springboot-vault-examples
The goal of this project is to explore the capabilities of Vault. To achieve this, we will develop applications that utilize Vault for storing and retrieving secrets. Vault dynamically generates credentials for accessing databases and relies on Consul as its storage backend. The authentication method employed in Vault is AppRole.
Proof-of-Concepts & Articles
On ivangfr.github.io, I have compiled my Proof-of-Concepts (PoCs) and articles. You can easily search for the technology you are interested in by using the filter. Who knows, perhaps I have already implemented a PoC or written an article about what you are looking for.
Additional Readings
- [Medium] Using HashiCorp Vault & Spring Cloud Vault to handle Spring Boot App Key/Value Secrets
- [Medium] Using HashiCorp Vault & Spring Cloud Vault to obtain Dynamic MySQL Credentials
- [Medium] How to Rotate Expired Spring Cloud Vault Relational DB Credentials Without Restarting the App
Lease Rotation
One of the problems faced by many people when using Vault is rotating the lease obtained for some backend databases. When a Spring Boot application requests a lease from Vault using, for instance, the Spring Cloud Vault library, the library itself is able to renew the lease automatically from time to time (`default_lease_ttl`).

However, when the maximum expiration time of a lease is reached (`max_lease_ttl`), the lease cannot be renewed anymore and a new lease is required. In this situation, the Spring Cloud Vault library cannot rotate it, leaving the application without a connection to the database.

In order to solve this problem, I have implemented some solutions for applications that use Spring Cloud Vault or Spring Vault. Please have a look at the examples below.
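The rotation approach described above, as an added example that is not code from this repository: a Spring component listens on Spring Vault's `SecretLeaseContainer`, and when the renewable lease for the database credentials expires at `max_lease_ttl`, it requests a rotating secret and swaps the new username/password into the Hikari pool without restarting the application. It assumes the `SecretLeaseContainer` bean that Spring Cloud Vault auto-configures, a `HikariDataSource` bean, the database backend mounted at `database/`, and the role name in the property `spring.cloud.vault.database.role` (the package and class names are hypothetical).

```java
// Added example (not part of this repository): rotate database credentials in place
// when the Vault lease reaches max_lease_ttl, using Spring Vault's SecretLeaseContainer.
// Assumptions: Spring Cloud Vault's database backend is enabled at "database/", the
// DataSource is Hikari, and the role name is in spring.cloud.vault.database.role.
package com.example.vault; // hypothetical package

import com.zaxxer.hikari.HikariDataSource;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
import org.springframework.vault.core.lease.SecretLeaseContainer;
import org.springframework.vault.core.lease.domain.RequestedSecret;
import org.springframework.vault.core.lease.event.SecretLeaseCreatedEvent;
import org.springframework.vault.core.lease.event.SecretLeaseExpiredEvent;

import java.util.Map;

@Component
public class DatabaseCredentialsRotator {

    private static final Logger log = LoggerFactory.getLogger(DatabaseCredentialsRotator.class);

    public DatabaseCredentialsRotator(SecretLeaseContainer leaseContainer,
                                      HikariDataSource dataSource,
                                      @Value("${spring.cloud.vault.database.role}") String role) {
        // Path Spring Cloud Vault reads the dynamic credentials from.
        String credsPath = "database/creds/" + role;

        leaseContainer.addLeaseListener(event -> {
            if (!credsPath.equals(event.getSource().getPath())) {
                return; // events for other secrets (e.g. KV entries) are not our concern
            }

            RequestedSecret.Mode mode = event.getSource().getMode();

            if (event instanceof SecretLeaseExpiredEvent && mode == RequestedSecret.Mode.RENEW) {
                // The initial secret is only renewed (RENEW mode); once max_lease_ttl is hit it
                // expires for good. Ask the container for a rotating secret so a new lease is issued.
                log.warn("Lease for {} expired; requesting rotated credentials", credsPath);
                leaseContainer.requestRotatingSecret(credsPath);
            } else if (event instanceof SecretLeaseCreatedEvent && mode == RequestedSecret.Mode.ROTATE) {
                // Fresh credentials arrived: swap them into the pool and retire old connections.
                Map<String, Object> secrets = ((SecretLeaseCreatedEvent) event).getSecrets();
                String username = (String) secrets.get("username");
                String password = (String) secrets.get("password");

                dataSource.getHikariConfigMXBean().setUsername(username);
                dataSource.getHikariConfigMXBean().setPassword(password);
                // softEvictConnections closes idle connections now and in-use ones when they are
                // returned, so new connections authenticate with the rotated credentials and the
                // application never loses its database connection. Never log the password.
                dataSource.getHikariPoolMXBean().softEvictConnections();
                log.info("Rotated database credentials for {}; new username {}", credsPath, username);
            }
        });
    }
}
```

After `requestRotatingSecret` has been called once, the container keeps the secret in `ROTATE` mode and re-requests a new lease on every subsequent expiration by itself, so the `SecretLeaseCreatedEvent` branch handles all later rotations; the `RENEW` branch only fires for the very first lease that Spring Cloud Vault obtained at startup. Old credentials stay valid until Vault revokes them at lease expiry, which is why the pool can be drained softly instead of being closed.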
Examples
Example | Diagram |
---|---|
spring-cloud-vault-approle-mysql (with lease rotation) | |
spring-cloud-vault-approle-cassandra | |
spring-vault-approle-mysql (with lease rotation) | |
spring-vault-approle-multi-datasources-mysql (with lease rotation) | |
Prerequisites
Initialize Environment
Open a terminal and, inside the springboot-vault-examples root folder, run the following script:
./init-environment.sh
This script will:
- start Consul, Vault, MySQL, and Cassandra Docker containers;
- unseal Vault and enable AppRole in it;
- set up database roles and policies in Vault for the applications so that they can access their databases using dynamically generated credentials;
- set up KV Secrets in Vault for the applications.
Shutdown Environment
To shut down the environment, go to a terminal and, inside the springboot-vault-examples root folder, run the script below:
./shutdown-environment.sh
Cleanup
To remove all Docker images created by this project, go to a terminal and, inside the springboot-vault-examples root folder, run the following script:
./remove-docker-images.sh all
References
- https://github.com/spring-cloud/spring-cloud-vault/issues/85
- https://blog.ruanbekker.com/blog/2019/05/07/use-the-vault-api-to-provision-app-keys-and-create-kv-pairs/