Package org.springframework.vault.config

Class EnvironmentVaultConfiguration

java.lang.Object

org.springframework.vault.config.AbstractVaultConfiguration

org.springframework.vault.config.EnvironmentVaultConfiguration

All Implemented Interfaces:

Aware, ApplicationContextAware

@Configuration
public class EnvironmentVaultConfiguration
extends AbstractVaultConfiguration
implements ApplicationContextAware

Configuration using Spring's Environment to configure Spring Vault endpoint, SSL options and authentication options. This configuration class uses predefined property keys and is usually imported as part of an existing Java-based configuration. Configuration is obtained from other, existing property sources.

Usage: Java-based configuration part:

     
 @Configuration
 @Import(EnvironmentVaultConfiguration.class)
 public class MyConfiguration {
 }
      

Supplied properties:

     
 vault.uri=https://localhost:8200
 vault.token=00000000-0000-0000-0000-000000000000
      

Property keys

Authentication-specific properties must be provided depending on the authentication method.

• Vault URI: vault.uri
• SSL Configuration
  • Keystore resource: vault.ssl.key-store (optional)
  • Keystore password: vault.ssl.key-store-password (optional)
  • Keystore type: vault.ssl.key-store-type (since 2.3, optional)
  • Truststore resource: vault.ssl.trust-store (optional)
  • Truststore password: vault.ssl.trust-store-password (optional)
  • Truststore type: vault.ssl.trust-store-password (since 2.3, optional)
  • Enabled SSL/TLS protocols: vault.ssl.enabled-protocols (since 2.3.2, optional, protocols separated with comma)
  • Enabled SSL/TLS cipher suites: vault.ssl.enabled-cipher-suites (since 2.3.2, optional, cipher suites separated with comma)
• Authentication method: vault.authentication (defaults to TOKEN, supported authentication methods are: TOKEN, APPID, APPROLE, AWS_EC2, AWS_IAM, AZURE, CERT, CUBBYHOLE, KUBERNETES, see EnvironmentVaultConfiguration.AuthenticationMethod)
• Token authentication
  • Vault Token: vault.token
• AppId authentication
  • AppId path: vault.app-id.app-id-path (since 2.2.1, defaults to AppIdAuthenticationOptions.DEFAULT_APPID_AUTHENTICATION_PATH)
  • AppId: vault.app-id.app-id
  • UserId: vault.app-id.user-id. MAC_ADDRESS and IP_ADDRESS use MacAddressUserId, respective IpAddressUserId. Any other value is used with StaticUserId.
• AppRole authentication
  • AppRole path: vault.app-role.app-role-path (since 2.2.1, defaults to AppRoleAuthenticationOptions.DEFAULT_APPROLE_AUTHENTICATION_PATH)
  • RoleId: vault.app-role.role-id
  • SecretId: vault.app-role.secret-id (optional)
• AWS EC2 authentication
  • AWS EC2 path: vault.aws-ec2.aws-ec2-path (since 2.2.1, defaults to AwsEc2AuthenticationOptions.DEFAULT_AWS_AUTHENTICATION_PATH)
  • Role: vault.aws-ec2.role (since 2.2.1)
  • RoleId: vault.aws-ec2.role-id (deprecated since 2.2.1: use vault.aws-ec2.role instead)
  • Identity Document URL: vault.aws-ec2.identity-document (defaults to AwsEc2AuthenticationOptions.DEFAULT_PKCS7_IDENTITY_DOCUMENT_URI)
• AWS IAM authentication
  • Role: vault.aws-iam.role (since 3.0.2)
• Azure MSI authentication
  • Azure MSI path: vault.azure-msi.azure-path (since 2.2.1, defaults to AzureMsiAuthenticationOptions.DEFAULT_AZURE_AUTHENTICATION_PATH)
  • Role: vault.azure-msi.role
  • MetadataServiceUri: vault.azure-msi.metadata-service (defaults to AzureMsiAuthenticationOptions.DEFAULT_INSTANCE_METADATA_SERVICE_URI)
  • IdentityTokenServiceUri: vault.azure-msi.identity-token-service (defaults to AzureMsiAuthenticationOptions.DEFAULT_IDENTITY_TOKEN_SERVICE_URI)
• Client Certificate authentication
  • (no configuration options)
• Cubbyhole authentication
  • Initial Vault Token: vault.token
• Kubernetes authentication
  • Kubernetes path: vault.kubernetes.kubernetes-path (since 2.2.1, defaults to KubernetesAuthenticationOptions.DEFAULT_KUBERNETES_AUTHENTICATION_PATH)
  • Role: vault.kubernetes.role
  • Path to service account token file: vault.kubernetes.service-account-token-file (defaults to KubernetesServiceAccountTokenFile.DEFAULT_KUBERNETES_SERVICE_ACCOUNT_TOKEN_FILE)

Author:

Mark Paluch, Michal Budzyn, Raoof Mohammed, Justin Bertrand, Ryan Gow, Nick Tan

See Also:

• Environment
• PropertySource
• VaultEndpoint
• AppIdAuthentication
• AppRoleAuthentication
• AwsEc2Authentication
• AwsIamAuthentication
• AzureMsiAuthentication
• ClientCertificateAuthentication
• CubbyholeAuthentication
• KubernetesAuthentication

Nested Class Summary

Nested classes/interfaces inherited from class org.springframework.vault.config.AbstractVaultConfiguration

AbstractVaultConfiguration.ClientFactoryWrapper, AbstractVaultConfiguration.TaskSchedulerWrapper

Constructor Summary

Constructors

Constructor	Description
EnvironmentVaultConfiguration()

Method Summary

Modifier and Type	Method	Description
protected ClientAuthentication	appIdAuthentication()
protected ClientAuthentication	appRoleAuthentication()
protected ClientAuthentication	awsEc2Authentication()
protected ClientAuthentication	awsIamAuthentication()
protected ClientAuthentication	azureMsiAuthentication()
ClientAuthentication	clientAuthentication()	Annotate with Bean in case you want to expose a ClientAuthentication instance to the ApplicationContext.
protected ClientAuthentication	cubbyholeAuthentication()
protected AppIdUserIdMechanism	getAppIdUserIdMechanism(String userId)
protected ClientAuthentication	kubeAuthentication()
RestOperations	restOperations()	Construct a RestOperations object configured for Vault session management and authentication usage.
void	setApplicationContext(ApplicationContext applicationContext)
SslConfiguration	sslConfiguration()
protected ClientAuthentication	tokenAuthentication()
VaultEndpoint	vaultEndpoint()

Methods inherited from class org.springframework.vault.config.AbstractVaultConfiguration

clientHttpRequestFactoryWrapper, clientOptions, getBeanFactory, getEnvironment, getRestTemplateFactory, getVaultThreadPoolTaskScheduler, restTemplateBuilder, restTemplateFactory, secretLeaseContainer, sessionManager, threadPoolTaskScheduler, vaultEndpointProvider, vaultTemplate

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

EnvironmentVaultConfiguration

public EnvironmentVaultConfiguration()

Method Details

restOperations

public RestOperations restOperations()

Description copied from class: AbstractVaultConfiguration

Construct a RestOperations object configured for Vault session management and authentication usage. Can be customized by providing a RestTemplateFactory bean.

Overrides:

restOperations in class AbstractVaultConfiguration

Returns:

the RestOperations to be used for Vault access.

See Also:

• AbstractVaultConfiguration.restTemplateFactory(ClientFactoryWrapper)

setApplicationContext

public void setApplicationContext(ApplicationContext applicationContext)
                           throws BeansException

Specified by:

setApplicationContext in interface ApplicationContextAware

Overrides:

setApplicationContext in class AbstractVaultConfiguration

Throws:

BeansException

vaultEndpoint

public VaultEndpoint vaultEndpoint()

Specified by:

vaultEndpoint in class AbstractVaultConfiguration

Returns:

Vault endpoint coordinates for HTTP/HTTPS communication, must not be null.

sslConfiguration

public SslConfiguration sslConfiguration()

Overrides:

sslConfiguration in class AbstractVaultConfiguration

Returns:

SSL configuration options. Defaults to SslConfiguration.unconfigured().

See Also:

• SslConfiguration
• SslConfiguration.unconfigured()

clientAuthentication

public ClientAuthentication clientAuthentication()

Description copied from class: AbstractVaultConfiguration

Annotate with Bean in case you want to expose a ClientAuthentication instance to the ApplicationContext.

Specified by:

clientAuthentication in class AbstractVaultConfiguration

Returns:

the ClientAuthentication to use. Must not be null.

tokenAuthentication

protected ClientAuthentication tokenAuthentication()

appIdAuthentication

protected ClientAuthentication appIdAuthentication()

appRoleAuthentication

protected ClientAuthentication appRoleAuthentication()

getAppIdUserIdMechanism

protected AppIdUserIdMechanism getAppIdUserIdMechanism(String userId)

awsEc2Authentication

protected ClientAuthentication awsEc2Authentication()

awsIamAuthentication

protected ClientAuthentication awsIamAuthentication()

azureMsiAuthentication

protected ClientAuthentication azureMsiAuthentication()

cubbyholeAuthentication

protected ClientAuthentication cubbyholeAuthentication()

kubeAuthentication

protected ClientAuthentication kubeAuthentication()