Secure Microservices Configuration Properties via HashiCorp Vault

Akash Bhingole
Globant
Apr 11, 2022

What is Vault?

HashiCorp Vault is a platform to secure, store, and tightly control access to tokens, passwords, certificates, encryption keys and other secrets that protect sensitive data in a dynamic infrastructure. Using Vault we can retrieve credentials from its key/value store, from database secrets engines, etc. in a secured way. In general, Vault solves the software development security problem of how to manage secrets.

It is a central place to store the most sensitive properties that applications require. Secrets are encrypted at rest, and access to the Vault server is governed by access control mechanisms. To catch suspicious activity or attempts by unauthorized users to read these secrets, Vault keeps audit trail logs, so we can easily identify who tried to access which secret. Vault also provides the important feature of dynamically rolling (rotating) secrets after a specific period of time.

A modern system requires access to a multitude of secrets: database credentials, API keys for external services, credentials for service-oriented architecture communication, etc. Understanding who is accessing what secrets is already very difficult and platform-specific. Adding on key rolling, secure storage, and detailed audit logs is almost impossible without a custom solution. This is where Vault steps in.

How to Set Up a Vault Server?

The steps below cover installation on Windows OS.

1) Download zip file from https://www.vaultproject.io/downloads

2) Unzip it and save the directory path in Environment variables

3) Set VAULT_ADDR='http://127.0.0.1:8200' as an environment variable, or in the shell session via command

  • export VAULT_ADDR='http://127.0.0.1:8200'   (bash; in the Windows command prompt use: set VAULT_ADDR=http://127.0.0.1:8200)

4) For starting Vault server there are two ways

a) In dev mode, where we can manually pass the root token that will be used further for client authentication (dev mode runs in-memory and starts already unsealed, so it is for local testing only)

  • vault server -dev -dev-root-token-id="00000000-0000-0000-0000-000000000000"

b) Using File based mode (Used for Production and other environments) -

  • Create .hcl config file for vault configuration with below content
vaultconfig.hcl
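As an added example (not the article's original gist), this is what a minimal file-backend vaultconfig.hcl for a single local server can look like. The storage path and addresses are assumptions; adjust them to your host.

```hcl
# Added example, not the article's original configuration file.
# Persist the encrypted barrier on local disk (fine for a single node;
# clustered deployments normally use Integrated Storage or Consul).
storage "file" {
  path = "C:/vault/data"   # assumed path; any writable directory works
}

# Listener used by the CLI and by Spring Cloud Config Server.
# tls_disable = "true" is only acceptable on a loopback address for local
# testing; anything reachable from the network should set tls_cert_file
# and tls_key_file instead.
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = "true"
}

# Address clients use to reach this server; keep it equal to VAULT_ADDR.
api_addr = "http://127.0.0.1:8200"

# Serve the web UI on /ui.
ui = true
```

With this file in place, `vault server -config=vaultconfig.hcl` starts a sealed server that keeps its data under the configured path, which is why the init and unseal steps that follow are needed.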

Then Start vault server with this file

  • vault server -config=vaultconfig.hcl

Once the Vault server is started we initialize it. During initialization, the encryption keys are generated, unseal keys are created, and the initial root token is created.

  • vault operator init

After initialization we get the unseal keys and an initial root token. The keys are used to unseal Vault and the token to log in to the Vault server. Remember that we will need at least 3 of these keys to unseal Vault after every startup (vault operator unseal is run once per key), so keep them in a secure place: without them Vault cannot decrypt its secrets.

  • vault operator unseal

5) Login to vault server via token

  • vault login <token>

6) Once we are logged in we can enable a secrets engine to store secret data as key/value pairs

  • vault secrets enable -version=1 -path=secret kv

7) After everything is done we can now put secrets in vault for the respective applications

  • vault kv put secret/<application-name> <key>=<value>

How many integration options does HashiCorp’s Vault support?

1) Linux Shell Integration

2) Java Spring Boot App Integration

3) Python

4) Node.JS

5) Ansible Automation

In this tutorial we will go through the Spring Boot integration option for microservices and understand how Spring Cloud provides integration support for HashiCorp's Vault.

Vault Integration In Microservices

What is Spring Vault?

Spring Cloud Vault provides Spring abstractions over HashiCorp's Vault. It provides the dependencies for integrating with Vault and lets an application interact with the Vault server to access secrets such as database usernames and passwords, API tokens, encryption keys, etc. The Spring framework ships the Vault support in the spring-vault-core package, so we can add it to the build file of any Spring Boot application as below -

Maven -

pom.xml

Gradle -

build.gradle

Vault Integration in Spring Boot Microservices

In a microservices architecture we already have a part of Spring Cloud known as the central config server, which is used to externalize and centralize the configuration properties of the microservices. It offers two storage options, a native file location and git repositories, for keeping configuration properties. Alongside these we can add a Vault server as a third option and keep our secrets and sensitive properties (database credentials, API tokens, encryption keys) there, where they are better protected.

Spring cloud config already includes dependencies for Spring vault core so we don’t need to add anything extra in the central config server build file.

We need to add configuration for Vault in the central config application.yml file which will be used to connect Vault server and get properties by passing a token to it.

application.yml
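As an added example (not the article's original gist), the following application.yml configures Spring Cloud Config Server to use the Vault backend set up earlier. Host, port, mount path and kv version match the earlier CLI steps; the application name and port are assumptions.

```yaml
# Added example of a config server application.yml, not the article's own file.
server:
  port: 8888                 # port used in the curl request later in the article

spring:
  application:
    name: config-server      # assumed name
  profiles:
    active: vault            # selects the Vault EnvironmentRepository
  cloud:
    config:
      server:
        vault:
          host: 127.0.0.1
          port: 8200
          scheme: http       # switch to https once TLS is enabled on the listener
          backend: secret    # mount path from 'vault secrets enable -path=secret kv'
          kv-version: 1      # must match the -version flag used when enabling the engine
          default-key: application   # secrets shared by all apps live under secret/application
```

No Vault token is stored in this file: the server forwards the token that each client sends in the X-Config-Token header, as the curl request below shows. A mismatch between kv-version and the engine version enabled on the server is a common cause of empty property sources, so check that first when no secrets come back.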

Let's test our config server via an HTTP request to get the secret properties. You can use curl, or a REST client tool like Postman.

$ curl -X "GET" "http://localhost:8888/myapp/default" -H "X-Config-Token: yourtoken"

This should return a response like the following:
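As an added illustration (a constructed sample, not the author's actual output), a config server response for application myapp and profile default looks like this when secrets were stored under secret/myapp and secret/application; the values shown are placeholders.

```json
{
  "name": "myapp",
  "profiles": ["default"],
  "label": null,
  "version": null,
  "state": null,
  "propertySources": [
    {
      "name": "vault:myapp",
      "source": {
        "spring.datasource.username": "app_user",
        "spring.datasource.password": "CONSTRUCTED-SAMPLE-PASSWORD"
      }
    },
    {
      "name": "vault:application",
      "source": {
        "app.feature.flag": "true"
      }
    }
  ]
}
```

Property source names are prefixed with vault: followed by the key that was read, and the vault:application source appears only if a secret exists at that default key. Since this endpoint returns secrets in clear text to anyone presenting a valid token, the config server itself should be reachable only over TLS and only by the microservices that need it.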

In the above JSON response the first property source comes from the Vault server and contains the secrets we stored at Vault.

So now when we start our client microservices, each one first asks the central config server for its configuration properties; the central config server in turn asks Vault for the database credentials or any other secret properties, passing the token for authentication. Once the request is fully authenticated, the secrets are returned to the respective microservice via the central config server.

Conclusion

This tutorial showed you how to keep your secret configuration in Vault through Spring Cloud. There is a lot more you can do with Spring Cloud Config, such as encrypting the values you store, and using it together with Spring Vault to keep your secrets in a more secure location.
