# HashiCorp Vault with Spring Cloud Vault
MIT License
This repository demonstrates a HashiCorp Vault setup and its use with Spring Cloud Vault to supply Spring Boot configuration (database credentials per profile) from Vault.
## Vault setup

Install Vault, add the `vault` binary to your `PATH` and enable CLI autocomplete:

```shell
vault -autocomplete-install
```

Create a `config.hcl` file in the `HashiCorpVault` directory. Consul is the storage backend and the listener has TLS disabled, which is acceptable only for this local demo (every token you send to this listener, including the root token, travels in clear text):

```hcl
storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault/"
}

ui = true

listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = 1
}
```

Add the `consul` binary to your `PATH`, start a dev-mode Consul agent (it keeps its data in memory, so Vault's data is lost when the agent stops) and then start the Vault server with the config file:

```shell
consul agent -dev
vault server -config=<path_to_file>/config.hcl
```
Point the CLI at the server and initialize it:

```shell
export VAULT_ADDR=http://127.0.0.1:8200
vault operator init
```

`vault operator init` prints the unseal keys and the initial root token (by default five key shares with an unseal threshold of three). The values below are the sample output of this demo instance. For anything other than a throwaway demo, hand the unseal keys to separate custodians, never commit them or the root token to a repository, and revoke the root token once tokens with proper policies exist.

```text
Unseal Key 1: E4GnjX+VP9G50uWQNcwpCflzGAMKGR38BbQywgq4I6L8
Unseal Key 2: PYMxcCOswEYMNz7N6UW53Up6nu6y+SjAPwTJOTtkju3d
Unseal Key 3: yuJ5cSxC7tSBR5mMVJ/WJ9bfhhfGb+uwWw9FQR0JKILh
Unseal Key 4: 0vdvEFHM9PHEGMctJrl2ylHqoKQK8DLkfMU6ntmDz6jv
Unseal Key 5: cI8yglWJX+jPf/yQG7Sg6SPWzy0WyrBPvaFTOAYkPJTx
Initial Root Token: 62421926-81b9-b202-86f8-8850176c0cf3
```

Unseal Vault by running the following command once for each of three different unseal keys (it prompts for a key each time and reports `Sealed false` once the threshold is reached):

```shell
vault operator unseal
```
Create a policy named `vault-demo-policy` that controls access to our secrets engine (enabled in a later step). Save the rules below to a file and load them with `vault policy write vault-demo-policy <path_to_file>`:

```hcl
path "vaultdemo/pres/dev/*" {
  capabilities = ["read", "create", "update"]
}

path "vaultdemo/pres/test/*" {
  capabilities = ["read", "create", "update"]
}

path "vaultdemo/pres/prod/*" {
  capabilities = ["read", "create", "update"]
}
```

Two things to check before attaching this policy to the application's token. In Vault ACLs a trailing `*` is a prefix glob, so `vaultdemo/pres/dev/*` matches `vaultdemo/pres/dev/anything` but not the exact path `vaultdemo/pres/dev` that the `vault kv put` commands below write and that Spring Cloud Vault reads; add a rule for the exact path (or use the single-segment wildcard `vaultdemo/pres/+`). And if `vaultdemo` is mounted as a KV version 2 engine, the API path carries an extra `data/` segment, so the rules must name `vaultdemo/data/pres/dev` and so on. A token used only by the application normally needs just `read`.
Enable a key-value secrets engine at the mount path `vaultdemo` before writing to it, for example `vault secrets enable -path=vaultdemo kv` (add `-version=2` for a versioned KV v2 engine, which is the version Spring Cloud Vault's `spring.cloud.vault.kv` settings expect by default; for a KV v1 mount set `spring.cloud.vault.kv.backend-version: 1`).

Secrets follow the layout `<secret_engine_name>/<application_name>/<profile>`: the secrets engine is `vaultdemo`, the application name is `pres` and the profile is `dev`, `test` or `prod`. Following this format is necessary because Spring Cloud Vault builds the paths it reads from the application name and the active profile. The following commands create three key/value pairs (`username`, `password`, `url`) for each profile:

```shell
vault kv put vaultdemo/pres/dev username=root password=dev1234 url="jdbc:mysql://localhost:3306/bookstore_dev"
vault kv put vaultdemo/pres/test username=sa password="" url="jdbc:h2:mem:bookstore"
vault kv put vaultdemo/pres/prod username=root password=prod1234 url="jdbc:mysql://localhost:3306/bookstore_prod"
```
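The following script is an added example, not part of this repository and not Vault's or Spring Cloud Vault's own code. It re-implements the documented Vault ACL path rules (`*` only as a trailing prefix glob, `+` as a single-segment wildcard, most specific rule wins) and the four context paths Spring Cloud Vault reads for backend `vaultdemo`, application `pres` and profile `dev`, then checks which of those paths the policy above actually grants. It assumes Spring Cloud Vault's default context name `application`; `APP_READ_POLICY` is a suggested read-only replacement policy, not something the README defines, and the KV v2 `data/` rewrite reflects the v2 API path layout.

```python
"""Model of Spring Cloud Vault's lookup paths against Vault ACL policy rules.

Added example for this README; it is not Vault's matcher or Spring Cloud
Vault's code, only a small re-implementation of the documented rules:
  * '*' is allowed only as the last character of a rule and matches any
    suffix (a prefix glob);
  * '+' matches exactly one path segment;
  * the most specific matching rule decides the capabilities.
"""
import re

# Paths and capabilities copied from the README's vault-demo-policy.
README_POLICY = {
    "vaultdemo/pres/dev/*": {"read", "create", "update"},
    "vaultdemo/pres/test/*": {"read", "create", "update"},
    "vaultdemo/pres/prod/*": {"read", "create", "update"},
}

# Suggested read-only policy for the application token (assumption, not from
# the README): exact rules for the parent contexts plus a single-segment
# wildcard that covers every profile.
APP_READ_POLICY = {
    "vaultdemo/pres": {"read"},
    "vaultdemo/pres/+": {"read"},
    "vaultdemo/application": {"read"},
    "vaultdemo/application/+": {"read"},
}


def spring_cloud_vault_contexts(backend, application, profiles,
                                kv_version=1, default_context="application"):
    """Paths Spring Cloud Vault reads, most specific first.

    It reads {app}/{profile}, {app}, {default}/{profile} and {default} below
    the backend mount; a KV v2 mount inserts a 'data/' segment after the
    mount name in the API path.
    """
    if kv_version not in (1, 2):
        raise ValueError("kv_version must be 1 or 2")
    mount = f"{backend}/data" if kv_version == 2 else backend
    contexts = []
    for name in (application, default_context):
        for profile in profiles:
            contexts.append(f"{mount}/{name}/{profile}")
        contexts.append(f"{mount}/{name}")
    return contexts


def policy_path_matches(rule, path):
    """True if a Vault ACL path rule applies to the request path."""
    if "*" in rule[:-1]:
        raise ValueError("'*' is only valid as the last character of a rule")
    prefix_glob = rule.endswith("*")
    literal = rule[:-1] if prefix_glob else rule
    regex = "/".join("[^/]+" if seg == "+" else re.escape(seg)
                     for seg in literal.split("/"))
    if prefix_glob:
        regex += ".*"
    return re.fullmatch(regex, path) is not None


def capabilities_for(policy, path):
    """Capabilities one policy grants on a path (simplified resolution: an
    exact rule wins, otherwise the longest matching rule; 'deny' removes
    everything)."""
    if path in policy:
        caps = set(policy[path])
    else:
        matching = [r for r in policy if policy_path_matches(r, path)]
        if not matching:
            return set()
        caps = set(policy[max(matching, key=len)])
    return set() if "deny" in caps else caps


def uncovered_paths(policy, paths, capability="read"):
    """The given paths on which the policy does not grant `capability`."""
    return [p for p in paths if capability not in capabilities_for(policy, p)]


def kv2_policy(policy, backend):
    """Rewrite rules written for a KV v1 mount into the KV v2 'data/' layout."""
    head = backend + "/"
    return {f"{backend}/data/{rule[len(head):]}": caps
            for rule, caps in policy.items() if rule.startswith(head)}


if __name__ == "__main__":
    for version in (1, 2):
        ctx = spring_cloud_vault_contexts("vaultdemo", "pres", ["dev"], version)
        print(f"KV v{version} contexts: {ctx}")
        print("  README policy leaves unreadable:", uncovered_paths(README_POLICY, ctx))
        fixed = APP_READ_POLICY if version == 1 else kv2_policy(APP_READ_POLICY, "vaultdemo")
        print("  read-only policy leaves unreadable:", uncovered_paths(fixed, ctx))
```

Running the script lists, for a KV v1 and a KV v2 mount, which of the four contexts each policy leaves unreadable. The README's policy covers none of them, because every rule ends in `/*` and therefore only matches children of `vaultdemo/pres/dev`, never the path itself; the read-only policy covers all four, but only once its rules are rewritten with the `data/` segment for a v2 mount.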
## Spring Boot configuration

Create an `application.yml` file with the following content:

```yaml
## Select profile
spring:
  profiles:
    active: @activatedProperties@
  application:
    name: pres
  cloud:
    vault:
      authentication: TOKEN
      token: ${VAULT_TOKEN}
      scheme: http
      host: localhost
      port: 8200
      kv:
        enabled: true
        backend: vaultdemo
```

Export the token the application should authenticate with (the root token works for the demo but is unrestricted; a token created with `vault token create -policy=vault-demo-policy` is the better choice):

```shell
export VAULT_TOKEN=<Your token>
```

Spring Boot reads `application.yml` to configure the Vault client and fetches the key/value pairs required by the active profile before initializing the application context. The `${VAULT_TOKEN}` placeholder is resolved from the machine's environment variables (or from a `-D` system property). `scheme: http` matches the TLS-disabled listener configured above and is for local use only.
Create an `application-dev.yml` file with the following content. The placeholders must match the keys stored in Vault, i.e. `${username}`, `${password}` and `${url}`:

```yaml
## Server Properties
server:
  port: 8081

spring:
  config:
    import: vault://vaultdemo/pres/dev
    activate:
      on-profile: "dev"
  datasource:
    username: ${username}
    password: ${password}
    url: ${url}
```
Create `application-test.yml` and `application-prod.yml` the same way for the Test and Prod environments, importing `vault://vaultdemo/pres/test` and `vault://vaultdemo/pres/prod` under `on-profile: "test"` and `on-profile: "prod"` respectively.

The `application.yml` shown above selects the actual Spring profile from the Maven command: the `@activatedProperties@` placeholder is replaced by Maven resource filtering at build time. Please look at this gist on "How to select Spring boot profile from maven" for the Maven side of that setup.
## Build and run

Pass `-Ddev` or `-Dtest` to the Maven command; the property activates the matching Maven profile, which sets `activatedProperties` and therefore the Spring profile written into `application.yml`:

```shell
mvn clean package -Dtest -DskipTests
```

Run the jar with the Vault token available either as the `VAULT_TOKEN` environment variable exported above or as a system property, which must be placed before `-jar` (a `--D` prefix is not valid `java` syntax):

```shell
java -DVAULT_TOKEN=<Root Token> -jar target/vaultdemo-*.jar
```

The root token is convenient for the demo but can do anything in Vault. For anything beyond that, create a token bound to the policy from the setup section (`vault token create -policy=vault-demo-policy -field=token`) and export that value as `VAULT_TOKEN` instead of the root token.