
Spring Cloud Vault Tutorial

Overview

Spring Cloud Vault provides integration with HashiCorp's Vault to manage secrets and protect sensitive data. It allows you to store and access secrets in a centralized and secure manner, leveraging Vault's capabilities for secret management.

Key Features of Spring Cloud Vault

Spring Cloud Vault offers several features that facilitate secret management and data protection:

  • Secure Secret Storage: Store sensitive data in Vault securely.
  • Dynamic Secrets: Generate secrets dynamically for databases and other services.
  • Encryption as a Service: Use Vault for encrypting and decrypting data.
  • Integration with Spring: Seamlessly integrate with Spring Boot applications.

Setting Up Spring Cloud Vault

To set up Spring Cloud Vault, add the following dependencies to your project:

// build.gradle
dependencies {
    implementation 'org.springframework.cloud:spring-cloud-starter-vault-config'
}

This adds the necessary dependencies for Spring Cloud Vault integration.

Configuring Vault

Configure Vault in the bootstrap.properties file:

# bootstrap.properties
spring.application.name=my-app
spring.cloud.vault.uri=http://localhost:8200
spring.cloud.vault.token=my-root-token
spring.cloud.vault.scheme=http
spring.cloud.vault.generic.enabled=true
spring.cloud.vault.generic.backend=secret
spring.cloud.vault.generic.default-context=my-app

This configuration sets the Vault server URI, the authentication token, and the path under which the application's secrets are stored (here secret/my-app). A root token over plain HTTP is suitable only for a local development server; a deployed application should authenticate with a scoped method such as AppRole (spring.cloud.vault.authentication=APPROLE) and talk to Vault over TLS. Note also that Spring Cloud 2020.0 and later process bootstrap.properties only when spring-cloud-starter-bootstrap is on the classpath; otherwise place the same properties in application.properties and import Vault with spring.config.import=vault://.

Storing Secrets in Vault

Store secrets in Vault using the CLI or API:

$ vault kv put secret/my-app message="Hello from Vault" password="supersecret"

This command stores a secret with two keys, message and password, at the secret/my-app path, which matches the backend and default-context configured above.

Accessing Secrets in Spring Boot Application

Access the secrets in your Spring Boot application using the @Value annotation:

// ExampleController.java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ExampleController {
    // Injected from the Vault-backed PropertySource (secret/my-app)
    @Value("${message}")
    private String message;

    @Value("${password}")
    private String password;

    // Demonstration only: echoing a secret in an HTTP response is not something
    // a real application should do
    @GetMapping("/secrets")
    public String getSecrets() {
        return "Message: " + message + ", Password: " + password;
    }
}

This controller reads the two Vault-sourced properties and returns them in the response. Spring Cloud Vault loads the secrets at startup into a property source, so @Value resolves them exactly like any other configuration value; returning them over HTTP is done here only to make the injection visible.

Dynamic Secrets

Vault can generate secrets dynamically for databases and other services. Configure dynamic secrets in Vault and access them in your Spring Boot application:

$ vault secrets enable database
$ vault write database/config/my-database \
    plugin_name=mysql-database-plugin \
    connection_url="{{username}}:{{password}}@tcp(127.0.0.1:3306)/" \
    allowed_roles="my-role" \
    username="root" \
    password="rootpassword"

$ vault write database/roles/my-role \
    db_name=my-database \
    creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; \
    GRANT ALL PRIVILEGES ON *.* TO '{{name}}'@'%';" \
    default_ttl="1h" \
    max_ttl="24h"

This configuration sets up dynamic secrets for a MySQL database: each read of database/creds/my-role creates a fresh database user with a 1-hour lease (renewable up to 24 hours), after which Vault revokes it. Spring Cloud Vault's database backend can request these credentials and renew the lease for the application.

Encryption as a Service

Use Vault for encrypting and decrypting data:

$ vault secrets enable transit
$ vault write -f transit/keys/my-key
$ vault write transit/encrypt/my-key plaintext=$(echo -n 'my-secret-data' | base64)
$ vault write transit/decrypt/my-key ciphertext=vault:v1:

This example shows how to use Vault's transit secrets engine for encryption and decryption. The key is created and kept inside Vault; the application only sends plaintext (base64-encoded) and receives a ciphertext prefixed with vault:v1:, where the version number identifies the key version used. The decrypt call returns the base64-encoded plaintext.
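The same transit operations can be driven from the Spring Boot application through the VaultTemplate bean that spring-cloud-starter-vault-config auto-configures. The following service is an added example, not code from the page or the Spring Cloud Vault project; it assumes the transit engine is mounted at its default path and that the key is named "my-key" as above. It also goes one step further than the CLI session and shows key rotation with rewrapping of existing ciphertexts.

```java
// TransitService.java (added example, hypothetical class name)
import org.springframework.stereotype.Service;
import org.springframework.vault.core.VaultTemplate;
import org.springframework.vault.core.VaultTransitOperations;

@Service
public class TransitService {

    // Assumed key name, matching the "vault write -f transit/keys/my-key" step
    private static final String KEY_NAME = "my-key";

    private final VaultTransitOperations transit;

    public TransitService(VaultTemplate vaultTemplate) {
        // opsForTransit() targets the default "transit" mount path
        this.transit = vaultTemplate.opsForTransit();
    }

    // Creates the key if it does not exist yet; the key material stays in Vault
    public void ensureKey() {
        transit.createKey(KEY_NAME);
    }

    // Spring Vault base64-encodes the plaintext for us and returns the
    // "vault:vN:..." ciphertext
    public String encrypt(String plaintext) {
        return transit.encrypt(KEY_NAME, plaintext);
    }

    // Returns the decoded plaintext; only holders of a token with decrypt
    // capability on transit/decrypt/my-key can call this successfully
    public String decrypt(String ciphertext) {
        return transit.decrypt(KEY_NAME, ciphertext);
    }

    // Rotates the key (new ciphertexts use the next version) and rewraps an
    // existing ciphertext under the latest version without exposing plaintext
    public String rotateAndRewrap(String ciphertext) {
        transit.rotate(KEY_NAME);
        return transit.rewrap(KEY_NAME, ciphertext);
    }
}
```

A token that may call encrypt but not decrypt (for example a policy granting only transit/encrypt/my-key) lets a front-end service protect data it is never allowed to read back, which is the main reason to prefer the transit engine over a locally held key.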

Key Points

  • Spring Cloud Vault provides integration with HashiCorp Vault for managing secrets.
  • Allows secure storage of sensitive data in Vault.
  • Supports dynamic secrets for databases and other services.
  • Provides encryption as a service for encrypting and decrypting data.
  • Seamlessly integrates with Spring Boot applications.

Conclusion

Spring Cloud Vault is a powerful tool for managing secrets and protecting sensitive data in a secure manner. By leveraging its features, developers can ensure that their applications handle secrets and data securely, complying with best practices for security and data protection. Happy coding!