Configuring Vault with Spring Boot
--
Depending on the versions of Spring Cloud Vault and Spring Boot, the configuration of Vault properties differs.
With Spring Cloud Vault 3.0 and Spring Boot 2.4, the bootstrap context initialization of property sources (bootstrap.yml, bootstrap.properties) was deprecated.
See https://docs.spring.io/spring-cloud-vault/docs/current/reference/html/#new-in-3.0.0 for the enhancements in the latest version.
Dependency Setup
First, add the Spring Cloud Vault Config dependency to pom.xml:
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-vault-config</artifactId>
    <version>{project-version}</version>
</dependency>
Now we will see how to configure the Vault properties for the different versions.
Configurations with the support of bootstrap context
In earlier versions, Spring Cloud Vault operates in the bootstrap context to obtain configuration properties early, so it can provide them to the auto-configuration and to the application itself.
We can configure our application with bootstrap.yml or bootstrap.properties:
spring:
  cloud:
    vault:
      enabled: true
      kv:
        backend: <secret>
        enabled: true
        application-name: <vault-application-name>
      authentication: APPROLE
      app-role:
        role-id: <role-id>
        secret-id: <secret-id>
        app-auth-path: approle
      scheme: https
      uri: <vault-server>
      connection-timeout: 5000
      read-timeout: 15000
scheme: setting the scheme to http will use plain HTTP. Supported schemes are http and https.
uri: configures the Vault endpoint with a URI. Takes precedence over the host/port/scheme configuration.
connection-timeout: sets the connection timeout in milliseconds.
read-timeout: sets the read timeout in milliseconds.
authentication: sets the authentication mechanism used to authorize client requests. Spring Cloud Vault supports multiple mechanisms for authenticating applications with Vault; see https://docs.spring.io/spring-cloud-vault/docs/current/reference/html/#authentication.
kv: sets the key-value backend configuration (backend mount and application name).
Configurations without the support of bootstrap context
This can be done in two ways:
1. Use Spring Boot 2.4 Config Data API (Preferred)
Newer versions of Spring Cloud Vault favor Spring Boot's Config Data API, which allows importing configuration from Vault.
Move all properties from the bootstrap.yml file to the application.yml file. The application.yml file will look like:
spring:
  cloud:
    vault:
      authentication: APPROLE
      app-role:
        role-id: <role-id>
        secret-id: <secret-id>
        app-auth-path: approle
      uri: <vault-server>
      connection-timeout: 5000
      read-timeout: 15000
  config:
    import: vault://<secret>/<vault-application-name>
spring.config.import points Spring Boot at the mount path of the Vault key-value backend to import.
The same configuration can also be written in the following form:
spring:
  cloud:
    vault:
      enabled: true
      kv:
        backend: <secret>
        enabled: true
        application-name: <vault-application-name>
      authentication: APPROLE
      app-role:
        role-id: <role-id>
        secret-id: <secret-id>
        app-auth-path: approle
      scheme: https
      uri: <vault-server>
      connection-timeout: 5000
      read-timeout: 15000
  config:
    import: optional:vault://
spring.cloud.vault.enabled enables or disables Vault. When Vault is disabled, config locations marked optional are skipped during application startup.
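To make the property descriptions above and the two forms of spring.config.import concrete, here is an added example (not code from the original post or from Spring Cloud Vault) that re-enacts with plain urllib what the configured client does at startup: an AppRole login at auth/<app-auth-path>/login that exchanges role-id and secret-id for a client token, followed by a read of <backend>/data/<application-name> from the KV version 2 mount that the kv settings name. It also parses both import forms shown above, vault://<secret>/<application> and the bare optional:vault:// that falls back to the kv.* properties. A small fake Vault runs in-process so the script works offline; the role-id, secret-id, token and secret data are constructed placeholders, and the optional: handling (a missing secret path yields an empty result instead of a startup failure) is a deliberate simplification of Spring Boot's optional-location semantics.

```python
# Added example (not from the original post or Spring Cloud Vault): the AppRole
# login and KV v2 read that the properties above configure, re-enacted with
# urllib against a fake in-process Vault so it runs offline. Credentials and
# secret data are constructed placeholders; 'optional:' handling is simplified.
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

FAKE_ROLE_ID = "role-id-placeholder"      # constructed, known to the fake server
FAKE_SECRET_ID = "secret-id-placeholder"  # constructed
FAKE_TOKEN = "hvs.fake-client-token"      # constructed
FAKE_KV = {"secret/data/demo-app": {"db.password": "constructed-value"}}

def parse_import(location):
    """Split 'optional:vault://<backend>/<application>'; a bare 'vault://'
    yields None for both so the caller falls back to spring.cloud.vault.kv.*."""
    optional = location.startswith("optional:")
    if optional:
        location = location[len("optional:"):]
    if not location.startswith("vault://"):
        raise ValueError("not a vault location: " + location)
    parts = [p for p in location[len("vault://"):].split("/") if p]
    return {"optional": optional,
            "backend": parts[0] if parts else None,
            "application": "/".join(parts[1:]) if len(parts) > 1 else None}

class FakeVault(BaseHTTPRequestHandler):
    """Constructed stand-in for the two Vault endpoints this example needs."""

    def log_message(self, *args):  # silence per-request logging
        pass

    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):  # AppRole login: role_id + secret_id -> client token
        if self.path != "/v1/auth/approle/login":
            return self._send(404, {"errors": ["unsupported path"]})
        creds = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))))
        if creds.get("role_id") != FAKE_ROLE_ID or creds.get("secret_id") != FAKE_SECRET_ID:
            return self._send(400, {"errors": ["invalid role or secret ID"]})
        self._send(200, {"auth": {"client_token": FAKE_TOKEN, "lease_duration": 3600}})

    def do_GET(self):  # KV v2 read, gated on the token from the login above
        if self.headers.get("X-Vault-Token") != FAKE_TOKEN:
            return self._send(403, {"errors": ["permission denied"]})
        key = self.path[len("/v1/"):]
        if key not in FAKE_KV:
            return self._send(404, {"errors": []})
        self._send(200, {"data": {"data": FAKE_KV[key]}})

def start_fake_vault():
    """Start the fake Vault on a free localhost port; returns (server, uri)."""
    server = HTTPServer(("127.0.0.1", 0), FakeVault)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]

def _call(uri, path, body=None, token=None, timeout=15.0):
    # urllib has one socket timeout, so the page's read-timeout (15000 ms) is
    # used; Spring's separate connection-timeout has no direct analogue here.
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(uri.rstrip("/") + "/v1/" + path, data=data,
                                 method="POST" if data else "GET")
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())

def approle_login(uri, role_id, secret_id, app_auth_path="approle"):
    """The call spring.cloud.vault.app-role.* drives; only the token is kept."""
    body = _call(uri, "auth/%s/login" % app_auth_path,
                 {"role_id": role_id, "secret_id": secret_id})
    return body["auth"]["client_token"]

def load_secrets(uri, location, role_id, secret_id,
                 default_backend="secret", default_application=None):
    """Resolve the import location, log in, read <backend>/data/<application>.
    With 'optional:' a 404 on the secret path yields {} instead of failing."""
    imp = parse_import(location)
    backend = imp["backend"] or default_backend
    application = imp["application"] or default_application
    token = approle_login(uri, role_id, secret_id)
    try:
        body = _call(uri, "%s/data/%s" % (backend, application), token=token)
    except urllib.error.HTTPError as err:
        if imp["optional"] and err.code == 404:
            return {}
        raise
    return body["data"]["data"]
```

Run it by calling start_fake_vault() and then load_secrets(uri, "vault://secret/demo-app", FAKE_ROLE_ID, FAKE_SECRET_ID). The shape of the exchange is the point: the secret-id is sent exactly once, to the login endpoint, and everything after that is authorized by the short-lived client token, which is why the secret-id should be injected at deploy time rather than committed in application.yml. A wrong secret-id fails at login with HTTP 400 before any secret path is touched, and a missing secret path only passes silently when the location carries the optional: prefix.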
2. If we still want to use the bootstrap context, we can enable it by adding the following dependency to pom.xml:
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-bootstrap</artifactId>
</dependency>
and setting the configuration property spring.cloud.bootstrap.enabled=true in the application.yml file.