Interface VaultOperations

All Known Implementing Classes:
VaultTemplate

public interface VaultOperations
Central entrypoint for performing Vault operations on a reactive runtime.

Implemented by VaultTemplate, this interface exposes reactive APIs for interacting with Vault backends such as Key/Value, Transit and sys. It supports callback-style execution for both authenticated doWithSession and unauthenticated doWithVault access.

Paths used with this and other Template API interfaces are typically relative to the VaultEndpoint of the underlying VaultClient. If the client is configured without an endpoint, fully-qualified URIs can be used.

Note that operations apply authentication and other headers regardless of whether a relative or an absolute URI is used. Applications should sanitize paths so that authentication headers are not sent to unintended external endpoints.
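
One way to sanitize caller-supplied paths before handing them to methods such as read(String), shown as an added example that is not part of Spring Vault or its documentation. The class VaultPaths, the method requireRelative and the prefix secret/data/myapp/ are hypothetical, and the per-segment allowlist is a policy assumption that an application may need to widen.

```java
import java.util.List;
import java.util.regex.Pattern;

/** Hypothetical helper (not part of Spring Vault): validates caller-supplied Vault paths. */
public final class VaultPaths {

    // Allowlist for one path segment. It excludes ':', '%', '?', '#', '\' and whitespace,
    // so schemes, authorities, query strings and encoded characters cannot appear at all.
    private static final Pattern SEGMENT = Pattern.compile("[A-Za-z0-9._-]+");

    private VaultPaths() { }

    /** Returns path unchanged if it is a plain relative path below allowedPrefix; throws otherwise. */
    public static String requireRelative(String path, String allowedPrefix) {
        if (path == null || path.isEmpty() || !path.startsWith(allowedPrefix)) {
            throw new IllegalArgumentException("path outside allowed prefix");
        }
        // limit -1 keeps empty segments, so "a//b" and "a/b/" are rejected below
        for (String segment : path.split("/", -1)) {
            if (!SEGMENT.matcher(segment).matches() || segment.equals(".") || segment.equals("..")) {
                throw new IllegalArgumentException("illegal path segment");
            }
        }
        return path;
    }

    public static void main(String[] args) {
        String prefix = "secret/data/myapp/"; // assumed mount and application prefix
        // Constructed sample inputs: one legitimate path, then forms that must be rejected.
        List<String> samples = List.of(
                "secret/data/myapp/db",
                "https://external.example/v1/secret/data/myapp/db", // absolute URI
                "//external.example/secret/data/myapp/db",          // scheme-relative URI
                "secret/data/myapp/../../../sys/mounts",            // traversal out of the prefix
                "secret/data/myapp/%2e%2e/other",                   // percent-encoded traversal
                "secret/data/myapp/db?list=true");                  // query string
        for (String sample : samples) {
            try {
                // In an application: vaultOperations.read(requireRelative(sample, prefix));
                System.out.println("accepted: " + requireRelative(sample, prefix));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + sample + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only the first sample is accepted; every other form fails either the prefix check or the segment allowlist before any request is built.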

Author:
Mark Paluch, Lauren Voswinkel
  • Method Details

    • opsForKeyValue

      VaultKeyValueOperations opsForKeyValue(String path)
      Return VaultKeyValueOperations and determine the version by querying Vault. Paths used with this method must be relative to the given mount path.
      Parameters:
      path - the mount path, must not be empty or null.
      Returns:
      the operations interface to interact with the Vault Key/Value secrets engine.
      Since:
      4.1
    • opsForKeyValue

      Return VaultKeyValueOperations. Paths used with this method must be relative to the given mount path.
      Parameters:
      path - the mount path, must not be empty or null.
      apiVersion - API version to use, must not be null.
      Returns:
      the operations interface to interact with the Vault Key/Value secrets engine.
      Since:
      2.1
    • opsForVersionedKeyValue

      VaultVersionedKeyValueOperations opsForVersionedKeyValue(String path)
      Parameters:
      path - the mount path
      Returns:
      the operations interface to interact with the versioned Vault Key/Value (version 2) secrets engine.
      Since:
      2.1
    • opsForPki

      VaultPkiOperations opsForPki()
      Returns:
      the operations interface to interact with the Vault PKI secrets engine.
    • opsForPki

      VaultPkiOperations opsForPki(String path)
      Return VaultPkiOperations if the PKI secrets engine is mounted on a different path than pki.
      Parameters:
      path - the mount path
      Returns:
      the operations interface to interact with the Vault PKI secrets engine.
    • opsForSys

      VaultSysOperations opsForSys()
      Returns:
      the operations interface for administrative Vault access.
    • opsForToken

      VaultTokenOperations opsForToken()
      Returns:
      the operations interface to interact with Vault tokens.
    • opsForTransform

      VaultTransformOperations opsForTransform()
      Returns:
      the operations interface to interact with the Vault transform secrets engine.
      Since:
      2.3
    • opsForTransform

      VaultTransformOperations opsForTransform(String path)
      Return VaultTransformOperations if the transform secrets engine is mounted on a different path than transform.
      Parameters:
      path - the mount path
      Returns:
      the operations interface to interact with the Vault transform secrets engine.
      Since:
      2.3
    • opsForTransit

      VaultTransitOperations opsForTransit()
      Returns:
      the operations interface to interact with the Vault transit secrets engine.
    • opsForTransit

      VaultTransitOperations opsForTransit(String path)
      Return VaultTransitOperations if the transit secrets engine is mounted on a different path than transit.
      Parameters:
      path - the mount path
      Returns:
      the operations interface to interact with the Vault transit secrets engine.
    • opsForWrapping

      VaultWrappingOperations opsForWrapping()
      Returns:
      the operations interface to interact with the Vault system/wrapping endpoints.
      Since:
      2.1
    • read

      @Nullable VaultResponse read(String path)
      Read (GET) from a Vault path. Reading data using this method is suitable for API calls/secrets engines that do not require a request body.
      Parameters:
      path - must not be null.
      Returns:
      the data. May be null if the path does not exist.
    • readRequired

      default VaultResponse readRequired(String path) throws SecretNotFoundException
      Read (GET) from a Vault path. Reading data using this method is suitable for API calls/secrets engines that do not require a request body.
      Parameters:
      path - must not be null.
      Returns:
      the data.
      Throws:
      SecretNotFoundException - if the path does not exist.
      Since:
      4.0
    • read

      <T extends @Nullable Object> @Nullable VaultResponseSupport<T> read(String path, Class<T> responseType)
      Read (GET) from a secrets engine. Reading data using this method is suitable for secrets engines that do not require a request body.
      Parameters:
      path - must not be null.
      responseType - must not be null.
      Returns:
      the data. May be null if the path does not exist.
    • readRequired

      default <T> VaultResponseSupport<T> readRequired(String path, Class<T> responseType)
      Read (GET) from a secrets engine. Reading data using this method is suitable for secrets engines that do not require a request body.
      Parameters:
      path - must not be null.
      responseType - must not be null.
      Returns:
      the data.
      Throws:
      SecretNotFoundException - if the path does not exist.
      Since:
      4.0
    • list

      @Nullable List<String> list(String path)
      Enumerate keys from a Vault path.
      Parameters:
      path - must not be null.
      Returns:
      the data. May be null if the path does not exist.
    • write

      default @Nullable VaultResponse write(String path)
      Write (POST) to a Vault path.
      Parameters:
      path - must not be null.
      Returns:
      the response, may be null.
      Since:
      2.0
    • write

      @Nullable VaultResponse write(String path, @Nullable Object body)
      Write (POST) to a Vault path.
      Parameters:
      path - must not be null.
      body - the body, may be null if absent.
      Returns:
      the response, may be null.
    • invoke

      default VaultResponse invoke(String path, @Nullable Object body)
      Invoke an operation on a Vault path, typically a POST request along with an optional request body expecting a response.
      Parameters:
      path - must not be null.
      body - the body, may be null if absent.
      Returns:
      the response.
      Throws:
      IllegalStateException - if the operation returns without returning a response.
      Since:
      4.0
    • delete

      void delete(String path)
      Delete a path.
      Parameters:
      path - must not be null.
    • doWithVault

      <T extends @Nullable Object> T doWithVault(RestOperationsCallback<T> clientCallback) throws VaultException, RestClientException
      Executes a Vault RestOperationsCallback. Allows interaction with Vault using RestOperations without requiring a session.
      Parameters:
      clientCallback - the request.
      Returns:
      the RestOperationsCallback return value.
      Throws:
      VaultException - when an HttpStatusCodeException occurs.
      RestClientException - exceptions from RestOperations.
    • doWithSession

      <T extends @Nullable Object> T doWithSession(RestOperationsCallback<T> sessionCallback) throws VaultException, RestClientException
      Executes a Vault RestOperationsCallback. Allows interaction with Vault in an authenticated session. Operations without a session manager or ClientAuthentication do not attach a session token and behave like doWithVault(RestOperationsCallback).
      Parameters:
      sessionCallback - the request.
      Returns:
      the RestOperationsCallback return value.
      Throws:
      VaultException - when an HttpStatusCodeException occurs.
      RestClientException - exceptions from RestOperations.