### Install Vault using wget and unzip
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/docs/modules/ROOT/pages/quickstart.adoc

This snippet downloads and extracts the Vault binary with `wget` and `unzip`. It requires `wget` and `unzip` on a *NIX-like operating system, and the `vault_version` and `platform` variables must be set beforehand (a Vault release number and a target such as `linux_amd64`). Note that the two commands fetch and unpack an executable without verifying it: HashiCorp publishes a `vault_${vault_version}_SHA256SUMS` file and a detached signature over it next to every release, and an install that cares about its supply chain checks the archive against them before running the binary.

```bash
$ wget https://releases.hashicorp.com/vault/${vault_version}/vault_${vault_version}_${platform}.zip
$ unzip vault_${vault_version}_${platform}.zip
```

--------------------------------

### Run Vault Setup Scripts
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/README.adoc

These bash scripts, located in `src/test/bash`, set up and run a local Vault instance for the Spring Cloud Vault test suite: they install Vault, create the TLS certificates and start the server. The tests themselves expect the resulting Vault instance to be listening on `localhost:8200`.

```bash
$ ./src/test/bash/install_vault.sh
$ ./src/test/bash/create_certificates.sh
$ ./src/test/bash/local_run_vault.sh
```

--------------------------------

### Start Vault Server
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/docs/modules/ROOT/pages/quickstart.adoc

This command starts the Vault server with the given configuration file. It assumes `vault.conf` is present and correctly configured; the server then listens on the configured address and port with TLS enabled. A freshly started server is sealed and must be initialized and unsealed before it serves requests.

```bash
$ vault server -config=vault.conf
```

--------------------------------

### Create Vault Token
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/docs/modules/ROOT/pages/quickstart.adoc

Command to create a Vault token with the `root` policy and a fixed, predictable ID, so that the tests can authenticate with a known token. Only a root token may choose the ID of a new token, which is why this runs after `vault operator init` with `VAULT_TOKEN` set. An all-zero root token is acceptable only for a throwaway local instance: never give an application a root token, let alone a guessable one.
```bash
$ vault token create -id="00000000-0000-0000-0000-000000000000" -policy="root"
```

--------------------------------

### Spring Cloud Vault Configuration Properties (YAML)
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/docs/modules/ROOT/pages/quickstart.adoc

Example YAML configuration for Spring Cloud Vault. These properties define how the application connects to the Vault server: host, port, scheme, timeouts and URI. When `uri` is set it takes precedence over `host`, `port` and `scheme`, so the example is deliberately redundant; `host` is still used for hostname verification of the server certificate.

```yaml
spring.cloud.vault:
    host: localhost
    port: 8200
    scheme: https
    uri: https://localhost:8200
    connection-timeout: 5000
    read-timeout: 15000
spring.config.import: vault://
```

--------------------------------

### Spring Cloud Vault Maven Dependency
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/docs/modules/ROOT/pages/quickstart.adoc

Example Maven configuration to include the Spring Cloud Vault starter dependency in a Spring Boot project. This dependency enables the integration with HashiCorp Vault for external configuration.

```xml
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-vault-config</artifactId>
    <version>{project-version}</version>
</dependency>
```

--------------------------------

### Install and Run Vault for Spring Cloud Vault Tests (Bash)
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/docs/src/main/asciidoc/README.adoc

These bash scripts set up a local HashiCorp Vault instance for testing Spring Cloud Vault: installation, certificate creation and starting the server. The listing is an outline of the three scripts; a root token with a fixed ID is created for testing purposes, which is fine for a disposable test instance and for nothing else.

```bash
#!/bin/bash
# Script to install Vault
# ... (installation commands) ...

# Script to create certificates
# ... (certificate generation commands) ...

# Script to run Vault locally
# ... (Vault startup commands) ...

# Vault will be left uninitialized. Tests will initialize and unseal it.
# Root token: 00000000-0000-0000-0000-000000000000
```

--------------------------------

### Configuring Vault Server Connection
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/docs/modules/ROOT/pages/quickstart.adoc

Customize the connection details for your HashiCorp Vault server using properties in `application.properties` or `application.yml`.

````APIDOC
## Configuring Vault Server Connection

### Description
You can configure how your Spring Boot application connects to the HashiCorp Vault server using properties. These properties can be set in `application.properties` or `application.yml`.

### Configuration Properties

#### `application.yml` Example

```yaml
spring.cloud.vault:
    host: localhost
    port: 8200
    scheme: https
    uri: https://localhost:8200
    connection-timeout: 5000
    read-timeout: 15000
spring.config.import: vault://
```

### Property Descriptions
- **`spring.cloud.vault.host`** (string): Sets the hostname of the Vault host. Used for SSL certificate validation.
- **`spring.cloud.vault.port`** (integer): Sets the Vault port.
- **`spring.cloud.vault.scheme`** (string): Sets the connection scheme. Supported values are `http` and `https`. Defaults to `https`.
- **`spring.cloud.vault.uri`** (string): Configures the Vault endpoint with a URI. This property takes precedence over `host`, `port`, and `scheme`.
- **`spring.cloud.vault.connection-timeout`** (integer): Sets the connection timeout in milliseconds.
- **`spring.cloud.vault.read-timeout`** (integer): Sets the read timeout in milliseconds.
- **`spring.config.import`** (string): Imports Vault as a `PropertySource`. Use `vault://` to enable all enabled secret backends (key-value is enabled by default).
````

--------------------------------

### Basic Spring Boot Application
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/docs/modules/ROOT/pages/quickstart.adoc

A simple Spring Boot application demonstrating a basic HTTP server.
When integrated with Spring Cloud Vault, this application can load configuration properties from Vault.

```java
@SpringBootApplication
@RestController
public class Application {

    @RequestMapping("/")
    public String home() {
        return "Hello World!";
    }

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

}
```

--------------------------------

### Configure Vault Token Authentication in application.yml
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/docs/modules/ROOT/pages/quickstart.adoc

This snippet configures Spring Cloud Vault to authenticate with a static token. It requires `spring.cloud.vault.token` to hold a valid Vault token and `spring.config.import` to be `vault://` so that Vault is imported as a property source. The method is suitable for quickstarts, but a long-lived token in a configuration file is a standing credential: it cannot be rotated without a redeploy, it is readable by anyone with access to the file or the repository, and in the quickstart it is the root token, which grants far more than the application needs. Production deployments should use a machine-oriented method (AppRole, Kubernetes, TLS certificates) that yields a short-lived token carrying a least-privilege policy.

```yaml
spring.cloud.vault:
    token: 19aefa97-cccc-bbbb-aaaa-225940e63d76
spring.config.import: vault://
```

--------------------------------

### Client-Side Usage with Maven
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/docs/modules/ROOT/pages/quickstart.adoc

This section details how to include the Spring Cloud Vault configuration dependency in your Maven project and set up a basic Spring Boot application.

````APIDOC
## Client Side Usage

### Description
To use Spring Cloud Vault in your application, add the `spring-cloud-starter-vault-config` dependency to your `pom.xml`.
### Maven Configuration

```xml
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>${springBootVersion}</version>
</parent>

<dependencies>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-vault-config</artifactId>
        <version>{project-version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
    </dependency>
</dependencies>

<build>
    <plugins>
        <plugin>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-maven-plugin</artifactId>
        </plugin>
    </plugins>
</build>
```

### Basic Spring Boot Application

```java
@SpringBootApplication
@RestController
public class Application {

    @RequestMapping("/")
    public String home() {
        return "Hello World!";
    }

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

}
```

When this application runs, it will attempt to load configuration from a local Vault server (defaulting to `localhost:8200`).
````

--------------------------------

### Vault Server Configuration
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/docs/modules/ROOT/pages/quickstart.adoc

This is a sample configuration file for the Vault server. It uses the in-memory storage backend (`backend "inmem"` is the legacy spelling of the `storage` stanza; all data is lost on restart), configures a TCP listener on port 8200 with TLS enabled using the certificates produced by the setup scripts, and disables memory locking. Two settings are test-only: the listener binds `0.0.0.0`, so the instance is reachable from every interface of the host rather than only from `127.0.0.1`, and `disable_mlock = true` allows Vault's memory, including unsealed key material, to be swapped to disk.

```hcl
backend "inmem" {
}

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_cert_file = "work/ca/certs/localhost.cert.pem"
  tls_key_file = "work/ca/private/localhost.decrypted.key.pem"
}

disable_mlock = true
```

--------------------------------

### Re-generate README.adoc
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/README.adoc

This command regenerates the `README.adoc` file from the `docs/` directory using Maven; the `../mvnw` path implies that it is run from inside `docs/`. It requires Ruby and the Asciidoctor gem to be installed. The build cleans the project, installs the modules and then renders the documentation.
```bash
$ ../mvnw clean install -Pdocs
```

--------------------------------

### Build Project with Maven
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/README.adoc

This command builds the Spring Cloud project using Maven. It requires JDK 17 or later. The command performs a clean install of the project, including running tests and packaging artifacts. The Maven wrapper (`./mvnw`) is used so that every contributor builds with the same Maven version.

```bash
$ ./mvnw install
```

--------------------------------

### Generate Project Documentation (Bash)
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/docs/src/main/asciidoc/README.adoc

This command regenerates the README.adoc documentation for the Spring Cloud Vault project. It requires the Maven Wrapper and Asciidoctor. The documentation is generated from the adoc files located in the `docs/src/main/asciidoc/` directory.

```bash
../mvnw clean install -Pdocs
# Requires ruby and the asciidoctor gem installed (gem install asciidoctor)
```

--------------------------------

### Initialize and Unseal Vault
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/docs/modules/ROOT/pages/quickstart.adoc

These commands initialize and unseal a Vault server. First, `VAULT_ADDR` and `VAULT_SKIP_VERIFY` are exported for the client; `VAULT_SKIP_VERIFY=true` disables TLS certificate verification and is tolerable here only because the quickstart server uses a self-signed certificate (with a real CA, point `VAULT_CACERT` at its certificate instead). `vault operator init` initializes the server and prints the unseal keys and the initial root token. `vault operator unseal` is then run once per key until the threshold is reached (three of the default five shares), and the root token is exported as `VAULT_TOKEN` for subsequent operations. Keep the unseal keys and root token out of shell history and chat logs; the `(Key n)` and `(Root token)` placeholders below stand for values copied from the `init` output.

```bash
$ export VAULT_ADDR="https://localhost:8200"
$ export VAULT_SKIP_VERIFY=true # Don't do this for production
$ vault operator init
# ... (output of init command with keys and root token) ...
$ vault operator unseal (Key 1)
$ vault operator unseal (Key 2)
$ vault operator unseal (Key 3)
$ export VAULT_TOKEN=(Root token)
```

--------------------------------

### Vault Health Indicator
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/docs/modules/ROOT/pages/quickstart.adoc

If `spring-boot-starter-actuator` is on the classpath, Spring Cloud Vault contributes a health indicator for the Vault server to the application's health endpoint (`/health`; since Spring Boot 2 the actuator endpoints are served below `/actuator` by default, so the full path is `/actuator/health`).

````APIDOC
## Vault Health Indicator

### Description
When the `spring-boot-starter-actuator` dependency is present, Spring Cloud Vault exposes a health indicator for the Vault server. This indicator can be accessed through the application's `/health` endpoint.

### Configuration
- **`management.health.vault.enabled`** (boolean): Enables or disables the Vault health indicator. Defaults to `true`.

### Endpoint
`/health`

### Response Example (if Vault is healthy)

```json
{
  "status": "UP",
  "vault": {
    "status": "UP"
  }
}
```

### Response Example (if Vault is down)

```json
{
  "status": "DOWN",
  "vault": {
    "status": "DOWN",
    "error": "Vault is unreachable"
  }
}
```

The examples show the shape only. The exact JSON depends on the Spring Boot version and on `management.endpoint.health.show-details`; with the default setting, per-component details such as the `error` text are not exposed to callers.
````

--------------------------------

### Authentication Mechanisms
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/docs/modules/ROOT/pages/quickstart.adoc

Vault requires an authentication mechanism to authorize client requests. Spring Cloud Vault supports various authentication methods.

````APIDOC
## Authentication

### Description
HashiCorp Vault requires clients to authenticate before authorizing requests. Spring Cloud Vault supports multiple authentication mechanisms to securely connect to Vault.
### Supported Mechanisms
Refer to the official HashiCorp Vault documentation for a comprehensive list of supported authentication methods:

- [Vault Authentication Concepts](https://www.vaultproject.io/docs/concepts/auth.html)
- [Vault Tokens](https://www.vaultproject.io/docs/concepts/tokens.html)

The method Spring Cloud Vault uses is selected with `spring.cloud.vault.authentication` (for example `TOKEN`, `APPROLE`, `KUBERNETES`, `CERT`, `GITHUB`, `PCF`, `CUBBYHOLE`); each method's own settings live under a matching sub-namespace such as `spring.cloud.vault.app-role.*`, as the authentication snippets elsewhere on this page show.
````

--------------------------------

### Keytool and OpenSSL for Vault SSL/TLS Setup
Source: https://context7.com/spring-cloud/spring-cloud-vault/llms.txt

Bash commands using `keytool` and `openssl` to create the Java KeyStores that Spring Cloud Vault's SSL configuration consumes: a truststore holding the Vault CA certificate (referenced via `spring.cloud.vault.ssl.trust-store`) and a keystore holding the client certificate and private key for TLS client authentication (`spring.cloud.vault.ssl.key-store`). `changeit` is the placeholder password used throughout; pick real passwords and supply them through `spring.cloud.vault.ssl.trust-store-password` and `spring.cloud.vault.ssl.key-store-password` from the environment rather than from a committed file. The final conversion to JKS is for tooling that insists on JKS; the JDK reads the PKCS12 file directly.

```bash
# Create truststore with Vault CA certificate
keytool -import -alias vault-ca \
  -file vault-ca.pem \
  -keystore vault-truststore.jks \
  -storepass changeit \
  -noprompt

# Create keystore for client certificate authentication
openssl pkcs12 -export \
  -in client.pem \
  -inkey client-key.pem \
  -out client.p12 \
  -name client \
  -password pass:changeit

keytool -importkeystore \
  -srckeystore client.p12 \
  -srcstoretype PKCS12 \
  -srcstorepass changeit \
  -destkeystore client-keystore.jks \
  -deststoretype JKS \
  -deststorepass changeit
```

--------------------------------

### Vault CLI TLS Certificate Authentication Setup
Source: https://context7.com/spring-cloud/spring-cloud-vault/llms.txt

Demonstrates setting up TLS certificate authentication in Vault with the CLI: enabling the `cert` auth method and writing a role that maps client certificates issued by the given CA (`certificate=@client-ca.pem`) to Vault policies and a token TTL. Every certificate chaining to that CA authenticates as the role unless the role is narrowed further (for example with `allowed_common_names`), so the issuing CA should be dedicated to this purpose.
```bash
# Vault CLI - Configure TLS certificate authentication
vault auth enable cert

vault write auth/cert/certs/my-cert-role \
  display_name=my-app \
  policies=my-policy \
  certificate=@client-ca.pem \
  ttl=3600
```

--------------------------------

### Maven Dependency Setup for Spring Cloud Vault
Source: https://context7.com/spring-cloud/spring-cloud-vault/llms.txt

Add the Spring Cloud Vault starter dependency to your Maven project to enable integration with HashiCorp Vault. This dependency provides automatic configuration for secret management.

```xml
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>3.2.0</version>
</parent>

<dependencies>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-vault-config</artifactId>
        <version>4.1.0</version>
    </dependency>
</dependencies>
```

--------------------------------

### Manage Secrets with Vault CLI Key-Value Backend
Source: https://context7.com/spring-cloud/spring-cloud-vault/llms.txt

Enables the KV secrets engine (version 2), stores application secrets and reads them back with the Vault CLI. General secrets go under `secret/my-app` and profile-specific secrets under `secret/my-app/production`, which matches the `secret/{application}/{profile}` context paths Spring Cloud Vault reads. Two practical notes: `vault secrets enable` fails if `secret/` is already mounted (the Vault dev server mounts it as KV v2 automatically), and secret values typed on the command line end up in shell history, so for real values read them from a file (`vault kv put secret/my-app @data.json`) or from stdin instead. On a KV v2 mount the HTTP path of `secret/my-app` is `secret/data/my-app`, which is the path a token policy must grant.

```bash
# Vault CLI - Store and retrieve secrets

# Enable KV secrets engine v2
vault secrets enable -version=2 -path=secret kv

# Store secrets for the application
vault kv put secret/my-app \
  database.username=myuser \
  database.password=mysecretpassword \
  api.key=abc123xyz

# Store profile-specific secrets
vault kv put secret/my-app/production \
  database.username=produser \
  database.password=prodpassword

# Read secrets
vault kv get secret/my-app
# Output:
# ====== Data ======
# Key                  Value
# ---                  -----
# api.key              abc123xyz
# database.password    mysecretpassword
# database.username    myuser
```

--------------------------------

### Customize Secret Backends with VaultConfigurer (Java)
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/docs/modules/ROOT/pages/secret-backends.adoc

Provides a custom implementation of VaultConfigurer to define how secret backends are exposed as PropertySources.
This example adds a specific backend and controls the registration of default key-value and discovered backends. With `registerDefaultKeyValueSecretBackends(false)` the application-name and profile based context paths are no longer registered, so only `secret/my-application` (plus any discovered backends) contributes properties.

```java
public class MyConfigurer implements VaultConfigurer {

    @Override
    public void addSecretBackends(SecretBackendConfigurer configurer) {
        // expose exactly this key-value path as a property source
        configurer.add("secret/my-application");
        // do not register the default secret/{application}/{profile} contexts
        configurer.registerDefaultKeyValueSecretBackends(false);
        // keep backends discovered from other descriptors (database backends etc.)
        configurer.registerDefaultDiscoveredSecretBackends(true);
    }

}
```

--------------------------------

### Customizing ClientHttpRequestFactory (Java)
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/docs/modules/ROOT/pages/config-data.adoc

Java example for customizing the `ClientHttpRequestFactory` used by Spring Cloud Vault: create `ClientOptions` and an `SslConfiguration`, obtain an Apache HttpComponents `HttpClientBuilder` from them, and supply a `ClientFactoryWrapper` built from that client. `SslConfiguration.unconfigured()` means the JVM's default trust material is used; to pin the Vault CA or present a client certificate, build the `SslConfiguration` from your key and trust stores instead.

```java
ClientOptions options = new ClientOptions();
SslConfiguration sslConfiguration = SslConfiguration.unconfigured();
HttpClientBuilder builder = HttpComponents.getHttpClientBuilder(options, sslConfiguration);

// customize the builder (proxy, interceptors, ...) before the request factory is created
InstanceSupplier<ClientFactoryWrapper> supplier = context ->
        new ClientFactoryWrapper(new HttpComponentsClientHttpRequestFactory(builder.build()));
```

--------------------------------

### Configure Cassandra Backend (Properties)
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/docs/modules/ROOT/pages/secret-backends.adoc

This example enables Spring Cloud Vault's integration with the Cassandra secrets backend. It requires `spring.cloud.vault.cassandra.enabled=true` and a role name in `spring.cloud.vault.cassandra.role`; Vault then issues dynamic Cassandra credentials for that role, and the generated username and password can be mapped to Cassandra-specific properties.
```properties
spring.cloud.vault.cassandra.enabled=true
spring.cloud.vault.cassandra.role=your_cassandra_role
```

--------------------------------

### Registering Custom Vault Backend with Spring Boot
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/docs/modules/ROOT/pages/secret-backends.adoc

Example of registering a custom `VaultConfigurer` through Spring Boot's bootstrap registry. This runs before the application context exists, which is required because Spring Cloud Vault loads configuration during the config-data phase of startup.

```java
SpringApplication application = new SpringApplication(MyApplication.class);
application.addBootstrapRegistryInitializer(VaultBootstrapper.fromConfigurer(new MyConfigurer()));
```

--------------------------------

### Make Vault Configuration Optional
Source: https://context7.com/spring-cloud/spring-cloud-vault/llms.txt

Allows the application to start even when Vault is unavailable, which is typically wanted in development environments. The `optional:` prefix on the import stops a missing or unreachable Vault from failing startup, and `spring.cloud.vault.enabled` (here driven by the `VAULT_ENABLED` environment variable) switches the integration off entirely. Be aware of the failure mode: with `optional:` the application may start without the secrets it expects and silently fall back to defaults from other property sources.

```yaml
spring:
  config:
    import: optional:vault://
  cloud:
    vault:
      enabled: ${VAULT_ENABLED:true}
```

--------------------------------

### Vault Secret Endpoints
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/docs/modules/ROOT/pages/quickstart.adoc

Spring Cloud Vault accesses configuration secrets through specific JSON endpoints in Vault. The structure of these endpoints depends on the application name and active profiles.

````APIDOC
## Vault Secret Endpoints

### Description
Spring Cloud Vault accesses secrets stored in HashiCorp Vault. The default secret backend exposes configuration settings via JSON endpoints. The structure of these endpoints is:

- `/secret/{application}/{profile}`
- `/secret/{application}`
- `/secret/{defaultContext}/{profile}`
- `/secret/{defaultContext}`

Where `{application}` is typically `spring.application.name` and `{profile}` refers to active Spring profiles. The paths are listed from most to least specific: a property found in a more specific context overrides the same property from a less specific one. On a KV version 2 mount the HTTP path carries an extra `data/` segment (`/secret/data/{application}`), which Spring Cloud Vault inserts automatically; the context paths above are what you configure and what appears in property source names.

### Method
GET

### Endpoint
`/secret/{application}/{profile}` or other variations as listed above.
### Parameters

#### Path Parameters
- **application** (string) - Required - The name of the Spring Boot application.
- **profile** (string) - Optional - The active Spring profile(s).
- **defaultContext** (string) - Optional - A default context for secrets.

### Response

#### Success Response (200)
- **key** (string) - The configuration property key.
- **value** (string) - The configuration property value.

#### Response Example

```json
{
  "my.property": "my.value"
}
```
````

--------------------------------

### Generating SHA256 Hash for Mac Address UserId
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/docs/modules/ROOT/pages/authentication.adoc

Command-line example to generate the SHA256 hash of a MAC address for use as the UserId in AppId authentication. The MAC address must be uppercase and without colons, and `-n` is essential: without it `echo` appends a newline, the digest changes, and the UserId no longer matches the one Spring Cloud Vault computes. Note that Vault's AppId auth method is deprecated in favor of AppRole.

```bash
$ echo -n 0AFEDE1234AC | sha256sum
```

--------------------------------

### Generating SHA256 Hash for IP Address UserId
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/docs/modules/ROOT/pages/authentication.adoc

Command-line example to generate the SHA256 hash of an IP address for use as the UserId in AppId authentication. Again, `-n` prevents `echo` from appending a newline that would change the hash.

```bash
$ echo -n 192.168.99.1 | sha256sum
```

--------------------------------

### Download Spring Cloud Build Formatting Files (Bash)
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/README.adoc

These commands fetch the `.editorconfig` file from the Spring Cloud Build repository and create an empty `.springformat` marker file. `.editorconfig` keeps code styling consistent across editors; the presence of `.springformat` tells the Spring Java Format plugin to apply the project's formatting conventions.
```bash
$ curl https://raw.githubusercontent.com/spring-cloud/spring-cloud-build/main/.editorconfig -o .editorconfig
$ touch .springformat
```

--------------------------------

### Configure AppRole Authentication with RoleId in Spring Cloud Vault
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/docs/modules/ROOT/pages/authentication.adoc

This YAML configuration sets up AppRole authentication in Spring Cloud Vault with only a RoleId. This works only if the role was created with `bind_secret_id=false`; in that mode the RoleId alone is the credential and must be treated as a secret. The usual setup keeps `bind_secret_id` enabled and supplies a SecretId as well, as in the full AppRole configuration elsewhere on this page.

```yaml
spring.cloud.vault:
    authentication: APPROLE
    app-role:
        role-id: bde2076b-cccb-3cf0-d57e-bca7b1e83a52
```

--------------------------------

### Create Wrapped Token using Vault CLI
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/docs/modules/ROOT/pages/authentication.adoc

This shell command creates a response-wrapped token with the Vault CLI (the legacy `vault token-create` spelling shown here corresponds to `vault token create` in current CLIs). The wrapping token has a TTL of 10 minutes and can be unwrapped exactly once; the `wrapped_accessor` lets you check whether somebody else unwrapped it first. Spring Cloud Vault consumes such a token with `spring.cloud.vault.authentication: CUBBYHOLE` and the wrapping token in `spring.cloud.vault.token`.

```shell
$ vault token-create -wrap-ttl="10m"
Key                            Value
---                            -----
wrapping_token:                397ccb93-ff6c-b17b-9389-380b01ca2645
wrapping_token_ttl:            0h10m0s
wrapping_token_creation_time:  2016-09-18 20:29:48.652957077 +0200 CEST
wrapped_accessor:              46b6aebb-187f-932a-26d7-4f3d86a68319
```

--------------------------------

### IntelliJ IDEA Code Style Import (XML)
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/README.adoc

This XML file contains project-specific code style conventions for IntelliJ IDEA. Importing this scheme makes the IDE apply formatting rules such as indentation, spacing and bracing style consistent with the Spring Cloud project standards, which keeps the codebase uniform.
```xml
```

--------------------------------

### Custom Static UserId Configuration for Spring Cloud Vault AppId
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/docs/modules/ROOT/pages/authentication.adoc

Example of configuring a custom static UserId for AppId authentication in Spring Cloud Vault. The `spring.cloud.vault.app-id.user-id` property can be set to any string value; since the UserId is one half of the AppId credential pair, a static value has the same exposure as a static token and should not be committed.

```yaml
spring.cloud.vault:
    app-id:
        user-id: "my-custom-static-userid"
```

--------------------------------

### Initialize Vault and Set Address
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/README.adoc

Sets the Vault address environment variable and disables TLS verification (not recommended for production). It then initializes Vault, generating the unseal keys and the initial root token.

```bash
$ export VAULT_ADDR="https://localhost:8200"
$ export VAULT_SKIP_VERIFY=true # Don't do this for production
$ vault operator init
```

--------------------------------

### Unseal Vault and Export Token (Bash)
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/README.adoc

This snippet shows the CLI commands to unseal a Vault instance with three of the unseal keys printed by `vault operator init`, and how to export the initial root token as `VAULT_TOKEN` for authenticated access. The `(Key n)` and `(Root token)` placeholders stand for values from the `init` output.

```bash
$ vault operator unseal (Key 1)
$ vault operator unseal (Key 2)
$ vault operator unseal (Key 3)
$ export VAULT_TOKEN=(Root token)
```

--------------------------------

### Configure Multiple Database Backends (YAML)
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/docs/modules/ROOT/pages/secret-backends.adoc

This configuration sets up multiple database secret backends using the `spring.cloud.vault.databases.*` namespace.
Each backend is given a descriptive name (for example `primary`, `other-database`) and gets its own role, backend mount path, and property names under which the generated username and password are exposed. Spring Cloud Vault requests credentials from `{backend}/creds/{role}` for each entry, so the token the application authenticates with needs `read` on each of those paths, and the resulting leases are renewed per backend while the application runs.

```yaml
spring.cloud.vault:
    databases:
        primary:
            enabled: true
            role: readwrite
            backend: database
            username-property: spring.primary-datasource.username
            password-property: spring.primary-datasource.password
        other-database:
            enabled: true
            role: readonly
            backend: database
            username-property: spring.secondary-datasource.username
            password-property: spring.secondary-datasource.password
```

--------------------------------

### Enable Vault Fail-Fast Mode
Source: https://context7.com/spring-cloud/spring-cloud-vault/llms.txt

Enables fail-fast mode for Spring Cloud Vault, so that startup fails immediately if Vault is unavailable instead of the application running with incomplete configuration. It also sets connection and read timeouts so that an unreachable Vault is detected after a bounded wait rather than after the HTTP client's defaults.

```yaml
# application.yml - Fail-Fast Mode
spring:
  config:
    import: vault://
  cloud:
    vault:
      fail-fast: true
      connection-timeout: 5000
      read-timeout: 15000
```

--------------------------------

### Configure GitHub Authentication for Vault
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/docs/modules/ROOT/pages/authentication.adoc

Enables authentication with Vault using a GitHub personal access token. The token can be provided directly or, if configured and the GitHub CLI is installed, retrieved from the CLI. A personal access token is a user credential tied to one person's GitHub account, which makes this method a fit for developer workstations rather than for services.

```yaml
spring.cloud.vault:
    authentication: GITHUB
    github:
        token: gho_…
```

--------------------------------

### Initialize ClientFactoryWrapper with HttpComponentsClientHttpRequestFactory
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/docs/modules/ROOT/pages/config-data.adoc

This snippet shows how to initialize a ClientFactoryWrapper using an HttpComponentsClientHttpRequestFactory.
It completes the `ClientHttpRequestFactory` customization: the `ClientFactoryWrapper` built from the HttpComponents client (`builder` is the `HttpClientBuilder` created earlier) is registered in the bootstrap registry before the application context starts, so that Spring Cloud Vault's config-data loader uses that client for every request to Vault.

```java
InstanceSupplier<ClientFactoryWrapper> supplier = context ->
        new ClientFactoryWrapper(new HttpComponentsClientHttpRequestFactory(builder.build()));

SpringApplication application = new SpringApplication(MyApplication.class);
application.addBootstrapRegistryInitializer(registry -> registry.register(ClientFactoryWrapper.class, supplier));
```

--------------------------------

### IntelliJ IDEA Inspection Profile Import (XML)
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/README.adoc

This XML file defines project-wide inspection profiles for IntelliJ IDEA. Importing this profile enables a set of code analysis rules that detect potential errors, code smells and stylistic issues; it complements Checkstyle with deeper code-quality checks inside the IDE.

```xml
```

--------------------------------

### Configure AppRole Authentication with Full Properties in Spring Cloud Vault
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/docs/modules/ROOT/pages/authentication.adoc

This configuration shows a complete AppRole setup in Spring Cloud Vault: RoleId, SecretId, role name and the mount path of the AppRole auth method. The SecretId is the actual secret and should not be committed next to the RoleId; deliver it at deploy time (environment variable, mounted file, or a response-wrapped token), because a RoleId and SecretId pair stored together in one file is no better than a static token.

```yaml
spring.cloud.vault:
    authentication: APPROLE
    app-role:
        role-id: bde2076b-cccb-3cf0-d57e-bca7b1e83a52
        secret-id: 1696536f-1976-73b1-b241-0b4213908d39
        role: my-role
        app-role-path: approle
```

--------------------------------

### Generate Eclipse Project Metadata with Maven Wrapper
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/README.adoc

This command generates Eclipse project metadata using the Maven Wrapper, so the project can be imported into Eclipse without the m2eclipse plugin.
```bash
./mvnw eclipse:eclipse
```

--------------------------------

### Vault CLI Commands for Kubernetes Authentication
Source: https://context7.com/spring-cloud/spring-cloud-vault/llms.txt

Vault CLI commands to configure the Kubernetes auth method: enable it, point it at the API server together with the cluster CA certificate, and define a role bound to specific service accounts and namespaces with a set of policies and a token TTL. The `@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt` path assumes the commands run inside a pod of the same cluster. Keep `bound_service_account_names` and `bound_service_account_namespaces` as narrow as possible; a `*` in either lets every service account in the cluster (or namespace) obtain the role's policies.

```bash
# Vault CLI - Configure Kubernetes auth backend
vault auth enable kubernetes

vault write auth/kubernetes/config \
  kubernetes_host="https://kubernetes.default.svc:443" \
  kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

vault write auth/kubernetes/role/my-dev-role \
  bound_service_account_names=my-app \
  bound_service_account_namespaces=default \
  policies=my-policy \
  ttl=1h
```

--------------------------------

### Pivotal CloudFoundry (PCF) Authentication - Full Configuration
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/docs/modules/ROOT/pages/authentication.adoc

A complete configuration for Spring Cloud Vault's PCF authentication backend: the role, the mount path of the PCF auth method, and the paths of the instance certificate and key files. The certificate and key paths default to the values of the `CF_INSTANCE_CERT` and `CF_INSTANCE_KEY` environment variables that CloudFoundry sets for each instance, so they only need to be given when they differ.

```yaml
spring.cloud.vault:
    authentication: PCF
    pcf:
        role: my-dev-role
        pcf-path: path
        instance-certificate: /etc/cf-instance-credentials/instance.crt
        instance-key: /etc/cf-instance-credentials/instance.key
```

--------------------------------

### Vault CLI Consul Secrets Engine Configuration
Source: https://context7.com/spring-cloud/spring-cloud-vault/llms.txt

Shows how to set up and use the Consul secrets engine with the Vault CLI: enabling the engine, giving Vault access to Consul, defining a role for token generation, and reading a generated Consul token. The management token handed to Vault is a highly privileged Consul credential (Vault mints every dynamic token with it), so pass it from a file rather than on the command line, and add `scheme=https` unless Consul really is reachable over plain HTTP only.
```bash
# Vault CLI - Configure Consul secrets engine
vault secrets enable consul

vault write consul/config/access \
  address=consul.example.com:8500 \
  token=consul-management-token

vault write consul/roles/readonly \
  policies=readonly-policy \
  ttl=1h

# Generate Consul token
vault read consul/creds/readonly
```

--------------------------------

### Configure Vault Database Secrets Engine using Vault CLI
Source: https://context7.com/spring-cloud/spring-cloud-vault/llms.txt

Sets up the database secrets engine in Vault for dynamic credential generation: enable the engine, configure the connection for a database type (here PostgreSQL), and define a role whose `creation_statements` create a short-lived database role for each lease, with default and maximum TTLs. The example cuts corners that a real deployment should not: `sslmode=disable` sends the credentials to PostgreSQL in clear, the `vault` database user's password is typed on the command line, and it remains known outside Vault afterwards (run `vault write -f database/rotate-root/my-postgresql-database` once the connection works, so that only Vault holds it). The `GRANT SELECT ON ALL TABLES IN SCHEMA public` statement is as broad as its name says; scope it to the tables the role needs.

```bash
# Vault CLI - Configure Database secrets engine for PostgreSQL
vault secrets enable database

vault write database/config/my-postgresql-database \
  plugin_name=postgresql-database-plugin \
  allowed_roles="readonly,readwrite" \
  connection_url="postgresql://{{username}}:{{password}}@localhost:5432/mydb?sslmode=disable" \
  username="vault" \
  password="vaultpassword"

vault write database/roles/readonly \
  db_name=my-postgresql-database \
  creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
    GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
  default_ttl="1h" \
  max_ttl="24h"

# Generate credentials
vault read database/creds/readonly
# Output:
# Key              Value
# ---              -----
# lease_id         database/creds/readonly/xxx
# lease_duration   1h
# username         v-root-readonly-xxx
# password         A1a-xxx
```

--------------------------------

### Import Vault Configuration Locations (YAML)
Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/docs/modules/ROOT/pages/config-data.adoc

Demonstrates how to import multiple Vault configuration locations using the `spring.config.import` property in `application.yml`. Each location is mounted as its own property source in the listed order: `vault://some/path` mounts exactly that key-value path, while a bare `vault://` stands for the default context paths derived from the application name and active profiles.
```yaml
spring.config.import: vault://first/context/path, vault://other/path, vault://
```

--------------------------------

### Configure Duplicate Finder Maven Plugin

Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/README.adoc

This snippet shows how to add the duplicate-finder-maven-plugin to the build section of a Maven project's pom.xml. The plugin then runs during the verify phase and flags duplicate classes and resources on the classpath.

```xml
<build>
    <plugins>
        <plugin>
            <groupId>org.basepom.maven</groupId>
            <artifactId>duplicate-finder-maven-plugin</artifactId>
        </plugin>
    </plugins>
</build>
```

--------------------------------

### Application Configuration Properties

Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/README.adoc

Configure the connection details and behavior of Spring Cloud Vault through application properties.

````APIDOC
## Application Configuration Properties

### Description
Customize how your Spring Boot application connects to and interacts with HashiCorp Vault by setting properties in `application.properties` or `application.yml`.

### Properties
- **`spring.cloud.vault.host`** (String): Hostname of the Vault server. The host name is also used for SSL certificate validation.
- **`spring.cloud.vault.port`** (Integer): Port of the Vault server.
- **`spring.cloud.vault.scheme`** (String): Connection scheme (`http` or `https`). Defaults to `https`.
- **`spring.cloud.vault.uri`** (String): Full URI to the Vault endpoint. Overrides `host`, `port`, and `scheme` if set.
- **`spring.cloud.vault.connection-timeout`** (Integer): Connection timeout in milliseconds.
- **`spring.cloud.vault.read-timeout`** (Integer): Read timeout in milliseconds.
- **`spring.config.import`** (String): Imports configuration from Vault. Set to `vault://` to enable Vault as a property source.

### Example (`application.yml`)
```yaml
spring.cloud.vault:
  host: localhost
  port: 8200
  scheme: https
  uri: https://localhost:8200
  connection-timeout: 5000
  read-timeout: 15000
spring.config.import: vault://
```
````

--------------------------------

### Basic Vault Configuration in application.yml

Source: https://context7.com/spring-cloud/spring-cloud-vault/llms.txt

Configure Vault connection details in your application.yml file to establish connectivity with the Vault server. This includes host, port, scheme, timeouts, and the authentication method (here a static token).

```yaml
# application.yml
spring:
  application:
    name: my-application
  config:
    import: vault://
  cloud:
    vault:
      host: localhost
      port: 8200
      scheme: https
      uri: https://localhost:8200
      connection-timeout: 5000
      read-timeout: 15000
      authentication: TOKEN
      token: s.xxxxxxxxxxxxxxxxxxxxxxxx
```

--------------------------------

### Client Side Usage with Maven

Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/README.adoc

To use Spring Cloud Vault in your application, add the `spring-cloud-starter-vault-config` dependency to your Maven project.

````APIDOC
## Client Side Usage with Maven

### Description
This section details how to include Spring Cloud Vault configuration in your Spring Boot application using Maven. By adding the starter dependency, your application can automatically load configuration properties from HashiCorp Vault.

### Maven Dependency
```xml
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-vault-config</artifactId>
    <version>{project-version}</version>
</dependency>
```

### Usage
Add the above dependency to your `pom.xml`. Ensure you have a compatible Spring Boot version. The starter will automatically configure Vault as a property source if Vault is accessible and configured.
````

--------------------------------

### Vault CLI AWS Secrets Engine Configuration

Source: https://context7.com/spring-cloud/spring-cloud-vault/llms.txt

Demonstrates how to configure and use the AWS secrets engine with the Vault CLI.
This includes enabling the engine, setting the root AWS credentials Vault uses to mint credentials, defining roles for dynamic credential generation, and reading generated credentials. The access and secret keys below are the AWS documentation's example values, not real credentials.

```bash
# Vault CLI - Configure AWS secrets engine
vault secrets enable aws

vault write aws/config/root \
    access_key=AKIAIOSFODNN7EXAMPLE \
    secret_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY \
    region=us-east-1

vault write aws/roles/my-aws-role \
    credential_type=assumed_role \
    role_arns=arn:aws:iam::123456789012:role/my-app-role \
    default_sts_ttl=3600

# Generate credentials
vault read aws/creds/my-aws-role
```

--------------------------------

### Configure Vault AWS Auth Backend using Vault CLI

Source: https://context7.com/spring-cloud/spring-cloud-vault/llms.txt

Sets up the AWS authentication backend in Vault so that clients can authenticate with AWS IAM credentials. This involves enabling the backend, configuring the client access keys Vault uses to call AWS, and defining roles with bound IAM principal ARNs and policies.

```bash
# Vault CLI - Configure AWS auth backend
vault auth enable aws

vault write auth/aws/config/client \
    access_key=AKIAIOSFODNN7EXAMPLE \
    secret_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

vault write auth/aws/role/my-aws-role \
    auth_type=iam \
    bound_iam_principal_arn=arn:aws:iam::123456789012:role/my-ecs-task-role \
    policies=my-policy \
    ttl=1h
```

--------------------------------

### Implement Custom Vault Secret Backend Configurer

Source: https://context7.com/spring-cloud/spring-cloud-vault/llms.txt

Provides a custom implementation of `VaultConfigurer` to programmatically define which secret backends Spring Cloud Vault exposes as property sources. This allows fine-grained control over secret backend registration, including switching off the default key-value backends.
```java
// MyVaultConfigurer.java - Custom secret backend configuration
import org.springframework.cloud.vault.config.SecretBackendConfigurer;
import org.springframework.cloud.vault.config.VaultConfigurer;

public class MyVaultConfigurer implements VaultConfigurer {

    @Override
    public void addSecretBackends(SecretBackendConfigurer configurer) {
        // Add custom secret paths
        configurer.add("secret/my-application");
        configurer.add("secret/shared/common");
        configurer.add("secret/team/database-credentials");

        // Optionally disable default backends
        configurer.registerDefaultKeyValueSecretBackends(false);
        configurer.registerDefaultDiscoveredSecretBackends(true);
    }
}
```

```java
// Application.java - Register custom configurer
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.vault.config.VaultBootstrapper;

@SpringBootApplication
public class Application {

    public static void main(String[] args) {
        SpringApplication application = new SpringApplication(Application.class);
        // The configurer must be registered before the context starts, via the bootstrap registry
        application.addBootstrapRegistryInitializer(
            VaultBootstrapper.fromConfigurer(new MyVaultConfigurer())
        );
        application.run(args);
    }
}
```

--------------------------------

### Configure Vault Client SSL Settings

Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/docs/modules/ROOT/pages/advanced-topics.adoc

Declaratively configures SSL settings for the Vault client. You can set JVM-wide settings using `javax.net.ssl.trustStore` or client-specific settings using `spring.cloud.vault.ssl.*`. Restricting protocols and cipher suites requires Apache Http Components or OkHttp on the classpath. Supported properties include `trust-store`, `trust-store-password`, `trust-store-type`, `enabled-protocols`, and `enabled-cipher-suites`.

```yaml
spring.cloud.vault:
  ssl:
    trust-store: classpath:keystore.jks
    trust-store-password: changeit
    trust-store-type: JKS
    enabled-protocols: TLSv1.2,TLSv1.3
    enabled-cipher-suites: TLS_AES_128_GCM_SHA256
```

--------------------------------

### Vault CLI Commands for AppRole Authentication

Source: https://context7.com/spring-cloud/spring-cloud-vault/llms.txt

Use Vault CLI commands to enable AppRole authentication, create a role, and retrieve the RoleId and SecretId.
These credentials are then used in the Spring Cloud Vault configuration. The role below limits how often and for how long a SecretId and the resulting tokens can be used.

```bash
# Vault CLI - Create AppRole and retrieve credentials
vault auth enable approle

vault write auth/approle/role/my-role \
    secret_id_ttl=10m \
    token_num_uses=10 \
    token_ttl=20m \
    token_max_ttl=30m \
    secret_id_num_uses=40

# Get RoleId
vault read auth/approle/role/my-role/role-id
# Output: role_id    bde2076b-cccb-3cf0-d57e-bca7b1e83a52

# Get SecretId
vault write -f auth/approle/role/my-role/secret-id
# Output: secret_id    1696536f-1976-73b1-b241-0b4213908d39
```

--------------------------------

### Configure Multiple DataSources with Spring Boot

Source: https://context7.com/spring-cloud/spring-cloud-vault/llms.txt

A Java configuration class using Spring Boot's `DataSourceBuilder` to create and configure multiple `DataSource` beans. It is used together with the multiple-database configuration in application.yml to manage connections to different database instances; each bean is bound to its own property prefix.

```java
// DataSourceConfig.java - Multiple DataSource configuration
import javax.sql.DataSource;

import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.jdbc.DataSourceBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;

@Configuration
public class DataSourceConfig {

    @Bean
    @Primary
    @ConfigurationProperties("spring.primary-datasource")
    public DataSource primaryDataSource() {
        return DataSourceBuilder.create().build();
    }

    @Bean
    @ConfigurationProperties("spring.analytics-datasource")
    public DataSource analyticsDataSource() {
        return DataSourceBuilder.create().build();
    }
}
```

--------------------------------

### Pivotal CloudFoundry (PCF) Authentication - Basic Configuration

Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/docs/modules/ROOT/pages/authentication.adoc

Sets up Spring Cloud Vault to use the PCF authentication backend with a minimal configuration. This requires specifying the authentication method as `PCF` and defining a role for authentication.
```yaml
spring.cloud.vault:
  authentication: PCF
  pcf:
    role: my-dev-role
```

--------------------------------

### Customize Duplicate Finder Ignored Patterns

Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/README.adoc

This configuration demonstrates how to specify custom ignored class and resource patterns for the duplicate-finder-maven-plugin. This is useful for excluding specific files or classes that are known to cause false positives during the duplicate check.

```xml
<plugin>
    <groupId>org.basepom.maven</groupId>
    <artifactId>duplicate-finder-maven-plugin</artifactId>
    <configuration>
        <ignoredClassPatterns>
            <ignoredClassPattern>org.joda.time.base.BaseDateTime</ignoredClassPattern>
            <ignoredClassPattern>.*module-info</ignoredClassPattern>
        </ignoredClassPatterns>
        <ignoredResourcePatterns>
            <ignoredResourcePattern>changelog.txt</ignoredResourcePattern>
        </ignoredResourcePatterns>
    </configuration>
</plugin>
```

--------------------------------

### KeyValue Mount Discovery

Source: https://github.com/spring-cloud/spring-cloud-vault/blob/main/docs/modules/ROOT/pages/authentication.adoc

Retrieves information about a KeyValue mount in Vault.

````APIDOC
## KeyValue Mount Discovery

### Description
This endpoint allows you to discover and retrieve metadata about a specific KeyValue (KV) secrets engine mount configured in Vault. It is useful for learning the configuration and capabilities of a KV store, in particular whether it is a KV v1 or KV v2 mount (`options.version`).

### Method
`GET`

### Endpoint
`sys/internal/ui/mounts/$mountPath`

### Parameters

#### Path Parameters
* **$mountPath** (string) - Required - The path of the KV secrets engine mount to query (e.g., `secret`).

#### Query Parameters
None

#### Request Body
None

### Request Example
`GET sys/internal/ui/mounts/secret`

### Response

#### Success Response (200)
* **type** (string) - The type of the mount (e.g., `kv`).
* **description** (string) - A description of the mount.
* **config** (object) - Configuration details for the mount.
* **local** (boolean) - Whether the mount is local.
* **options** (object) - Options associated with the mount.
* **uuid** (string) - The unique identifier for the mount.
* **external_entropy_source** (boolean) - Indicates if an external entropy source is configured.
* **default_lease_ttl** (integer) - The default lease time to live for secrets in seconds.
* **max_lease_ttl** (integer) - The maximum lease time to live for secrets in seconds.

#### Response Example
```json
{
  "type": "kv",
  "description": "KV v2 secrets engine",
  "config": {
    "default_lease_ttl": 0,
    "force_no_cache": false,
    "max_lease_ttl": 0,
    "audit_non_HMAC_request_keys": [],
    "audit_HMAC_request_keys": []
  },
  "local": false,
  "options": {
    "version": "2"
  },
  "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "external_entropy_source": false,
  "default_lease_ttl": 0,
  "max_lease_ttl": 0
}
```
````
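A client uses the mount discovery response above to choose between the KV v1 and KV v2 read paths and response layouts. The following added Python example (not part of the Spring Cloud Vault project; the function names and the constructed sample response are hypothetical) derives the engine version from `options.version`, builds the matching read path, and unwraps the returned data accordingly.

```python
import json

# Constructed sample of a GET sys/internal/ui/mounts/secret response for a KV v2
# mount, mirroring the shape shown above; it is not a real Vault reply.
SAMPLE_MOUNT_INFO = json.loads("""
{
  "type": "kv",
  "description": "KV v2 secrets engine",
  "options": {"version": "2"},
  "local": false
}
""")


def kv_version(mount_info: dict) -> int:
    """Return the KV engine version (1 or 2) described by a mount-info response.

    KV v1 mounts usually carry no options.version at all (options may even be
    null), so a missing key means version 1; anything other than "2" is v1 too.
    """
    if mount_info.get("type") != "kv":
        raise ValueError(f"not a KV mount: type={mount_info.get('type')!r}")
    options = mount_info.get("options") or {}
    return 2 if str(options.get("version", "1")) == "2" else 1


def kv_read_path(mount_path: str, secret_path: str, mount_info: dict) -> str:
    """Build the API path to read a secret under the given KV mount.

    KV v2 serves secret data under "<mount>/data/<path>"; KV v1 under "<mount>/<path>".
    """
    mount = mount_path.strip("/")
    secret = secret_path.strip("/")
    if kv_version(mount_info) == 2:
        return f"{mount}/data/{secret}"
    return f"{mount}/{secret}"


def unwrap_kv_data(mount_info: dict, read_response: dict) -> dict:
    """Extract the key/value map from a read response, per the engine version.

    KV v2 nests the secret under data.data (data.metadata carries versioning);
    KV v1 returns the map directly under data.
    """
    data = read_response.get("data") or {}
    if kv_version(mount_info) == 2:
        return data.get("data") or {}
    return data
```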