Secret Management
Hashicorp Vault
Hashicorp Vault allows you to manage your application secrets in an external, central location. When enabled and configured, the connector fetches its secrets dynamically from Hashicorp Vault and applies them to its configuration.
Install Hashicorp Vault
Follow the installation guide at Install Vault. The connector authenticates to Hashicorp Vault with an authentication token in order to retrieve and resolve secrets stored in the Vault kv store. The connector requires only read access to the kv store, so it is recommended to define a read-only policy for the path where the secrets are stored and to assign that policy to the connector's Vault token.
Create Policy
Use the Vault CLI to create a policy that grants read-only access to the connector path:
$ vault policy write connector-read-only ./connector.hcl
Define the read access in connector.hcl according to the path of your secrets:
path "secret/data/my-connector*" {
  capabilities = ["read", "list"]
}
Make sure to include the trailing wildcard *.
Create Token
Create a read-only token for the connector by referencing the policy created in the previous step:
$ vault token create -policy=connector-read-only
Manage Secrets
Retrieve the property key for the target secret from Connector Configuration. To manage, for example, the database credentials in Hashicorp Vault, put or patch the secret in your kv store with one of the following CLI commands:
$ vault kv put secret/my-connector spring.datasource.username=your-username spring.datasource.password=your-password
$ vault kv patch secret/my-connector spring.datasource.username=your-username spring.datasource.password=your-password
Configure the Connector
Uncomment the following block inside the bootstrap.properties file located under /config.
spring.application.name=my-connector
spring.profiles.active=composite
spring.cloud.config.server.bootstrap=true
spring.cloud.config.server.vault.token={cipher}your-encrypted-token
spring.cloud.config.server.composite[0].type=vault
spring.cloud.config.server.composite[0].scheme=http
spring.cloud.config.server.composite[0].host=127.0.0.1
spring.cloud.config.server.composite[0].port=8400
spring.cloud.config.server.composite[0].kv-version=2
spring.cloud.config.server.composite[0].defaultKey=my-connector
Adjust the following entries according to your Vault instance:
- spring.application.name, spring.cloud.config.server.composite[0].defaultKey: These properties identify the path to the secrets and properties inside Hashicorp Vault. If you uploaded your secret under secret/my-connector, the value has to be set to my-connector.
- spring.cloud.config.server.vault.token: Your auth token used to authenticate and authorize towards Hashicorp Vault. You can also encrypt the token using our Password Encryptor Tool and specify its value using the pattern {cipher}<encrypted-password>.
Enable SSL
If Hashicorp Vault is deployed on an HTTPS port, you can enable client SSL by adding the following properties to your bootstrap.properties.
spring.cloud.config.server.composite[0].scheme=https
# Adjust the port if needed
spring.cloud.config.server.composite[0].port=8400
# Disable SSL validation if needed
spring.cloud.config.server.composite[0].skip-ssl-validation=true
- spring.cloud.config.server.composite[0].scheme: Set this value to https if your Vault instance is deployed on an HTTPS port.
- spring.cloud.config.server.composite[0].skip-ssl-validation: You can disable SSL validation (not recommended) by setting this value to true.
Proxy Support
To connect to your Hashicorp Vault instance through an HTTP proxy, add the following properties to your bootstrap.properties.
spring.cloud.config.server.composite[0].proxy.http.host=<your-proxy-host>
spring.cloud.config.server.composite[0].proxy.http.port=<your-proxy-port>
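As an added example (not code from the connector or from its documentation), the following Python script models what the read-only kv lookup configured in the sections above looks like from the connector's side: the policy path carries the secret/data/ prefix because that is the path the kv version 2 read API is served on, the trailing wildcard decides whether sub-paths of the connector path match, the token travels in the X-Vault-Token header, and the secret values arrive wrapped in data.data. fetch_secret performs a live read honouring the scheme, skip-ssl-validation and proxy settings; the other functions run offline against a constructed sample response. The mount name secret, host 127.0.0.1, port 8400 and the sample payload are assumptions taken from the page's own examples.

```python
"""Added example: read-only Vault kv v2 lookup as the connector would perform it.
Not the connector's own code; mount, host, port and payload are assumptions."""
import json
import ssl
import urllib.request
from typing import Dict, Optional

KV_MOUNT = "secret"  # assumed kv v2 mount name, as used in the page's commands


def build_policy(connector_name: str, mount: str = KV_MOUNT) -> str:
    """Render the read-only HCL policy for one connector.
    kv v2 serves secret data under <mount>/data/<path>, so the policy must
    grant that prefix (not the <mount>/<path> form the CLI accepts); the
    trailing '*' makes it a glob that also covers sub-paths."""
    return (
        f'path "{mount}/data/{connector_name}*" {{\n'
        f'  capabilities = ["read", "list"]\n'
        f'}}\n'
    )


def policy_allows(policy_path: str, request_path: str) -> bool:
    """Simplified Vault path matching: a rule matches exactly unless it ends
    in '*', in which case any longer path with that prefix matches.
    ('+' single-segment wildcards are not modelled here.)"""
    if policy_path.endswith("*"):
        return request_path.startswith(policy_path[:-1])
    return request_path == policy_path


def read_url(scheme: str, host: str, port: int, key: str,
             mount: str = KV_MOUNT) -> str:
    """URL of the kv v2 read endpoint for the configured defaultKey."""
    return f"{scheme}://{host}:{port}/v1/{mount}/data/{key}"


def parse_kv2_response(body: str) -> Dict[str, str]:
    """kv v2 wraps the user data in data.data; data.metadata sits beside it."""
    payload = json.loads(body)
    return dict(payload["data"]["data"])


def fetch_secret(scheme: str, host: str, port: int, key: str, token: str,
                 skip_ssl_validation: bool = False,
                 proxy: Optional[str] = None) -> Dict[str, str]:
    """Live read using only the standard library (not exercised offline).
    Mirrors the scheme, skip-ssl-validation and proxy.http.* properties."""
    handlers = []
    if scheme == "https":
        ctx = ssl.create_default_context()
        if skip_ssl_validation:
            # Equivalent of skip-ssl-validation=true: certificate and host name
            # are no longer checked, so a man-in-the-middle can read the token.
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        handlers.append(urllib.request.HTTPSHandler(context=ctx))
    if proxy:  # e.g. "http://<your-proxy-host>:<your-proxy-port>"
        handlers.append(urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    opener = urllib.request.build_opener(*handlers)
    req = urllib.request.Request(read_url(scheme, host, port, key),
                                 headers={"X-Vault-Token": token})
    with opener.open(req, timeout=5) as resp:
        return parse_kv2_response(resp.read().decode())


# Constructed sample of a kv v2 read response (same shape Vault returns after
# the 'vault kv put secret/my-connector ...' command on the page).
SAMPLE_RESPONSE = json.dumps({
    "data": {
        "data": {
            "spring.datasource.username": "your-username",
            "spring.datasource.password": "your-password",
        },
        "metadata": {"version": 1, "destroyed": False},
    }
})

if __name__ == "__main__":
    print(build_policy("my-connector"))
    print(read_url("http", "127.0.0.1", 8400, "my-connector"))
    print(policy_allows("secret/data/my-connector*", "secret/data/my-connector/db"))
    print(policy_allows("secret/data/my-connector", "secret/data/my-connector/db"))
    print(parse_kv2_response(SAMPLE_RESPONSE))
```

Running the script shows why the page insists on the wildcard: the rule secret/data/my-connector* admits secret/data/my-connector/db, while the same rule without the asterisk admits only the exact path. The request built by read_url is the one the read-only token is exercised against, so a token that can fetch it but is refused on the corresponding put is behaving as the policy intends.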