springboot-vault-examples icon indicating copy to clipboard operation
springboot-vault-examples copied to clipboard

verified publisher icon ivangfr

Metadata

The goal of this project is to explore the capabilities of Vault. To achieve this, we will develop applications that utilize Vault for storing and retrieving secrets. Vault dynamically generates crede...

springboot-vault-examples

The goal of this project is to explore the capabilities of Vault. To achieve this, we will develop applications that utilize Vault for storing and retrieving secrets. Vault dynamically generates credentials for accessing databases and relies on Consul as the backend. The authentication method employed in Vault is AppRole.

Proof-of-Concepts & Articles

On ivangfr.github.io, I have compiled my Proof-of-Concepts (PoCs) and articles. You can easily search for the technology you are interested in by using the filter. Who knows, perhaps I have already implemented a PoC or written an article about what you are looking for.

Additional Readings

Lease Rotation

One of the problems faced by many people when using Vault is about rotating the lease obtained for some backend databases. When a Spring Boot application requests a lease from Vault using, for instance, the library Spring Cloud Vault, the library itself is able to automatically renew the lease from time to time (default_lease_ttl).

However, when the maximum expiration time of a lease is reached (max_lease_ttl), it means that the lease cannot be renewed anymore, and a new lease is required. In this situation, Spring Cloud Vault library cannot rotate it, leaving the application without connection to database.

In order to solve this problem, I have implemented some solutions for applications that use Spring Cloud Vault or Spring Vault. Please, have a look at the examples below.

Examples

Example Diagram
spring-cloud-vault-approle-mysql (with lease rotation) project-diagram
spring-cloud-vault-approle-cassandra project-diagram
spring-vault-approle-mysql (with lease rotation) project-diagram
spring-vault-approle-multi-datasources-mysql (with lease rotation) project-diagram

Prerequisites

Initialize Environment

Open a terminal and, inside springboot-vault-examples root folder, run the following script

./init-environment.sh

This script will:

  • start Consul, Vault, MySQL, and Cassandra Docker containers;
  • unseal Vault and enable AppRole in it;
  • setup Database roles and policies in Vault for the application so that they can access their databases using dynamically generated credentials;
  • setup KV Secrets in Vault for the application;

Shutdown Environment

To shut down the environment, go to a terminal and, inside springboot-vault-examples root folder, run the script below

./shutdown-environment.sh

Cleanup

To remove all Docker images created by this project, go to a terminal and, inside springboot-vault-examples root folder, run the following script

./remove-docker-images.sh all

References

  • https://github.com/spring-cloud/spring-cloud-vault/issues/85
  • https://blog.ruanbekker.com/blog/2019/05/07/use-the-vault-api-to-provision-app-keys-and-create-kv-pairs/

Metadata

18
Stars
10
Forks
Watchers

Owner

verified publisher icon ivangfr

Metadata

The goal of this project is to explore the capabilities of Vault. To achieve this, we will develop applications that utilize Vault for storing and retrieving secrets. Vault dynamically generates crede...

Back