Keep your secrets with Spring Vault

In modern cloud-native applications, externalizing the configuration properties is a necessity that changes based on the environment. One of the common use, when we implement cloud-native Spring Boot microservices, is to manage the secrets. Secrets can be anything that is either static or dynamic like user name/password credentials for databases that we integrate with our service layers such as MYSQL, MongoDB, Oracle DB, etc., or credentials and certificates to access remote resources/applications.

What is Spring Vault?

Spring Cloud Config Server has been a proven solution already that acts as a centralized framework for managing the application-related configuration properties in a distributed environment. Spring Cloud Config Server manages external configuration with the help of config storage done in private secured repositories like Github, SVN, or even vault. Storing the sensitive data secured in the config server is a challenge. Spring Vault helps to solve this by providing abstractions, provision for storing/revoking secrets, and giving client-side support for accessing the secrets from a HashiCorp Vault. HashiCorp Vault is a commonly used open-source secret server from HashiCorp.

In a cloud-distributed system, we can get the benefit of using Spring Cloud Vault which provides client-side support for externalizing the configurations. Spring Cloud Vault uses Spring Vault to provide a configuration integration for Spring Boot-based applications.

Features

1. Robust service to manage the secrets
2. Vault comes with inbuilt secret encryption and avoids the threat of client-side decryption key leakage issue.
3. Provides API to access secrets and can be configured to give access to secrets based on policies
4. Any client who accesses the secrets needs to authenticate themselves and only clients who are authorized can access a secret
5. Vault does not store the key in a persistent location
6. Starting and restarting of vault needs one or more operators to unseal it.

How to use it?

1. Start up the vault and store configuration properties inside Vault from https://www.vaultproject.io/downloads.html
2. Create you Spring Boot project referring
https://docs.spring.io/spring-cloud-vault/docs/current/reference/html/#client-side-usage

3. Do proper production hardening referring https://learn.hashicorp.com/tutorials/vault/production-hardening

Author Details

Krishna kalesh Balakrishnan

Technology Architect in Infosys. Involved in the modernization and software development process of clients in e-commerce and airline domains.

Leave a Comment

Your email address will not be published. Required fields are marked *