This repository demonstrates HashiCorp Vault setup and usage with Spring Cloud Config.

- Create a directory named `HashiCorpVault` and store all the setup files and config files there.
- Download the Vault binary and add it to the `PATH`.
- Execute the following command to enable auto-completion for vault commands:

  ```shell
  vault -autocomplete-install
  ```

- Create a `config.hcl` file in the `HashiCorpVault` directory:

  ```hcl
  storage "consul" {
    address = "127.0.0.1:8500"
    path    = "vault/"
  }

  ui = true

  listener "tcp" {
    address     = "127.0.0.1:8200"
    tls_disable = 1   # plain HTTP; acceptable only for this local demo
  }
  ```
- Download the Consul binary from https://www.consul.io/downloads.html and add it to the `PATH`.
- Start Consul with the following command:

  ```shell
  consul agent -dev
  ```

- Open a new terminal and execute the following command to start Vault:

  ```shell
  vault server -config=<path_to_file>/config.hcl
  ```

- Open one more terminal and execute the following command so the vault CLI talks to this server:

  ```shell
  export VAULT_ADDR=http://127.0.0.1:8200
  ```
- Initialize the Vault with the following command and **copy the keys somewhere safe**:

  ```shell
  vault operator init
  ```

  Sample output from this setup:

  ```
  Unseal Key 1: E4GnjX+VP9G50uWQNcwpCflzGAMKGR38BbQywgq4I6L8
  Unseal Key 2: PYMxcCOswEYMNz7N6UW53Up6nu6y+SjAPwTJOTtkju3d
  Unseal Key 3: yuJ5cSxC7tSBR5mMVJ/WJ9bfhhfGb+uwWw9FQR0JKILh
  Unseal Key 4: 0vdvEFHM9PHEGMctJrl2ylHqoKQK8DLkfMU6ntmDz6jv
  Unseal Key 5: cI8yglWJX+jPf/yQG7Sg6SPWzy0WyrBPvaFTOAYkPJTx
  Initial Root Token: 62421926-81b9-b202-86f8-8850176c0cf3
  ```

- Begin unsealing the Vault with the following command. Execute it 3 times, each time entering a different unseal key from step 9 (by default 3 of the 5 keys are required):

  ```shell
  vault operator unseal
  ```

- Go to http://localhost:8200/ui/ to see the Vault UI.
- First, create a Key/Value (KV) secrets engine named `vaultdemo`, which stores key-value pairs.
- Go to ACL policies and create the ACL policy named `vault-demo-policy` that controls access to our secrets engine (its secrets are written in the following steps):

  ```hcl
  path "vaultdemo/pres/dev/*" {
    capabilities = ["read", "create", "update"]
  }
  path "vaultdemo/pres/test/*" {
    capabilities = ["read", "create", "update"]
  }
  path "vaultdemo/pres/prod/*" {
    capabilities = ["read", "create", "update"]
  }
  ```

  Note: if the engine was enabled as KV version 2, its API paths carry a `data/` segment, so the policy paths would have to be `vaultdemo/data/pres/dev/*` and so on.

- Use the following command to write secrets into the secrets engine `vaultdemo` for the application name `pres` and the profile `dev`. The command creates 3 key-value pairs:

  ```shell
  vault kv put vaultdemo/pres/dev username=root password=dev1234 url="jdbc:mysql://localhost:3306/bookstore_dev"
  ```

- The path format must be `<secret_engine_name>/<application_name>/<profile>`. Following this format is necessary because Spring Cloud Config depends on it.
- Execute the following to create the `test` and `prod` profiles and the key-value pairs inside them:

  ```shell
  vault kv put vaultdemo/pres/test username=sa password="" url="jdbc:h2:mem:bookstore"
  vault kv put vaultdemo/pres/prod username=root password=prod1234 url="jdbc:mysql://localhost:3306/bookstore_prod"
  ```
- Now go to the Spring Boot project's `src/main/resources` directory and create an `application.yml` file with the following content:

  ```yaml
  ## Select profile
  spring:
    profiles:
      active: @activatedProperties@
    application:
      name: pres
    cloud:
      vault:
        authentication: TOKEN
        token: ${VAULT_TOKEN}
        scheme: http
        host: localhost
        port: 8200
        kv:
          enabled: true
          backend: vaultdemo
  ```

- Use the following syntax to export the token as an environment variable on a Linux machine:

  ```shell
  export VAULT_TOKEN=<Your token>
  ```

- Spring uses the `application.yml` file to load the Vault config and the key-value pairs required by the Spring profiles before initializing the context. The `${VAULT_TOKEN}` value is taken from the machine's environment variables.
- Now create an `application-dev.yml` file with the following content. The placeholders here must match the keys stored in Vault, i.e. `${username}`, `${password}`, `${url}`:

  ```yaml
  ## Server Properties
  server:
    port: 8081
  spring:
    config:
      import: vault://vaultdemo/pres/dev
      activate:
        on-profile: "dev"
    datasource:
      # placeholder names equal the keys written with `vault kv put`
      username: ${username}
      password: ${password}
      url: ${url}
  ```
- Create `application-test.yml` and `application-prod.yml` config files for the Test and Prod environments in the same way.
- The `application.yml` file created above is what selects the actual Spring profile based on the Maven command (`@activatedProperties@` is filled in by Maven resource filtering). Please look at this gist on "How to select Spring boot profile from maven".
- Clone this project and build it with Maven. Make sure to pass the `-Ddev` or `-Dtest` parameter to the Maven command; it selects the Spring profile id and passes it to `application.yml`:

  ```shell
  mvn clean package -Dtest -DskipTests
  ```

- Now run the project with the java command. This starts the project using the profile selected in the previous step. The `-D` system property has to come before `-jar`; if `VAULT_TOKEN` was already exported in the shell, the property can be omitted:

  ```shell
  java -DVAULT_TOKEN=<Root Token> -jar target/vaultdemo-*.jar
  ```

- Go to http://localhost:8081/api/v1/book/list to see the list of books retrieved from the database whose credentials were retrieved from Vault.
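As an added example (not code from this repository), the following Python models three things the steps above rely on: the `<secret_engine_name>/<application_name>/<profile>` path convention, the glob matching Vault applies to `vault-demo-policy`, and the `${key}` placeholder resolution that ties `application-dev.yml` to the KV pairs. The policy and secrets are constructed copies of the README values, and the function names are my own.

```python
# Added example, not part of this repository: models the README's
# <secret_engine>/<application>/<profile> path convention, Vault's ACL path
# matching for vault-demo-policy, and Spring's ${key} placeholder resolution.
import re
from typing import Dict, List

# Constructed copy of vault-demo-policy from the README (KV version 1 paths).
VAULT_DEMO_POLICY: Dict[str, List[str]] = {
    "vaultdemo/pres/dev/*": ["read", "create", "update"],
    "vaultdemo/pres/test/*": ["read", "create", "update"],
    "vaultdemo/pres/prod/*": ["read", "create", "update"],
}
# Constructed: what `vault kv put vaultdemo/pres/dev ...` stores.
DEV_SECRETS = {"username": "root", "password": "dev1234",
               "url": "jdbc:mysql://localhost:3306/bookstore_dev"}
_PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def spring_vault_path(backend: str, app: str, profile: str) -> str:
    """Path Spring Cloud Vault reads for an application/profile pair."""
    return f"{backend}/{app}/{profile}"


def path_matches(pattern: str, path: str) -> bool:
    """Vault ACL semantics: a trailing '*' is a prefix match, '+' matches one
    path segment, anything else must match exactly (deny/priority rules omitted)."""
    regex = re.escape(pattern).replace(r"\+", "[^/]+")
    if regex.endswith(r"\*"):
        regex = regex[:-2] + ".*"
    return re.fullmatch(regex, path) is not None


def policy_allows(policy: Dict[str, List[str]], path: str, capability: str) -> bool:
    """True if some policy path matching `path` grants `capability`."""
    return any(capability in caps
               for pattern, caps in policy.items() if path_matches(pattern, path))


def resolve_placeholders(config: Dict[str, str], secrets: Dict[str, str]) -> Dict[str, str]:
    """Substitute ${key} from the KV pairs. As in Spring, a placeholder with no
    matching key is an error, e.g. ${db.username} when Vault holds `username`."""
    def lookup(match: "re.Match[str]") -> str:
        key = match.group(1)
        if key not in secrets:
            raise KeyError(f"placeholder ${{{key}}} has no matching Vault key")
        return secrets[key]
    return {prop: _PLACEHOLDER.sub(lookup, value) for prop, value in config.items()}
```

Running the checks shows that the exact path `vaultdemo/pres/dev` written by `vault kv put` lies outside the `vaultdemo/pres/dev/*` glob (only paths with the trailing slash match), which matters once the application moves from the root token to a token bound to this policy.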