Inject OCI Vault Secrets into Spring Apps

Anders Swanson
Jul 29, 2024

Using Spring Cloud OCI, you can easily configure OCI Vault instances as Spring property sources, allowing you to dynamically inject Vault secrets as app properties accessible with Spring @Value annotations:

@Value("${someVaultSecret}")
private String someSecretValue;

@Value("${anotherVaultSecret}")
private String anotherSecretValue;

For reference, a sample application using OCI Vault as a Spring property source can be found here, or read on for a configuration walk-through.

Configuring OCI Vault as a Spring property source

To configure OCI Vault as a Spring property source, we’ll use the Spring Cloud OCI Vault Starter. Add the starter to your Maven project like so:

<dependencies>
    <dependency>
        <groupId>com.oracle.cloud.spring</groupId>
        <artifactId>spring-cloud-oci-starter-vault</artifactId>
        <version>1.2.0</version>
    </dependency>
</dependencies>

Or, if you’re using Gradle:

dependencies {
    implementation "com.oracle.cloud.spring:spring-cloud-oci-starter-vault:1.2.0"
}

Next, we’ll configure OCI properties for Vault. We’ll use config file authentication in this example, but Instance Principal, User Principal, or Workload Identity also work. To configure Vault as a property source, specify an OCI Compartment, a Vault ID, and a property refresh interval, like so:

spring:
  cloud:
    oci:
      config:
        type: file
      region:
        static: ${OCI_REGION}
      vault:
        # OCI Compartment containing OCI Vault instance(s)
        compartment: ${OCI_COMPARTMENT_ID}
        enabled: true
        # How often to refresh properties loaded from OCI Vault
        property-refresh-interval: 10000ms
        # OCI Vault instance(s) loaded as spring property sources
        property-sources:
          - vault-id: ${OCI_VAULT_ID}

        # Vault id for OCI VaultTemplate
        vault-id: ${OCI_VAULT_ID}

The compartment and Vault information can be gathered from the Compartment and Vault pages on the OCI Console. If you need help creating an OCI Vault and populating it with data, see Creating a Vault, or Creating a Secret in a Vault.

Now that OCI Vault is configured as a Spring property source, we’ll write a simple Spring controller that uses Vault secrets as properties.

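import java.util.List;

import com.oracle.cloud.spring.vault.VaultTemplate;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class AppController {
    // VaultTemplate bean for the configured vault-id; not used by this endpoint.
    private final VaultTemplate vaultTemplate;

    // The value of the Vault secret "mysecret" will be
    // injected into "mySecretValue" by the Spring property source loader.
    @Value("${mysecret}")
    private String mySecretValue;

    @Value("${anotherSecret}")
    private String anotherSecretValue;

    public AppController(VaultTemplate vaultTemplate) {
        this.vaultTemplate = vaultTemplate;
    }

    // Returns the injected values so you can see the property source working.
    // Demo only: a real endpoint should not return secret values to callers.
    @GetMapping("/values")
    public ResponseEntity<?> showValues() {
        return ResponseEntity.ok(List.of(
                mySecretValue, anotherSecretValue
        ));
    }
}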
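The controller above returns the secrets so you can see them load. The following added example (not from the sample application) shows a consumer that uses the secret without ever returning or logging it. The class name, the /protected endpoint, the X-Api-Token header, and the use of "mysecret" as an API token are hypothetical, and it assumes that a lookup through Spring's Environment sees the values the Vault property source loaded on its latest refresh.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import org.springframework.core.env.Environment;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class SecretConsumerController {
    // Hypothetical header name, chosen for this example.
    private static final String TOKEN_HEADER = "X-Api-Token";

    private final Environment environment;

    public SecretConsumerController(Environment environment) {
        this.environment = environment;
    }

    // Resolve "mysecret" on every call. An @Value field is set once, when the
    // bean is created; looking the property up here reads whatever the
    // property source currently holds (assumption: the Vault property source
    // replaces its values on each property-refresh-interval tick, so a
    // rotated secret is picked up without a restart).
    private byte[] currentSecret() {
        String value = environment.getProperty("mysecret");
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("Vault secret 'mysecret' is not available");
        }
        return value.getBytes(StandardCharsets.UTF_8);
    }

    @GetMapping("/protected")
    public ResponseEntity<String> protectedResource(
            @RequestHeader(name = TOKEN_HEADER, required = false) String presented) {
        if (presented == null) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
        }
        // MessageDigest.isEqual avoids the early-exit timing leak of
        // String.equals; the secret never appears in the response body.
        boolean ok = MessageDigest.isEqual(
                currentSecret(), presented.getBytes(StandardCharsets.UTF_8));
        return ok
                ? ResponseEntity.ok("authorized")
                : ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
    }
}
```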

Using OCI Vault as a Spring property source for dynamic secret injection can make your application more secure, eliminating the need for static secrets on disk.

Anders Swanson

I'm a Developer Evangelist for Oracle Database who is passionate about creating content and tools to help developers succeed.