Secret Backends

Key-Value Backend

Spring Cloud Vault supports both Key-Value secret backends, the versioned (v2) and unversioned (v1). The key-value backend allows storage of arbitrary values as key-value store. A single context can store one or many key-value tuples. Contexts can be organized hierarchically. Spring Cloud Vault determines itself whether a secret is using versioning and maps the path to its appropriate URL. Spring Cloud Vault allows using the Application name, and a default context name (application) in combination with active profiles.

/secret/{application}/{profile}
/secret/{application}
/secret/{default-context}/{profile}
/secret/{default-context}

The application name is determined by the properties:

spring.cloud.vault.kv.application-name
spring.cloud.vault.application-name
spring.application.name

The profiles are determined by the properties:

spring.cloud.vault.kv.profiles
spring.profiles.active

Secrets can be obtained from other contexts within the key-value backend by adding their paths to the application name, separated by commas. For example, given the application name usefulapp,mysql1,projectx/aws, each of these folders will be used:

/secret/usefulapp
/secret/mysql1
/secret/projectx/aws

Spring Cloud Vault adds all active profiles to the list of possible context paths. No active profiles will skip accessing contexts with a profile name.

Properties are exposed like they are stored (i.e. without additional prefixes).

Spring Cloud Vault adds the data/ context between the mount path and the actual context path depending on whether the mount uses the versioned key-value backend.

spring.cloud.vault:
    kv:
        enabled: true
        backend: secret
        profile-separator: '/'
        default-context: application
        application-name: my-app
        profiles: local, cloud

enabled setting this value to false disables the secret backend config usage
backend sets the path of the secret mount to use
default-context sets the context name used by all applications
application-name overrides the application name for use in the key-value backend
profiles overrides the active profiles for use in the key-value backend
profile-separator separates the profile name from the context in property sources with profiles

The key-value secret backend can be operated in versioned (v2) and non-versioned (v1) modes.

Consul

Spring Cloud Vault can obtain credentials for HashiCorp Consul. The Consul integration requires the spring-cloud-vault-config-consul dependency.

pom.xml

<dependencies>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-vault-config-consul</artifactId>
        <version>4.1.3</version>
    </dependency>
</dependencies>

The integration can be enabled by setting spring.cloud.vault.consul.enabled=true (default false) and providing the role name with spring.cloud.vault.consul.role=….

The obtained token is stored in spring.cloud.consul.token so using Spring Cloud Consul can pick up the generated credentials without further configuration. You can configure the property name by setting spring.cloud.vault.consul.token-property.

spring.cloud.vault:
    consul:
        enabled: true
        role: readonly
        backend: consul
        token-property: spring.cloud.consul.token

enabled setting this value to true enables the Consul backend config usage
role sets the role name of the Consul role definition
backend sets the path of the Consul mount to use
token-property sets the property name in which the Consul ACL token is stored

RabbitMQ

Spring Cloud Vault can obtain credentials for RabbitMQ.

The RabbitMQ integration requires the spring-cloud-vault-config-rabbitmq dependency.

pom.xml

<dependencies>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-vault-config-rabbitmq</artifactId>
        <version>4.1.3</version>
    </dependency>
</dependencies>

The integration can be enabled by setting spring.cloud.vault.rabbitmq.enabled=true (default false) and providing the role name with spring.cloud.vault.rabbitmq.role=….

Username and password are stored in spring.rabbitmq.username and spring.rabbitmq.password so using Spring Boot will pick up the generated credentials without further configuration. You can configure the property names by setting spring.cloud.vault.rabbitmq.username-property and spring.cloud.vault.rabbitmq.password-property.

spring.cloud.vault:
    rabbitmq:
        enabled: true
        role: readonly
        backend: rabbitmq
        username-property: spring.rabbitmq.username
        password-property: spring.rabbitmq.password

enabled setting this value to true enables the RabbitMQ backend config usage
role sets the role name of the RabbitMQ role definition
backend sets the path of the RabbitMQ mount to use
username-property sets the property name in which the RabbitMQ username is stored
password-property sets the property name in which the RabbitMQ password is stored

AWS

Spring Cloud Vault can obtain credentials for AWS.

The AWS integration requires the spring-cloud-vault-config-aws dependency.

pom.xml

<dependencies>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-vault-config-aws</artifactId>
        <version>4.1.3</version>
    </dependency>
</dependencies>

The integration can be enabled by setting spring.cloud.vault.aws=true (default false) and providing the role name with spring.cloud.vault.aws.role=….

Supported AWS credential Types:

iam_user (Defaults)
assumed_role (STS)
federation_token (STS)

The access key and secret key are stored in cloud.aws.credentials.accessKey and cloud.aws.credentials.secretKey. So using Spring Cloud AWS will pick up the generated credentials without further configuration.

You can configure the property names by setting spring.cloud.vault.aws.access-key-property and spring.cloud.vault.aws.secret-key-property.

For STS security token, you can configure the property name by setting spring.cloud.vault.aws.session-token-key-property. The security token is stored under cloud.aws.credentials.sessionToken (defaults).

Example: iam_user

spring.cloud.vault:
    aws:
        enabled: true
        role: readonly
        backend: aws
        access-key-property: cloud.aws.credentials.accessKey
        secret-key-property: cloud.aws.credentials.secretKey

Example: assumed_role (STS)

spring.cloud.vault:
    aws:
        enabled: true
        role: sts-vault-role
        backend: aws
        credential-type: assumed_role
        access-key-property: cloud.aws.credentials.accessKey
        secret-key-property: cloud.aws.credentials.secretKey
        session-token-key-property: cloud.aws.credentials.sessionToken
        ttl: 3600s
        role-arn: arn:aws:iam::${AWS_ACCOUNT}:role/sts-app-role

enabled setting this value to true enables the AWS backend config usage
role sets the role name of the AWS role definition
backend sets the path of the AWS mount to use
access-key-property sets the property name in which the AWS access key is stored
secret-key-property sets the property name in which the AWS secret key is stored
session-token-key-property sets the property name in which the AWS STS security token is stored.
credential-type sets the aws credential type to use for this backend. Defaults to iam_user
ttl sets the ttl for the STS token when using assumed_role or federation_token. Defaults to the ttl specified by the vault role. Min/Max values are also limited to what AWS would support for STS.
role-arn sets the IAM role to assume if more than one are configured for the vault role when using assumed_role.

Database backends

Vault supports several database secret backends to generate database credentials dynamically based on configured roles. This means services that need to access a database no longer need to configure credentials: they can request them from Vault, and use Vault’s leasing mechanism to more easily roll keys.

Spring Cloud Vault integrates with these backends:

Database
Apache Cassandra
Couchbase Database
Elasticsearch
MongoDB
MySQL
PostgreSQL

Using a database secret backend requires to enable the backend in the configuration and the spring-cloud-vault-config-databases dependency.

Vault ships since 0.7.1 with a dedicated database secret backend that allows database integration via plugins. You can use that specific backend by using the generic database backend. Make sure to specify the appropriate backend path, e.g. spring.cloud.vault.mysql.role.backend=database.

pom.xml

<dependencies>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-vault-config-databases</artifactId>
        <version>4.1.3</version>
    </dependency>
</dependencies>

Enabling multiple JDBC-compliant databases will generate credentials and store them by default in the same property keys hence property names for JDBC secrets need to be configured separately.

Database

Spring Cloud Vault can obtain credentials for any database listed at www.vaultproject.io/api/secret/databases/index.html. The integration can be enabled by setting spring.cloud.vault.database.enabled=true (default false) and providing the role name with spring.cloud.vault.database.role=….

While the database backend is a generic one, spring.cloud.vault.database specifically targets JDBC databases. Username and password are available from spring.datasource.username and spring.datasource.password properties so using Spring Boot will pick up the generated credentials for your DataSource without further configuration. You can configure the property names by setting spring.cloud.vault.database.username-property and spring.cloud.vault.database.password-property.

spring.cloud.vault:
    database:
        enabled: true
        role: readonly
        backend: database
        username-property: spring.datasource.username
        password-property: spring.datasource.password

Multiple Databases

Sometimes, credentials for a single database isn’t sufficient because an application might connect to two or more databases of the same kind. Beginning with version 3.0.5, Spring Vault supports the configuration of multiple database secret backends under the spring.cloud.vault.databases.* namespace.

The configuration accepts multiple database backends to materialize credentials into the specified properties. Make sure to configure username-property and password-property appropriately.

spring.cloud.vault:
    databases:
        primary:
            enabled: true
            role: readwrite
            backend: database
            username-property: spring.primary-datasource.username
            password-property: spring.primary-datasource.password
        other-database:
            enabled: true
            role: readonly
            backend: database
            username-property: spring.secondary-datasource.username
            password-property: spring.secondary-datasource.password

<name> descriptive name of the database configuration.
<name>.enabled setting this value to true enables the Database backend config usage
<name>.role sets the role name of the Database role definition
<name>.backend sets the path of the Database mount to use
<name>.username-property sets the property name in which the Database username is stored. Make sure to use unique property names to avoid property shadowing.
<name>.password-property sets the property name in which the Database password is stored Make sure to use unique property names to avoid property shadowing.

Spring Cloud Vault does not support getting new credentials and configuring your DataSource with them when the maximum lease time has been reached. That is, if max_ttl of the Database role in Vault is set to 24h that means that 24 hours after your application has started it can no longer authenticate with the database.

Apache Cassandra

The cassandra backend has been deprecated in Vault 0.7.1 and it is recommended to use the database backend and mount it as cassandra.

Spring Cloud Vault can obtain credentials for Apache Cassandra. The integration can be enabled by setting spring.cloud.vault.cassandra.enabled=true (default false) and providing the role name with spring.cloud.vault.cassandra.role=….

Username and password are available from spring.data.cassandra.username and spring.data.cassandra.password properties so using Spring Boot will pick up the generated credentials without further configuration. You can configure the property names by setting spring.cloud.vault.cassandra.username-property and spring.cloud.vault.cassandra.password-property.

spring.cloud.vault:
    cassandra:
        enabled: true
        role: readonly
        backend: cassandra
        username-property: spring.data.cassandra.username
        password-property: spring.data.cassandra.password

enabled setting this value to true enables the Cassandra backend config usage
role sets the role name of the Cassandra role definition
backend sets the path of the Cassandra mount to use
username-property sets the property name in which the Cassandra username is stored
password-property sets the property name in which the Cassandra password is stored

Couchbase Database

Spring Cloud Vault can obtain credentials for Couchbase. The integration can be enabled by setting spring.cloud.vault.couchbase.enabled=true (default false) and providing the role name with spring.cloud.vault.couchbase.role=….

Username and password are available from spring.couchbase.username and spring.couchbase.password properties so using Spring Boot will pick up the generated credentials without further configuration. You can configure the property names by setting spring.cloud.vault.couchbase.username-property and spring.cloud.vault.couchbase.password-property.

spring.cloud.vault:
    couchbase:
        enabled: true
        role: readonly
        backend: database
        username-property: spring.couchbase.username
        password-property: spring.couchbase.password

enabled setting this value to true enables the Couchbase backend config usage
role sets the role name of the Couchbase role definition
backend sets the path of the Couchbase mount to use
username-property sets the property name in which the Couchbase username is stored
password-property sets the property name in which the Couchbase password is stored

Elasticsearch

Spring Cloud Vault can obtain since version 3.0 credentials for Elasticsearch. The integration can be enabled by setting spring.cloud.vault.elasticsearch.enabled=true (default false) and providing the role name with spring.cloud.vault.elasticsearch.role=….

Username and password are available from spring.elasticsearch.rest.username and spring.elasticsearch.rest.password properties so using Spring Boot will pick up the generated credentials without further configuration. You can configure the property names by setting spring.cloud.vault.elasticsearch.username-property and spring.cloud.vault.elasticsearch.password-property.

spring.cloud.vault:
    elasticsearch:
        enabled: true
        role: readonly
        backend: mongodb
        username-property: spring.elasticsearch.rest.username
        password-property: spring.elasticsearch.rest.password

enabled setting this value to true enables the Elasticsearch database backend config usage
role sets the role name of the Elasticsearch role definition
backend sets the path of the Elasticsearch mount to use
username-property sets the property name in which the Elasticsearch username is stored
password-property sets the property name in which the Elasticsearch password is stored

MongoDB

The mongodb backend has been deprecated in Vault 0.7.1 and it is recommended to use the database backend and mount it as mongodb.

Spring Cloud Vault can obtain credentials for MongoDB. The integration can be enabled by setting spring.cloud.vault.mongodb.enabled=true (default false) and providing the role name with spring.cloud.vault.mongodb.role=….

Username and password are stored in spring.data.mongodb.username and spring.data.mongodb.password so using Spring Boot will pick up the generated credentials without further configuration. You can configure the property names by setting spring.cloud.vault.mongodb.username-property and spring.cloud.vault.mongodb.password-property.

spring.cloud.vault:
    mongodb:
        enabled: true
        role: readonly
        backend: mongodb
        username-property: spring.data.mongodb.username
        password-property: spring.data.mongodb.password

enabled setting this value to true enables the MongodB backend config usage
role sets the role name of the MongoDB role definition
backend sets the path of the MongoDB mount to use
username-property sets the property name in which the MongoDB username is stored
password-property sets the property name in which the MongoDB password is stored

MySQL

The mysql backend has been deprecated in Vault 0.7.1 and it is recommended to use the database backend and mount it as mysql. Configuration for spring.cloud.vault.mysql will be removed in a future version.

Spring Cloud Vault can obtain credentials for MySQL. The integration can be enabled by setting spring.cloud.vault.mysql.enabled=true (default false) and providing the role name with spring.cloud.vault.mysql.role=….

Username and password are available from spring.datasource.username and spring.datasource.password properties so using Spring Boot will pick up the generated credentials without further configuration. You can configure the property names by setting spring.cloud.vault.mysql.username-property and spring.cloud.vault.mysql.password-property.

spring.cloud.vault:
    mysql:
        enabled: true
        role: readonly
        backend: mysql
        username-property: spring.datasource.username
        password-property: spring.datasource.password

enabled setting this value to true enables the MySQL backend config usage
role sets the role name of the MySQL role definition
backend sets the path of the MySQL mount to use
username-property sets the property name in which the MySQL username is stored
password-property sets the property name in which the MySQL password is stored

PostgreSQL

The postgresql backend has been deprecated in Vault 0.7.1 and it is recommended to use the database backend and mount it as postgresql. Configuration for spring.cloud.vault.postgresql will be removed in a future version.

Spring Cloud Vault can obtain credentials for PostgreSQL. The integration can be enabled by setting spring.cloud.vault.postgresql.enabled=true (default false) and providing the role name with spring.cloud.vault.postgresql.role=….

Username and password are available from spring.datasource.username and spring.datasource.password properties so using Spring Boot will pick up the generated credentials without further configuration. You can configure the property names by setting spring.cloud.vault.postgresql.username-property and spring.cloud.vault.postgresql.password-property.

spring.cloud.vault:
    postgresql:
        enabled: true
        role: readonly
        backend: postgresql
        username-property: spring.datasource.username
        password-property: spring.datasource.password

enabled setting this value to true enables the PostgreSQL backend config usage
role sets the role name of the PostgreSQL role definition
backend sets the path of the PostgreSQL mount to use
username-property sets the property name in which the PostgreSQL username is stored
password-property sets the property name in which the PostgreSQL password is stored

Customize which secret backends to expose as PropertySource

Spring Cloud Vault uses property-based configuration to create PropertySources for key-value and discovered secret backends.

Discovered backends provide VaultSecretBackendDescriptor beans to describe the configuration state to use secret backend as PropertySource. A SecretBackendMetadataFactory is required to create a SecretBackendMetadata object which contains path, name and property transformation configuration.

SecretBackendMetadata is used to back a particular PropertySource.

You can register a VaultConfigurer for customization. Default key-value and discovered backend registration is disabled if you provide a VaultConfigurer. You can however enable default registration with SecretBackendConfigurer.registerDefaultKeyValueSecretBackends() and SecretBackendConfigurer.registerDefaultDiscoveredSecretBackends().

public class CustomizationBean implements VaultConfigurer {

    @Override
    public void addSecretBackends(SecretBackendConfigurer configurer) {

        configurer.add("secret/my-application");

        configurer.registerDefaultKeyValueSecretBackends(false);
        configurer.registerDefaultDiscoveredSecretBackends(true);
    }
}

SpringApplication application = new SpringApplication(MyApplication.class);
application.addBootstrapper(VaultBootstrapper.fromConfigurer(new CustomizationBean()));

Custom Secret Backend Implementations

Spring Cloud Vault ships with secret backend support for the most common backend integrations. You can integrate with any kind of backend by providing an implementation that describes how to obtain data from the backend you want to use and how to surface data provided by that backend by providing a PropertyTransformer.

Adding a custom implementation for a backend requires implementation of two interfaces:

org.springframework.cloud.vault.config.VaultSecretBackendDescriptor
org.springframework.cloud.vault.config.SecretBackendMetadataFactory

VaultSecretBackendDescriptor is typically an object that holds configuration data, such as VaultDatabaseProperties. Spring Cloud Vault requires that your type is annotated with @ConfigurationProperties to materialize the class from the configuration.

SecretBackendMetadataFactory accepts VaultSecretBackendDescriptor to create the actual SecretBackendMetadata object which holds the context path within your Vault server, any path variables required to resolve parametrized context paths and PropertyTransformer.

Both, VaultSecretBackendDescriptor and SecretBackendMetadataFactory types must be registered in spring.factories which is an extension mechanism provided by Spring, similar to Java’s ServiceLoader.