This guide walks you through the process of using Spring Cloud Vault to build an application that retrieves its configuration properties from HashiCorp Vault.
You’ll start up Vault, store configuration properties inside Vault, build a Spring application and connect it with Vault.
You can use this pre-initialized project and click Generate to download a ZIP file. This project is configured to fit the examples in this tutorial.
To manually initialize the project:
-
Navigate to https://start.spring.io. This service pulls in all the dependencies you need for an application and does most of the setup for you.
-
Choose either Gradle or Maven and the language you want to use. This guide assumes that you chose Java.
-
Click Dependencies and select Vault Configuration
-
Click Generate.
-
Download the resulting ZIP file, which is an archive of an application that is configured with your choices.
|
Note
|
If your IDE has the Spring Initializr integration, you can complete this process from your IDE. |
An instance of HashiCorp Vault is required to complete this guide.
This guide uses Docker Compose to run a containerized version of HashiCorp Vault.
A compose.yaml file has been provided:
link:compose.yaml[role=include]Run the HashiCorp Vault container with the docker compose up command.
Vault is a secrets management system allowing you to store sensitive data which is encrypted at rest.
You need to access the Vault container to store the data. Connect to the running Docker container with the command:
docker exec -it guide-vault shYou are now running commands inside of the HashiCorp Vault container.
First, you need to set two environment variables to point the Vault CLI to the Vault endpoint and provide an authentication token.
export VAULT_TOKEN="00000000-0000-0000-0000-000000000000"
export VAULT_ADDR="http://127.0.0.1:8200"Now you can store configuration key-value pairs inside Vault. For this guide, you store two key-value pairs:
vault kv put secret/gs-vault-config example.username=demouser example.password=demopassword
vault kv put secret/gs-vault-config/cloud example.username=clouduser example.password=cloudpasswordNow you have written two entries in Vault secret/gs-vault-config and secret/gs-vault-config/cloud.
With the Vault container running and the data loaded, you are now ready to turn your attention to the Spring application.
Create a simple configuration for your Spring application:
src/main/java/hello/MyConfiguration.java
link:complete/src/main/java/hello/MyConfiguration.java[role=include]Here you configure your application with application.properties. The code below uses Spring Boot’s Config Data API which allows importing configuration from Vault.
src/main/resources/application.properties
link:complete/src/main/resources/application.properties[role=include]Here you create an Application class with all the components.
src/main/java/hello/Application.java
link:complete/src/main/java/hello/Application.java[role=include]Spring Cloud Vault uses VaultOperations to interact with Vault. Properties from Vault get mapped to
MyConfiguration for type-safe access. @EnableConfigurationProperties(MyConfiguration.class) enables configuration property
mapping and registers a MyConfiguration bean.
Application includes a main() method that autowires an instance of MyConfiguration.
You can run the main method through your IDE.
Alternatively, the ./gradlew bootRun and ./mvnw spring-boot:run commands launch the application.
As our Application implements CommandLineRunner, the run method is invoked automatically when boot starts. You should see the output:
----------------------------------------
Configuration properties
example.username is demouser
example.password is demopassword
----------------------------------------
Now start the application using the cloud profile.
You can do so in Gradle with the ./gradlew bootRun --args='--spring.profiles.active=cloud' command or in Maven with the ./mvnw spring-boot:run -Dspring-boot.run.arguments="--spring.profiles.active=cloud" command.
When you run the application with the cloud profile, you see:
----------------------------------------
Configuration properties
example.username is clouduser
example.password is cloudpassword
----------------------------------------
Configuration properties are bound according to the activated profiles. Spring Cloud Vault constructs a Vault context path
from spring.application.name which is gs-vault and appends the profile name (cloud) so enabling the cloud profile
will fetch additionally configuration properties from secret/gs-vault-config/cloud.
Congratulations! You set up a Vault server and wrote a simple application that uses Spring Vault to read secrets into configuration properties and encrypt data with a strong cipher — all without the headache of implementing key management, a cipher mode, and padding.