Skip to content

A Maven plugin that extracts secrets from Vault and populate Maven properties.

License

Notifications You must be signed in to change notification settings

gnl42/vault-maven-plugin

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

vault-maven-plugin

This Maven plugin supports pull and pushing Maven project properties from secrets stored in HashiCorp Vault.

Usage

To include the vault-maven-plugin in your project add the following plugin to your pom.xml file:

<build>
    <plugins>
        <plugin>
            <groupId>com.deciphernow</groupId>
            <artifactId>vault-maven-plugin</artifactId>
            <version>1.0.0-SNAPSHOT</version>
        </plugin>
    </plugins>
</build>

Pulling Secrets

In order to pull secrets you must add an execution to the plugin. The following execution will pull secrets from secret/user path on the Vault server https://vault.example.com. In particular, this configuration will set the value of the ${project.password} and ${project.username} Maven properties to the secrets ${vault.password} and ${vault.username} respectively.

<build>
    <plugins>
        <plugin>
            <groupId>com.deciphernow</groupId>
            <artifactId>vault-maven-plugin</artifactId>
            <version>1.0.0-SNAPSHOT</version>
            <executions>
                <execution>
                    <id>pull</id>
                    <phase>initialize</phase>
                    <goals>
                        <goal>pull</goal>
                    </goals>
                    <configuration>
                        <servers>
                            <server>
                                <url>https://vault.example.com</url>
                                <token>bf6ba314-47f1-4b9d-ab87-2b8e53fc640f</token>
                                <paths>
                                    <path>
                                        <name>secret/user</name>
                                        <mappings>
                                            <mapping>
                                                <key>vault.password</key>
                                                <property>project.password</property>
                                            </mapping>
                                            <mapping>
                                                <key>vault.username</key>
                                                <property>project.username</property>
                                            </mapping>
                                        </mappings>
                                    </path>
                                </paths>
                            </server>
                        </servers>
                    </configuration>
                </execution>
            </executions>
        </plugin>
    </plugins>
</build>

Note that the execution will fail if a specified secret key does not exist and that an existing project property will be overwritten.

Pushing Secrets

In order to pull secrets you must add an execution to the plugin. The following execution will pull secrets from secret/user path on the Vault server https://vault.example.com. In particular, this configuration will set the value of the ${project.password} and ${project.username} Maven properties to the secrets ${vault.password} and ${vault.username} respectively.

<build>
    <plugins>
        <plugin>
            <groupId>com.deciphernow</groupId>
            <artifactId>vault-maven-plugin</artifactId>
            <version>1.0.0-SNAPSHOT</version>
            <executions>
                <execution>
                    <id>push</id>
                    <phase>verify</phase>
                    <goals>
                        <goal>push</goal>
                    </goals>
                    <configuration>
                        <servers>
                            <server>
                                <url>https://vault.example.com</url>
                                <token>bf6ba314-47f1-4b9d-ab87-2b8e53fc640f</token>
                                <paths>
                                    <path>
                                        <name>secret/user</name>
                                        <mappings>
                                            <mapping>
                                                <key>vault.password</key>
                                                <property>project.password</property>
                                            </mapping>
                                            <mapping>
                                                <key>vault.username</key>
                                                <property>project.username</property>
                                            </mapping>
                                        </mappings>
                                    </path>
                                </paths>
                            </server>
                        </servers>
                    </configuration>
                </execution>
            </executions>
        </plugin>
    </plugins>
</build>

Note that the execution will fail if a specified project property does not exist and that an existing secret value will be overwritten.

Building

This build uses standard Maven build commands but assumes that the following are installed and configured locally:

  1. Java (1.8 or greater)
  2. Maven (3.0 or greater)
  3. Docker

Contributing

  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create new Pull Request

About

A Maven plugin that extracts secrets from Vault and populate Maven properties.

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Java 100.0%