Package org.springframework.vault.core
Class VaultTemplate
java.lang.Object
org.springframework.vault.core.VaultTemplate
- All Implemented Interfaces:
DisposableBean, InitializingBean, VaultOperations
public class VaultTemplate
extends Object
implements InitializingBean, VaultOperations, DisposableBean
This class encapsulates the main Vault interaction.
VaultTemplate will
log into Vault on initialization and use the token throughout the whole
lifetime. This is the main entry point to interact with Vault in an
authenticated and unauthenticated context.
VaultTemplate allows execution of callback methods. Callbacks can
execute requests within a session context and without
a session.
Paths used in this interface (and interfaces accessible from here) are
considered relative to the VaultEndpoint. Paths that are
fully-qualified URIs can be used to access Vault cluster members in an
authenticated context. To prevent unwanted full URI access, make sure to
sanitize paths before passing them to this interface.
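One way to do the path sanitizing described above before a value reaches methods such as read or write. This is an added example, not code from Spring Vault; the class name VaultPathGuard, the method requireRelative and the allowed mount prefixes are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;

// Added example: VaultPathGuard is a hypothetical helper, not part of Spring Vault.
public final class VaultPathGuard {
    // Assumption: the application only ever needs these mounts.
    private static final List<String> ALLOWED_PREFIXES = List.of("secret/", "transit/");

    /** Returns the path unchanged if it is a safe relative Vault path, otherwise throws. */
    public static String requireRelative(String path) {
        if (path == null || path.isBlank()) {
            throw new IllegalArgumentException("Vault path must not be empty");
        }
        // Whitespace, control characters and backslashes are never part of a Vault path.
        if (path.chars().anyMatch(c -> c <= 0x20 || c == 0x7f || c == '\\')) {
            throw new IllegalArgumentException("Illegal character in Vault path");
        }
        URI uri;
        try {
            uri = new URI(path);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("Vault path is not a valid URI reference", e);
        }
        // A scheme ("https://host/...") or an authority ("//host/...") makes the value a
        // fully-qualified URI, which would then be requested in the authenticated context.
        if (uri.isAbsolute() || uri.getRawAuthority() != null || path.startsWith("/")) {
            throw new IllegalArgumentException("Vault path must be relative to the endpoint");
        }
        // Reject dot segments (also when percent-encoded) instead of normalizing them.
        for (String segment : uri.getRawPath().split("/", -1)) {
            String s = segment.toLowerCase(Locale.ROOT).replace("%2e", ".");
            if (s.equals(".") || s.equals("..")) {
                throw new IllegalArgumentException("Dot segments are not allowed");
            }
        }
        if (ALLOWED_PREFIXES.stream().noneMatch(path::startsWith)) {
            throw new IllegalArgumentException("Vault path is outside the allowed mounts");
        }
        return path;
    }

    public static void main(String[] args) {
        // Constructed inputs: one legitimate path and three that must be refused.
        for (String p : List.of("secret/data/app/db", "https://vault-2.example:8200/v1/secret/data/app",
                "//vault-2.example/v1/sys/health", "secret/../sys/mounts")) {
            try {
                System.out.println("accepted " + requireRelative(p));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + p + ": " + e.getMessage());
            }
        }
    }
}
```

Call the guard on any path that is built from request parameters, configuration or other external input, and pass only its return value to VaultTemplate.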
- Author:
- Mark Paluch
- See Also:
-
Constructor Summary
Constructors
Constructor: Description
- VaultTemplate(RestClientBuilder restClientBuilder): Create a new VaultTemplate through a RestClientBuilder.
- VaultTemplate(RestClientBuilder restClientBuilder, SessionManager sessionManager)
- VaultTemplate(RestTemplateBuilder restTemplateBuilder): Deprecated.
- VaultTemplate(RestTemplateBuilder restTemplateBuilder, SessionManager sessionManager): Deprecated. since 4.1 in favor of a revised VaultClient-based constructor.
- VaultTemplate(VaultClient client): Create a new VaultTemplate with a VaultClient.
- VaultTemplate(VaultClient client, ClientAuthentication clientAuthentication)
- VaultTemplate(VaultClient client, SessionManager sessionManager)
- VaultTemplate(VaultEndpoint vaultEndpoint): Create a new VaultTemplate with a VaultEndpoint.
- VaultTemplate(VaultEndpointProvider endpointProvider, ClientHttpRequestFactory requestFactory): Deprecated. since 4.1 in favor of a revised VaultClient-based constructor.
- VaultTemplate(VaultEndpointProvider endpointProvider, ClientHttpRequestFactory requestFactory, SessionManager sessionManager): Deprecated. since 4.1 in favor of a revised VaultClient-based constructor.
- VaultTemplate(VaultEndpoint vaultEndpoint, ClientHttpRequestFactory clientHttpRequestFactory): Deprecated. since 4.1 in favor of a revised VaultClient-based constructor.
- VaultTemplate(VaultEndpoint vaultEndpoint, ClientHttpRequestFactory clientHttpRequestFactory, SessionManager sessionManager): Deprecated. since 4.1 in favor of a revised VaultClient-based constructor.
- VaultTemplate(VaultEndpoint vaultEndpoint, ClientAuthentication clientAuthentication)
-
Method Summary
Modifier and Type, Method: Description
- void
- void: Delete a path.
- void destroy()
- protected RestClient doCreateRestClient(VaultEndpointProvider endpointProvider, ClientHttpRequestFactory requestFactory): Deprecated. since 4.1, use VaultClient with the appropriate constructor instead.
- protected RestTemplate doCreateRestTemplate(VaultEndpointProvider endpointProvider, ClientHttpRequestFactory requestFactory): Deprecated. since 4.1, use VaultClient with the appropriate constructor instead.
- protected RestClient doCreateSessionClient(VaultEndpointProvider endpointProvider, ClientHttpRequestFactory requestFactory): Deprecated. since 4.1, use VaultClient with the appropriate constructor instead.
- protected RestTemplate doCreateSessionTemplate(VaultEndpointProvider endpointProvider, ClientHttpRequestFactory requestFactory): Deprecated. since 4.1, use VaultClient with the appropriate constructor instead.
- <T extends @Nullable Object> T doWithSession(RestOperationsCallback<T> sessionCallback): Executes a Vault RestOperationsCallback.
- <T extends @Nullable Object> T doWithVault(RestOperationsCallback<T> clientCallback): Executes a Vault RestOperationsCallback.
- Enumerate keys from a Vault path.
- opsForKeyValue(String path): Return VaultKeyValueOperations and determine the version by querying Vault.
- opsForKeyValue(String path, VaultKeyValueOperationsSupport.KeyValueBackend apiVersion): Return VaultKeyValueOperations.
- Return VaultPkiOperations if the PKI secrets engine is mounted on a different path than pki.
- opsForTransform(String path): Return VaultTransformOperations if the transit secrets engine is mounted on a different path than transform.
- opsForTransit(String path): Return VaultTransitOperations if the transit secrets engine is mounted on a different path than transit.
- Return VaultVersionedKeyValueOperations.
- @Nullable VaultResponse: Read (GET) from a Vault path.
- <T> @Nullable VaultResponseSupport<T>: Read (GET) from a secrets engine.
- void setSessionManager(SessionManager sessionManager): Set the SessionManager.
- @Nullable VaultResponse: Write (POST) to a Vault path.
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface org.springframework.vault.core.VaultOperations
invoke, readRequired, readRequired, write
-
Constructor Details
-
VaultTemplate
Create a new VaultTemplate with a VaultEndpoint. This constructor does not use a ClientAuthentication mechanism. It is intended for usage with Vault Agent to inherit Vault Agent's authentication without using the authentication token header.
- Parameters:
vaultEndpoint - must not be null.
- Since:
- 2.2.1
-
VaultTemplate
- Parameters:
vaultEndpoint - must not be null.
clientAuthentication - must not be null.
-
VaultTemplate
Create a new VaultTemplate with a VaultClient.
- Parameters:
client - must not be null.
- Since:
- 4.1
-
VaultTemplate
- Parameters:
client - must not be null.
clientAuthentication - must not be null.
- Since:
- 4.1
-
VaultTemplate
- Parameters:
client - must not be null.
sessionManager - must not be null.
- Since:
- 4.1
-
VaultTemplate
@Deprecated(since="4.1") public VaultTemplate(VaultEndpoint vaultEndpoint, ClientHttpRequestFactory clientHttpRequestFactory)
Deprecated. since 4.1 in favor of a revised VaultClient-based constructor.
Create a new VaultTemplate with a VaultEndpoint, and ClientHttpRequestFactory. This constructor does not use a ClientAuthentication mechanism. It is intended for usage with Vault Agent to inherit Vault Agent's authentication without using the authentication token header.
- Parameters:
vaultEndpoint - must not be null.
clientHttpRequestFactory - must not be null.
- Since:
- 2.2.1
-
VaultTemplate
@Deprecated(since="4.1") public VaultTemplate(VaultEndpoint vaultEndpoint, ClientHttpRequestFactory clientHttpRequestFactory, SessionManager sessionManager)
Deprecated. since 4.1 in favor of a revised VaultClient-based constructor.
- Parameters:
vaultEndpoint - must not be null.
clientHttpRequestFactory - must not be null.
sessionManager - must not be null.
-
VaultTemplate
@Deprecated(since="4.1") public VaultTemplate(VaultEndpointProvider endpointProvider, ClientHttpRequestFactory requestFactory)
Deprecated. since 4.1 in favor of a revised VaultClient-based constructor.
Create a new VaultTemplate with a VaultEndpointProvider, ClientHttpRequestFactory and SessionManager. This constructor does not use a ClientAuthentication mechanism. It is intended for usage with Vault Agent to inherit Vault Agent's authentication without using the authentication token header.
- Parameters:
endpointProvider - must not be null.
requestFactory - must not be null.
- Since:
- 2.2.1
-
VaultTemplate
@Deprecated(since="4.1") public VaultTemplate(VaultEndpointProvider endpointProvider, ClientHttpRequestFactory requestFactory, SessionManager sessionManager)
Deprecated. since 4.1 in favor of a revised VaultClient-based constructor.
Create a new VaultTemplate with a VaultEndpointProvider, ClientHttpRequestFactory and SessionManager.
- Parameters:
endpointProvider - must not be null.
requestFactory - must not be null.
sessionManager - must not be null.
- Since:
- 1.1
-
VaultTemplate
Deprecated. since 4.1 in favor of a revised VaultClient-based constructor.
Create a new VaultTemplate through a RestTemplateBuilder. This constructor does not use a ClientAuthentication mechanism. It is intended for usage with Vault Agent to inherit Vault Agent's authentication without using the authentication token header.
- Parameters:
restTemplateBuilder - must not be null.
- Since:
- 2.2.1
-
VaultTemplate
Create a new VaultTemplate through a RestClientBuilder. This constructor does not use a ClientAuthentication mechanism. It is intended for usage with Vault Agent to inherit Vault Agent's authentication without using the authentication token header.
- Parameters:
restClientBuilder - must not be null.
- Since:
- 4.0
-
VaultTemplate
@Deprecated(since="4.1") public VaultTemplate(RestTemplateBuilder restTemplateBuilder, SessionManager sessionManager)
Deprecated. since 4.1 in favor of a revised VaultClient-based constructor.
- Parameters:
restTemplateBuilder - must not be null.
sessionManager - must not be null.
- Since:
- 2.2
-
VaultTemplate
- Parameters:
restClientBuilder - must not be null.
sessionManager - must not be null.
- Since:
- 4.0
-
-
Method Details
-
doCreateRestTemplate
@Deprecated(since="4.1") protected RestTemplate doCreateRestTemplate(VaultEndpointProvider endpointProvider, ClientHttpRequestFactory requestFactory)
Deprecated. since 4.1, use VaultClient with the appropriate constructor instead. Session-authentication will be performed through the VaultClient and no longer through a request interceptor.
Create a RestTemplate to be used by VaultTemplate for Vault communication given VaultEndpointProvider and ClientHttpRequestFactory. VaultEndpointProvider is used to contribute host and port details for relative URLs typically used by the Template API. Subclasses may override this method to customize the RestTemplate.
- Parameters:
endpointProvider - must not be null.
requestFactory - must not be null.
- Returns:
- the RestTemplate used for Vault communication.
- Since:
- 2.1
-
doCreateRestClient
@Deprecated(since="4.1") protected RestClient doCreateRestClient(VaultEndpointProvider endpointProvider, ClientHttpRequestFactory requestFactory)
Deprecated. since 4.1, use VaultClient with the appropriate constructor instead. Session-authentication will be performed through the VaultClient and no longer through a request interceptor.
Create a RestClient to be used by VaultTemplate for Vault communication given VaultEndpointProvider and ClientHttpRequestFactory. VaultEndpointProvider is used to contribute host and port details for relative URLs typically used by the client API. Subclasses may override this method to customize the RestClient.
- Parameters:
endpointProvider - must not be null.
requestFactory - must not be null.
- Returns:
- the RestClient used for Vault communication.
- Since:
- 4.0
-
doCreateSessionTemplate
@Deprecated(since="4.1") protected RestTemplate doCreateSessionTemplate(VaultEndpointProvider endpointProvider, ClientHttpRequestFactory requestFactory)
Deprecated. since 4.1, use VaultClient with the appropriate constructor instead. Session-authentication will be performed through the VaultClient and no longer through a request interceptor.
Create a session-bound RestTemplate to be used by VaultTemplate for Vault communication given VaultEndpointProvider and ClientHttpRequestFactory for calls that require an authenticated context. VaultEndpointProvider is used to contribute host and port details for relative URLs typically used by the Template API. Subclasses may override this method to customize the RestTemplate.
- Parameters:
endpointProvider - must not be null.
requestFactory - must not be null.
- Returns:
- the RestTemplate used for Vault communication.
- Since:
- 2.1
-
doCreateSessionClient
protected RestClient doCreateSessionClient(VaultEndpointProvider endpointProvider, ClientHttpRequestFactory requestFactory)
Deprecated. since 4.1, use VaultClient with the appropriate constructor instead. Session-authentication will be performed through the VaultClient and no longer through a request interceptor.
Create a session-bound RestClient to be used by VaultTemplate for Vault communication given VaultEndpointProvider and ClientHttpRequestFactory for calls that require an authenticated context. VaultEndpointProvider is used to contribute host and port details for relative URLs typically used by the Template API. Subclasses may override this method to customize the RestClient.
- Parameters:
endpointProvider - must not be null.
requestFactory - must not be null.
- Returns:
- the RestClient used for Vault communication.
- Since:
- 4.0
-
setSessionManager
Set the SessionManager.
- Parameters:
sessionManager - must not be null.
-
afterPropertiesSet
public void afterPropertiesSet()
- Specified by:
afterPropertiesSet in interface InitializingBean
-
destroy
- Specified by:
destroy in interface DisposableBean
- Throws:
Exception
-
opsForKeyValue
Description copied from interface: VaultOperations
Return VaultKeyValueOperations and determine the version by querying Vault. Paths used with this method must be relative to the given mount path.
- Specified by:
opsForKeyValue in interface VaultOperations
- Parameters:
path - the mount path, must not be empty or null.
- Returns:
- the operations interface to interact with the Vault Key/Value secrets engine.
-
opsForKeyValue
public VaultKeyValueOperations opsForKeyValue(String path, VaultKeyValueOperationsSupport.KeyValueBackend apiVersion)
Description copied from interface: VaultOperations
Return VaultKeyValueOperations. Paths used with this method must be relative to the given mount path.
- Specified by:
opsForKeyValue in interface VaultOperations
- Parameters:
path - the mount path, must not be empty or null.
apiVersion - API version to use, must not be null.
- Returns:
- the operations interface to interact with the Vault Key/Value secrets engine.
-
opsForVersionedKeyValue
Description copied from interface: VaultOperations
Return VaultVersionedKeyValueOperations.
- Specified by:
opsForVersionedKeyValue in interface VaultOperations
- Parameters:
path - the mount path
- Returns:
- the operations interface to interact with the versioned Vault Key/Value (version 2) secrets engine.
-
opsForPki
- Specified by:
opsForPki in interface VaultOperations
- Returns:
- the operations interface to interact with the Vault PKI secrets engine.
-
opsForPki
Description copied from interface: VaultOperations
Return VaultPkiOperations if the PKI secrets engine is mounted on a different path than pki.
- Specified by:
opsForPki in interface VaultOperations
- Parameters:
path - the mount path
- Returns:
- the operations interface to interact with the Vault PKI secrets engine.
-
opsForSys
- Specified by:
opsForSys in interface VaultOperations
- Returns:
- the operations interface administrative Vault access.
-
opsForToken
- Specified by:
opsForToken in interface VaultOperations
- Returns:
- the operations interface to interact with Vault token.
-
opsForTransform
- Specified by:
opsForTransform in interface VaultOperations
- Returns:
- the operations interface to interact with the Vault transform secrets engine.
-
opsForTransform
Description copied from interface: VaultOperations
Return VaultTransformOperations if the transit secrets engine is mounted on a different path than transform.
- Specified by:
opsForTransform in interface VaultOperations
- Parameters:
path - the mount path
- Returns:
- the operations interface to interact with the Vault transform secrets engine.
-
opsForTransit
- Specified by:
opsForTransit in interface VaultOperations
- Returns:
- the operations interface to interact with the Vault transit secrets engine.
-
opsForTransit
Description copied from interface: VaultOperations
Return VaultTransitOperations if the transit secrets engine is mounted on a different path than transit.
- Specified by:
opsForTransit in interface VaultOperations
- Parameters:
path - the mount path
- Returns:
- the operations interface to interact with the Vault transit secrets engine.
-
opsForWrapping
- Specified by:
opsForWrapping in interface VaultOperations
- Returns:
- the operations interface to interact with the Vault system/wrapping endpoints.
-
read
Description copied from interface: VaultOperations
Read (GET) from a Vault path. Reading data using this method is suitable for API calls/secrets engines that do not require a request body.
- Specified by:
read in interface VaultOperations
- Parameters:
path - must not be null.
- Returns:
- the data. May be null if the path does not exist.
-
read
Description copied from interface: VaultOperations
Read (GET) from a secrets engine. Reading data using this method is suitable for secrets engines that do not require a request body.
- Specified by:
read in interface VaultOperations
- Parameters:
path - must not be null.
responseType - must not be null.
- Returns:
- the data. May be null if the path does not exist.
-
list
Description copied from interface: VaultOperations
Enumerate keys from a Vault path.
- Specified by:
list in interface VaultOperations
- Parameters:
path - must not be null.
- Returns:
- the data. May be null if the path does not exist.
-
write
Description copied from interface: VaultOperations
Write (POST) to a Vault path.
- Specified by:
write in interface VaultOperations
- Parameters:
path - must not be null.
body - the body, may be null if absent.
- Returns:
- the response, may be null.
-
delete
Description copied from interface: VaultOperations
Delete a path.
- Specified by:
delete in interface VaultOperations
- Parameters:
path - must not be null.
-
doWithVault
Description copied from interface: VaultOperations
Executes a Vault RestOperationsCallback. Allows to interact with Vault using RestOperations without requiring a session.
- Specified by:
doWithVault in interface VaultOperations
- Parameters:
clientCallback - the request.
- Returns:
- the RestOperationsCallback return value.
-
doWithSession
Description copied from interface: VaultOperations
Executes a Vault RestOperationsCallback. Allows to interact with Vault in an authenticated session. Operations without a session manager or ClientAuthentication do not attach a session token and behave like VaultOperations.doWithVault(RestOperationsCallback).
- Specified by:
doWithSession in interface VaultOperations
- Parameters:
sessionCallback - the request.
- Returns:
- the RestOperationsCallback return value.
-