In the previous post, we configured a HashiCorp Vault server. In this post, we'll explain how to manage Vault secrets with a Spring Boot application.
· Prerequisites
· Create the KV Secrets Engine
∘ What is the KV secrets engine?
∘ Creating a Secret using the Vault Web UI
· Let’s code
∘ Spring Cloud Vault
∘ Spring Boot App
∘ Configure application.yml
∘ Accessing Secrets in Spring Boot
· Test the REST APIs
· Conclusion
· References
Prerequisites
This is the list of all the prerequisites for Part 2:
- Spring Boot 3+
- Maven 3.6.3
- Java 21
- Postman, Insomnia, or any other API testing tool
- All steps in Part 1 must be completed
Create the KV Secrets Engine
After completing all the Vault installation and configuration steps described in Part 1, we must create the KV secrets engine.
Spring Boot 3 — Manage Secrets using HashiCorp Vault and PostgreSQL as Backend: Part 1
What is the KV secrets engine?
The kv secrets engine is a generic key-value store used to store arbitrary secrets within the configured physical storage for Vault. This secrets engine can run in one of two modes: store a single value for a key, or store a number of versions for each key and maintain the record of them.
Creating a Secret using the Vault Web UI
- Log in to the Vault UI with the root token.
- Select the Secrets Engines menu and click Enable new engine.

- Select KV from the list

- Enter the engine name (dev-labs in this post) in the Path field and click Enable Engine to complete.

Now that we have enabled the dev-labs kv v2 secrets engine, we can create, store, and retrieve secrets.

Enter db in the Path for this secret field and under the Secret data section, enter the keys/values as follows:

- Click Save.

The masked input toggle button can be used to review the values for the keys.

Let’s code
Spring Cloud Vault
Spring Cloud Vault Config provides client-side support for externalized configuration in a distributed system built on top of Spring Vault. With HashiCorp’s Vault you have a central place to manage external secret properties for applications across all environments.
Spring Boot App
Let’s create a simple Spring Boot project from start.spring.io, with the following dependencies: Spring Web, Vault Configuration, Lombok, and Validation.
The pom.xml file:
...
<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-vault-config</artifactId>
    </dependency>
    <dependency>
        <groupId>org.projectlombok</groupId>
        <artifactId>lombok</artifactId>
        <optional>true</optional>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
    </dependency>
</dependencies>
<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-dependencies</artifactId>
            <version>${spring-cloud.version}</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>
...
Configure application.yml
Configure vault properties in the application.yml file. The following configuration enables our application to integrate with Vault:
spring:
  cloud:
    vault:
      # Vault Server Connection
      uri: http://127.0.0.1:8200 # Vault server address
      scheme: http # HTTP or HTTPS (use HTTPS outside local development)
      authentication: TOKEN # Auth method (TOKEN, APPROLE, KUBERNETES, etc.)
      token: ${TOKEN} # Root or app-specific token (Use environment variables)
      # Secrets Configuration
      kv:
        enabled: true # Enable KV secrets engine
        backend: dev-labs # Path where secrets are stored
        application-name: db # Context name for secrets
  config:
    import: vault:// # Mounts Vault as PropertySource using all enabled secret backends (key-value enabled by default)
application:
  env:
    db-host: ${host}
    db-name: ${name}
    db-password: ${password}
The placeholders ${host}, ${name}, and ${password} must match the key names of the secret stored in Vault under the db path of the dev-labs engine.
Accessing Secrets in Spring Boot
Now we can create a standard controller to get secrets:
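import org.springframework.beans.factory.annotation.Value;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

record DbInfo(String host, String name, String password) {}

@RestController
@RequestMapping("/api")
public class VaultController {

    // Values resolved from Vault through the placeholders in application.yml
    @Value("${application.env.db-host}")
    private String host;

    @Value("${application.env.db-name}")
    private String name;

    @Value("${application.env.db-password}")
    private String password;

    // Demo endpoint: returns the resolved values, including the password
    @GetMapping("/db-config")
    public DbInfo getStatus() {
        return new DbInfo(host, name, password);
    }
}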
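The controller above returns the database password in the HTTP response, which is only suitable for checking the integration locally. As an added example (not code from the original post or its repository), this variant confirms that Vault resolved the secret without returning or logging its value; the names DbProperties, DbPropertiesConfig, DbStatus, SafeVaultController and the /api/db-status path are assumptions.

```java
// Added example, not from the original post. Assumes the application.yml above
// (application.env.db-host, db-name and db-password resolved from Vault).
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Binds application.env.* (relaxed binding: db-host -> dbHost, and so on).
@ConfigurationProperties(prefix = "application.env")
record DbProperties(String dbHost, String dbName, String dbPassword) {
    // A record's generated toString() prints every component; override it so
    // the password cannot end up in logs or exception messages.
    @Override
    public String toString() {
        return "DbProperties[dbHost=" + dbHost + ", dbName=" + dbName + ", dbPassword=***]";
    }
}

// Registers DbProperties as a bean (hypothetical helper class).
@Configuration
@EnableConfigurationProperties(DbProperties.class)
class DbPropertiesConfig {}

// Response body: reports whether the secret was resolved, never its value.
record DbStatus(String host, String name, boolean passwordLoaded) {}

@RestController
@RequestMapping("/api")
public class SafeVaultController {

    private final DbProperties db;

    public SafeVaultController(DbProperties db) {
        this.db = db;
    }

    // Hypothetical path; stands in for the demo /api/db-config endpoint.
    @GetMapping("/db-status")
    public DbStatus getStatus() {
        String password = db.dbPassword();
        boolean loaded = password != null && !password.isBlank();
        return new DbStatus(db.dbHost(), db.dbName(), loaded);
    }
}
```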
Test the REST APIs
Now we are all done with our code. We can run our application and test it.

Conclusion
Well done! This post taught us how to integrate HashiCorp Vault secrets with a Spring Boot application.
The complete source code is available on GitHub.
Thank you for reading!! See you in the next post.