|
Mount path of the TLS cert authentication backend. |
spring.cloud.vault.ssl.enabled-cipher-suites |
List of enabled SSL/TLS cipher suites. @since 3.0.2 |
|
spring.cloud.vault.ssl.enabled-protocols |
List of enabled SSL/TLS protocol. @since 3.0.2 |
|
spring.cloud.vault.ssl.key-store |
Trust store that holds certificates and private keys. |
|
spring.cloud.vault.ssl.key-store-password |
Password used to access the key store. |
|
spring.cloud.vault.ssl.key-store-type |
Type of the key store. @since 3.0 |
|
spring.cloud.vault.ssl.trust-store |
Trust store that holds SSL certificates. |
|
spring.cloud.vault.ssl.trust-store-password |
Password used to access the trust store. |
|
spring.cloud.vault.ssl.trust-store-type |
Type of the trust store. @since 3.0 |
|
spring.cloud.vault.token |
Static vault token. Required if {@link #authentication} is {@code TOKEN}. |
|
spring.cloud.vault.uri |
Vault URI. Can be set with scheme, host and port. |