Skip to content

Library to access Vault servers to inject secrets into Edison services

License

Notifications You must be signed in to change notification settings

otto-de-legacy/edison-vault

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

edison-vault

Library to access Vault servers and inject secrets into Edison services.

Build Status Maven Central

Usage

This library implements a Spring PropertySource and appends it to the end of the existing PropertySource list. It maps values from vault-secrets to properties which can then be easily accessed via @Value annotations. To use this library the secrets must be setup like described in the vault configuration section.

If your vault setup matches the requirements you just need to set the configuration properties in your application.properties file. You can find them in the application.properties configuration section.

In Vault the App ID authentication backend has to be enabled. In this context tuples of app-ids and user-ids have to be created in Vault.

For further vault documentation see http://www.vaultproject.io/

All properties you want to save in vault must be located under the same parent path. You can configure the parent path by setting the configuration property edison.vault.secret-path

Each spring property you want to load from vault has to be added to the configuration property edison.vault.properties.

An individual spring property is mapped to a vault path by the following scheme:

  1. Every dot (".") is replaced by a slash ("/").
  2. The part before the last slash is the sub-path of the property and has to exist in vault.
  3. The part after the last slash is the json field name of the vault value.

Example

application.properties:
    ...
    edison.vault.secret-path=/my/secret/path/
    edison.vault.properties=my-secret-value,my.secret.value,my.secret.othervalue
    ...

"my-secret-value" is mapped to:
GET http://yourVaultHostName:4001/v1/my/secret/path
{
  "my-secret-value": "theFirstSecretValueYouWant"
}

"my.secret.value" is mapped to:
GET http://yourVaultHostName:4001/v1/my/secret/path/my/secret/
{
    "value": "theSecondSecretValueYouWant"
}

"my.secret.othervalue" is mapped to:
GET http://yourVaultHostName:4001/v1/my/secret/path/my/secret/
{
    "othervalue": "theThirdSecretValueYouWant"
}

In this example you will get three spring properties with the following values:

  • my-secret-value=theFirstSecretValueYouWant
  • my.secret.value=theSecondSecretValueYouWant
  • my.secret.othervalue=theThirdSecretValueYouWant

You see how the parent secret-path is used and how a spring property key is mapped to a vault path. Notice the difference between my-secret-value and my.secret.value.

  • edison.vault.enabled enable edison-vault (default=false)
  • edison.vault.base-url url of vault server
  • edison.vault.secret-path vault secret path
  • edison.vault.properties comma-separated list of property keys to fetch from vault (default=empty).
  • edison.vault.token-source how to access the vault server token -- possible values are login,file or environment
  • edison.vault.appid app id to access the vault server (valid for token-source=login)
  • edison.vault.userid user id to access the vault server (valid for token-source=login)
  • edison.vault.environment-token environment-variable which holds the token (valid for token-source=environment)
  • edison.vault.file-token filename where the token is stored in, if not set then $HOME/.vault-token is used (valid for token-source=file)

Example

application.properties:

edison.vault.enabled=true
edison.vault.base-url=https://yourVaultHostName:8200
edison.vault.secret-path=/my/secret/path/
edison.vault.properties=secretOne@key1,secretOne@key2,secretTwo,secretOne
edison.vault.token-source=login
edison.vault.appid=aaaaaaaa-bbbb-cccc-dddd-eeeeeeffffff
edison.vault.userid=ffffffff-eeee-dddd-cccc-bbbbbbaaaaa

SomeClass.java:

public class SomeClass {
    
    @Value("${secretOne@key1}")
    private String theSecretNumberOne;

    public void someMethod(@Value("${secretTwo}") String theSecretNumberTwo) {

    }
}

About

Library to access Vault servers to inject secrets into Edison services

Resources

License

Stars

Watchers

Forks

Packages

No packages published