Step 1: Maven Dependencies
Add the latest version of spring-vault-core to the POM.xml of your spring application. It can be found on Maven Central. To see how to create a spring application you can visit Spring Example - HelloWorld
<dependencies>
<dependency>
<groupId>org.springframework.vault</groupId>
<artifactId>spring-vault-core</artifactId>
<version>2.2.2.RELEASE</version>
</dependency>
</dependencies>
Step 2: Create VaultTemplate
To protect our secrets, we're supposed to instantiate a VaultTemplate for which VaultEndpoint and TokenAuthentication instances are needed:
VaultTemplate vaultTemplate = new VaultTemplate(new VaultEndpoint(),
new TokenAuthentication("00000000-0000-0000-0000-000000000000"));
Step 3: Create VaultEndpoint
There are various ways to instantiate VaultEndpoint.
- The first one is to simply instantiate it using a default constructor, which will create a default endpoint pointing to
http://localhost:8200
VaultEndpoint endpoint = new VaultEndpoint();
- the second way is to create a VaultEndpoint by specifying host and port of the Vault instance.
VaultEndpoint endpoint = VaultEndpoint.create("host", port);
- And finally, it is also possible to create it from the Vault URL:
VaultEndpoint endpoint = VaultEndpoint.from(new URI("vault uri"));
Vault will be configured with a root token of 00000000-0000-0000-0000-000000000 to run this program.
We used TokenAuthentication in our example, but there are other authentication methods supported as well.
Step 4: Configuring Vault Beans
With Spring, we can configure the Vault in a few ways. One is by extending the AbstractVaultConfiguration, and the other is by using EnvironmentVaultConfiguration, which uses the application properties.
AbstractVaultConfiguration
Build a class that extends the AbstractVaultConfiguration to configure the Spring Vault:
@Configuration
public class VaultConfig extends AbstractVaultConfiguration {
@Override
public ClientAuthentication clientAuthentication() {
return new TokenAuthentication("00000000-0000-0000-0000-000000000000");
}
@Override
public VaultEndpoint vaultEndpoint() {
return VaultEndpoint.create("host", 8020);
}
}
We just have to provide the implementation to configure VaultEndpoint and ClientAuthentication.
EnvironmentVaultConfiguration
You can also configure the Spring Vault using EnviromentVaultConfiguration:
@Configuration
@PropertySource(value = { "vault-config.properties" })
@Import(value = EnvironmentVaultConfiguration.class)
public class VaultEnvironmentConfig {
}
EnvironmentVaultConfiguration uses the Spring PropertySource to configure the Vault beans. We just need to provide some acceptable entries to the properties file. Further information on all predefined properties can be found in the official documents. We need at least a few properties to configure the Vault:
vault.uri=https://localhost:8200
vault.token=00000000-0000-0000-0000-000000000000
Step 5: Securing Secrets
As a primary usecase, create a simple Credentials class containing username and password:
public class Credentials {
private String username;
private String password;
// standard constructors, getters, setters
}
With the use of VaultTemplate, we can secure our Credentials object :
Credentials credentials = new Credentials("username", "password");
vaultTemplate.write("secret/myapp", credentials);
With the above lines, we have stored our secrets.
In the next step, we will see how we can access them.
Step 6: Accessing Secrets
By using the read() method of VaultTemplate, we are able to access the secured secrets. The read() method returns the VaultResponseSupport as a response:
VaultResponseSupport<Credentials> response =
vaultTemplate.read("secret/myapp", Credentials.class);
String username = response.getData().getUsername();
String password = response.getData().getPassword();
The saved secret values are now available in the application.