|
This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Cloud Vault 4.1.3! |
Common application properties
Various properties can be specified inside your application.properties file, inside your application.yml file, or as command line switches.
This appendix provides a list of common Spring Cloud Vault properties and references to the underlying classes that consume them.
| Property contributions can come from additional jar files on your classpath, so you should not consider this an exhaustive list. Also, you can define your own properties. |
| Name | Default | Description |
|---|---|---|
spring.cloud.vault.app-id.app-id-path |
|
Mount path of the AppId authentication backend. |
spring.cloud.vault.app-id.network-interface |
Network interface hint for the "MAC_ADDRESS" UserId mechanism. |
|
spring.cloud.vault.app-id.user-id |
|
UserId mechanism. Can be either "MAC_ADDRESS", "IP_ADDRESS", a string or a class name. |
spring.cloud.vault.app-role.app-role-path |
|
Mount path of the AppRole authentication backend. |
spring.cloud.vault.app-role.role |
Name of the role, optional, used for pull-mode. |
|
spring.cloud.vault.app-role.role-id |
The RoleId. |
|
spring.cloud.vault.app-role.secret-id |
The SecretId. |
|
spring.cloud.vault.application-name |
|
Application name for AppId authentication. |
spring.cloud.vault.authentication |
|
|
spring.cloud.vault.aws-ec2.aws-ec2-path |
|
Mount path of the AWS-EC2 authentication backend. |
spring.cloud.vault.aws-ec2.identity-document |
|
URL of the AWS-EC2 PKCS7 identity document. |
spring.cloud.vault.aws-ec2.nonce |
Nonce used for AWS-EC2 authentication. An empty nonce defaults to nonce generation. |
|
spring.cloud.vault.aws-ec2.role |
Name of the role, optional. |
|
spring.cloud.vault.aws-iam.aws-path |
|
Mount path of the AWS authentication backend. |
spring.cloud.vault.aws-iam.endpoint-uri |
STS server URI. @since 2.2 |
|
spring.cloud.vault.aws-iam.region |
Name of the region, optional. Inferred by AWS defaults if not set. @since 4.0.1 |
|
spring.cloud.vault.aws-iam.role |
Name of the role, optional. Defaults to the friendly IAM name if not set. |
|
spring.cloud.vault.aws-iam.server-name |
Name of the server used to set {@code X-Vault-AWS-IAM-Server-ID} header in the headers of login requests. |
|
spring.cloud.vault.aws.access-key-property |
|
Target property for the obtained access key. |
spring.cloud.vault.aws.backend |
|
aws backend path. |
spring.cloud.vault.aws.credential-type |
|
aws credential type |
spring.cloud.vault.aws.enabled |
|
Enable aws backend usage. |
spring.cloud.vault.aws.role |
Role name for credentials. |
|
spring.cloud.vault.aws.role-arn |
Role arn for assumed_role in case we have multiple roles associated with the vault role. @since 3.0.2 |
|
spring.cloud.vault.aws.secret-key-property |
|
Target property for the obtained secret key. |
spring.cloud.vault.aws.session-token-key-property |
|
Target property for the obtained secret key. |
spring.cloud.vault.aws.ttl |
|
TTL for sts tokens. Defaults to whatever the vault Role may have for Max. Also limited to what AWS supports to be the max for STS. @since 3.0.2 |
spring.cloud.vault.azure-msi.azure-path |
|
Mount path of the Azure MSI authentication backend. |
spring.cloud.vault.azure-msi.identity-token-service |
Identity token service URI. @since 3.0 |
|
spring.cloud.vault.azure-msi.metadata-service |
Instance metadata service URI. @since 3.0 |
|
spring.cloud.vault.azure-msi.role |
Name of the role. |
|
spring.cloud.vault.cassandra.backend |
|
Cassandra backend path. |
spring.cloud.vault.cassandra.enabled |
|
Enable cassandra backend usage. |
spring.cloud.vault.cassandra.password-property |
|
Target property for the obtained password. |
spring.cloud.vault.cassandra.role |
Role name for credentials. |
|
spring.cloud.vault.cassandra.static-role |
|
Enable static role usage. @since 2.2 |
spring.cloud.vault.cassandra.username-property |
|
Target property for the obtained username. |
spring.cloud.vault.config.lifecycle.enabled |
|
Enable lifecycle management. |
spring.cloud.vault.config.lifecycle.expiry-threshold |
The expiry threshold. {@link Lease} is renewed the given {@link Duration} before it expires. @since 2.2 |
|
spring.cloud.vault.config.lifecycle.lease-endpoints |
Set the {@link LeaseEndpoints} to delegate renewal/revocation calls to. {@link LeaseEndpoints} encapsulates differences between Vault versions that affect the location of renewal/revocation endpoints. Can be {@link LeaseEndpoints#SysLeases} for version 0.8 or above of Vault or {@link LeaseEndpoints#Legacy} for older versions (the default). @since 2.2 |
|
spring.cloud.vault.config.lifecycle.lease-strategy |
Sets the {@link LeaseStrategy} to be used with {@link org.springframework.vault.core.lease.SecretLeaseContainer#setLeaseStrategy(LeaseStrategy)} to retain or drop tokens on renewal errors. @since 4.1 |
|
spring.cloud.vault.config.lifecycle.min-renewal |
The time period that is at least required before renewing a lease. @since 2.2 |
|
spring.cloud.vault.config.order |
|
Used to set a {@link org.springframework.core.env.PropertySource} priority. This is useful to use Vault as an override on other property sources. @see org.springframework.core.PriorityOrdered |
spring.cloud.vault.connection-timeout |
|
Connection timeout. |
spring.cloud.vault.consul.backend |
|
Consul backend path. |
spring.cloud.vault.consul.enabled |
|
Enable consul backend usage. |
spring.cloud.vault.consul.role |
Role name for credentials. |
|
spring.cloud.vault.consul.token-property |
|
Target property for the obtained token. |
spring.cloud.vault.couchbase.backend |
|
Couchbase backend path. |
spring.cloud.vault.couchbase.enabled |
|
Enable couchbase backend usage. |
spring.cloud.vault.couchbase.password-property |
|
Target property for the obtained password. |
spring.cloud.vault.couchbase.role |
Role name for credentials. |
|
spring.cloud.vault.couchbase.static-role |
|
Enable static role usage. |
spring.cloud.vault.couchbase.username-property |
|
Target property for the obtained username. |
spring.cloud.vault.database.backend |
|
Database backend path. |
spring.cloud.vault.database.enabled |
|
Enable database backend usage. |
spring.cloud.vault.database.password-property |
|
Target property for the obtained password. |
spring.cloud.vault.database.role |
Role name for credentials. |
|
spring.cloud.vault.database.static-role |
|
Enable static role usage. |
spring.cloud.vault.database.username-property |
|
Target property for the obtained username. |
spring.cloud.vault.databases |
||
spring.cloud.vault.discovery.enabled |
|
Flag to indicate that Vault server discovery is enabled (vault server URL will be looked up via discovery). |
spring.cloud.vault.discovery.service-id |
|
Service id to locate Vault. |
spring.cloud.vault.elasticsearch.backend |
|
Database backend path. |
spring.cloud.vault.elasticsearch.enabled |
|
Enable elasticsearch backend usage. |
spring.cloud.vault.elasticsearch.password-property |
|
Target property for the obtained password. |
spring.cloud.vault.elasticsearch.role |
Role name for credentials. |
|
spring.cloud.vault.elasticsearch.static-role |
|
Enable static role usage. |
spring.cloud.vault.elasticsearch.username-property |
|
Target property for the obtained username. |
spring.cloud.vault.enabled |
|
Enable Vault config server. |
spring.cloud.vault.fail-fast |
|
Fail fast if data cannot be obtained from Vault. |
spring.cloud.vault.gcp-gce.gcp-path |
|
Mount path of the Kubernetes authentication backend. |
spring.cloud.vault.gcp-gce.role |
Name of the role against which the login is being attempted. |
|
spring.cloud.vault.gcp-gce.service-account |
Optional service account id. Using the default id if left unconfigured. |
|
spring.cloud.vault.gcp-iam.credentials.encoded-key |
The base64 encoded contents of an OAuth2 account private key in JSON format. |
|
spring.cloud.vault.gcp-iam.credentials.location |
Location of the OAuth2 credentials private key. <p> Since this is a Resource, the private key can be in a multitude of locations, such as a local file system, classpath, URL, etc. |
|
spring.cloud.vault.gcp-iam.gcp-path |
|
Mount path of the Kubernetes authentication backend. |
spring.cloud.vault.gcp-iam.jwt-validity |
|
Validity of the JWT token. |
spring.cloud.vault.gcp-iam.project-id |
Overrides the GCP project Id. |
|
spring.cloud.vault.gcp-iam.role |
Name of the role against which the login is being attempted. |
|
spring.cloud.vault.gcp-iam.service-account-id |
Overrides the GCP service account Id. |
|
spring.cloud.vault.host |
|
Vault server host. |
spring.cloud.vault.kubernetes.kubernetes-path |
|
Mount path of the Kubernetes authentication backend. |
spring.cloud.vault.kubernetes.role |
Name of the role against which the login is being attempted. |
|
spring.cloud.vault.kubernetes.service-account-token-file |
|
Path to the service account token file. |
spring.cloud.vault.kv.application-name |
|
Application name to be used for the context. |
spring.cloud.vault.kv.backend |
|
Name of the default backend. |
spring.cloud.vault.kv.backend-version |
|
Key-Value backend version. Currently supported versions are: <ul> <li>Version 1 (unversioned key-value backend).</li> <li>Version 2 (versioned key-value backend).</li> </ul> |
spring.cloud.vault.kv.default-context |
|
Name of the default context. |
spring.cloud.vault.kv.enabled |
|
Enable the key-value backend. |
spring.cloud.vault.kv.profile-separator |
|
Profile-separator to combine application name and profile. |
spring.cloud.vault.kv.profiles |
List of active profiles. @since 3.0 |
|
spring.cloud.vault.mongodb.backend |
|
MongoDB backend path. |
spring.cloud.vault.mongodb.enabled |
|
Enable mongodb backend usage. |
spring.cloud.vault.mongodb.password-property |
|
Target property for the obtained password. |
spring.cloud.vault.mongodb.role |
Role name for credentials. |
|
spring.cloud.vault.mongodb.static-role |
|
Enable static role usage. @since 2.2 |
spring.cloud.vault.mongodb.username-property |
|
Target property for the obtained username. |
spring.cloud.vault.mysql.backend |
|
mysql backend path. |
spring.cloud.vault.mysql.enabled |
|
Enable mysql backend usage. |
spring.cloud.vault.mysql.password-property |
|
Target property for the obtained username. |
spring.cloud.vault.mysql.role |
Role name for credentials. |
|
spring.cloud.vault.mysql.username-property |
|
Target property for the obtained username. |
spring.cloud.vault.namespace |
Vault namespace (requires Vault Enterprise). |
|
spring.cloud.vault.pcf.instance-certificate |
Path to the instance certificate (PEM). Defaults to {@code CF_INSTANCE_CERT} env variable. |
|
spring.cloud.vault.pcf.instance-key |
Path to the instance key (PEM). Defaults to {@code CF_INSTANCE_KEY} env variable. |
|
spring.cloud.vault.pcf.pcf-path |
|
Mount path of the Kubernetes authentication backend. |
spring.cloud.vault.pcf.role |
Name of the role against which the login is being attempted. |
|
spring.cloud.vault.port |
|
Vault server port. |
spring.cloud.vault.postgresql.backend |
|
postgresql backend path. |
spring.cloud.vault.postgresql.enabled |
|
Enable postgresql backend usage. |
spring.cloud.vault.postgresql.password-property |
|
Target property for the obtained username. |
spring.cloud.vault.postgresql.role |
Role name for credentials. |
|
spring.cloud.vault.postgresql.username-property |
|
Target property for the obtained username. |
spring.cloud.vault.rabbitmq.backend |
|
rabbitmq backend path. |
spring.cloud.vault.rabbitmq.enabled |
|
Enable rabbitmq backend usage. |
spring.cloud.vault.rabbitmq.password-property |
|
Target property for the obtained password. |
spring.cloud.vault.rabbitmq.role |
Role name for credentials. |
|
spring.cloud.vault.rabbitmq.username-property |
|
Target property for the obtained username. |
spring.cloud.vault.reactive.enabled |
|
Flag to indicate that reactive discovery is enabled |
spring.cloud.vault.read-timeout |
|
Read timeout. |
spring.cloud.vault.scheme |
|
Protocol scheme. Can be either "http" or "https". |
spring.cloud.vault.session.lifecycle.enabled |
|
Enable session lifecycle management. |
spring.cloud.vault.session.lifecycle.expiry-threshold |
|
The expiry threshold for a {@link LoginToken}. The threshold represents a minimum TTL duration to consider a login token as valid. Tokens with a shorter TTL are considered expired and are not used anymore. Should be greater than {@code refreshBeforeExpiry} to prevent token expiry. |
spring.cloud.vault.session.lifecycle.refresh-before-expiry |
|
The time period that is at least required before renewing the {@link LoginToken}. |
spring.cloud.vault.ssl.cert-auth-path |
|
Mount path of the TLS cert authentication backend. |
spring.cloud.vault.ssl.enabled-cipher-suites |
List of enabled SSL/TLS cipher suites. @since 3.0.2 |
|
spring.cloud.vault.ssl.enabled-protocols |
List of enabled SSL/TLS protocol. @since 3.0.2 |
|
spring.cloud.vault.ssl.key-store |
Trust store that holds certificates and private keys. |
|
spring.cloud.vault.ssl.key-store-password |
Password used to access the key store. |
|
spring.cloud.vault.ssl.key-store-type |
Type of the key store. @since 3.0 |
|
spring.cloud.vault.ssl.trust-store |
Trust store that holds SSL certificates. |
|
spring.cloud.vault.ssl.trust-store-password |
Password used to access the trust store. |
|
spring.cloud.vault.ssl.trust-store-type |
Type of the trust store. @since 3.0 |
|
spring.cloud.vault.token |
Static vault token. Required if {@link #authentication} is {@code TOKEN}. |
|
spring.cloud.vault.uri |
Vault URI. Can be set with scheme, host and port. |
