spring-cloud-static/Greenwich.SR1/multi/multi_vault.config.backends.html
2019-03-06 10:23:45 -05:00
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>102.&nbsp;Secret Backends</title><link rel="stylesheet" type="text/css" href="css/manual-multipage.css"><meta name="generator" content="DocBook XSL Stylesheets V1.79.1"><link rel="home" href="multi_spring-cloud.html" title="Spring Cloud"><link rel="up" href="multi__spring_cloud_vault.html" title="Part&nbsp;XIV.&nbsp;Spring Cloud Vault"><link rel="prev" href="multi_vault.config.authentication.html" title="101.&nbsp;Authentication methods"><link rel="next" href="multi_vault.config.backends.database-backends.html" title="103.&nbsp;Database backends"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">102.&nbsp;Secret Backends</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="multi_vault.config.authentication.html">Prev</a>&nbsp;</td><th width="60%" align="center">Part&nbsp;XIV.&nbsp;Spring Cloud Vault</th><td width="20%" align="right">&nbsp;<a accesskey="n" href="multi_vault.config.backends.database-backends.html">Next</a></td></tr></table><hr></div><div class="chapter"><div class="titlepage"><div><div><h2 class="title"><a name="vault.config.backends" href="#vault.config.backends"></a>102.&nbsp;Secret Backends</h2></div></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="vault.config.backends.generic" href="#vault.config.backends.generic"></a>102.1&nbsp;Generic Backend</h2></div></div></div><p>Spring Cloud Vault supports at the basic level the generic secret
backend. The generic secret backend stores arbitrary values as a key-value
store. A single context can store one or many key-value tuples, and contexts
can be organized hierarchically. Spring Cloud Vault combines the application
name and a default context name (<code class="literal">application</code>) with the active
profiles to build the following context paths:</p><pre class="screen">/secret/{application}/{profile}
/secret/{application}
/secret/{default-context}/{profile}
/secret/{default-context}</pre><p>The application name is determined by the properties:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><code class="literal">spring.cloud.vault.generic.application-name</code></li><li class="listitem"><code class="literal">spring.cloud.vault.application-name</code></li><li class="listitem"><code class="literal">spring.application.name</code></li></ul></div><p>Secrets can be obtained from other contexts within the generic backend by adding their
paths to the application name, separated by commas. For example, given the application
name <code class="literal">usefulapp,mysql1,projectx/aws</code>, each of these folders will be used:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><code class="literal">/secret/usefulapp</code></li><li class="listitem"><code class="literal">/secret/mysql1</code></li><li class="listitem"><code class="literal">/secret/projectx/aws</code></li></ul></div><p>Spring Cloud Vault adds all active profiles to the list of possible context paths.
When no profiles are active, contexts with a profile name are not accessed.</p><p>Properties are exposed as they are stored (i.e. without additional prefixes).</p><div class="informalexample"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spring.cloud.vault</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    generic</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">        enabled</span>: <span xmlns:d="http://docbook.org/ns/docbook" class="hl-keyword">true</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">        backend</span>: secret
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">        profile-separator</span>: <span xmlns:d="http://docbook.org/ns/docbook" class="hl-string">'/'</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">        default-context</span>: application
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">        application-name</span>: my-app</pre></div><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><code class="literal">enabled</code> setting this value to <code class="literal">false</code> disables the secret backend
config usage</li><li class="listitem"><code class="literal">backend</code> sets the path of the secret mount to use</li><li class="listitem"><code class="literal">default-context</code> sets the context name used by all applications</li><li class="listitem"><code class="literal">application-name</code> overrides the application name for use in the generic backend</li><li class="listitem"><code class="literal">profile-separator</code> separates the profile name from the context in
property sources with profiles</li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="images/note.png"></td><th align="left">Note</th></tr><tr><td align="left" valign="top"><p>The key-value secret backend can be operated in versioned (v2) and non-versioned (v1) modes. Depending on the mode of operation, a different API is required to access secrets. Make sure to enable <code class="literal">generic</code> secret backend usage for non-versioned key-value backends and <code class="literal">kv</code> secret backend usage for versioned key-value backends.</p></td></tr></table></div><p>See also: <a class="link" href="https://www.vaultproject.io/docs/secrets/kv/kv-v1.html" target="_top">Vault Documentation: Using the KV Secrets Engine - Version 1 (generic secret backend)</a></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="vault.config.backends.kv.versioned" href="#vault.config.backends.kv.versioned"></a>102.2&nbsp;Versioned Key-Value Backend</h2></div></div></div><p>Spring Cloud Vault supports the versioned Key-Value secret
backend. The key-value backend stores arbitrary values as a key-value
store. A single context can store one or many key-value tuples, and contexts
can be organized hierarchically. Spring Cloud Vault combines the application
name and a default context name (<code class="literal">application</code>) with the active
profiles to build the following context paths:</p><pre class="screen">/secret/{application}/{profile}
/secret/{application}
/secret/{default-context}/{profile}
/secret/{default-context}</pre><p>The application name is determined by the properties:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><code class="literal">spring.cloud.vault.kv.application-name</code></li><li class="listitem"><code class="literal">spring.cloud.vault.application-name</code></li><li class="listitem"><code class="literal">spring.application.name</code></li></ul></div><p>Secrets can be obtained from other contexts within the key-value backend by adding their
paths to the application name, separated by commas. For example, given the application
name <code class="literal">usefulapp,mysql1,projectx/aws</code>, each of these folders will be used:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><code class="literal">/secret/usefulapp</code></li><li class="listitem"><code class="literal">/secret/mysql1</code></li><li class="listitem"><code class="literal">/secret/projectx/aws</code></li></ul></div><p>Spring Cloud Vault adds all active profiles to the list of possible context paths.
When no profiles are active, contexts with a profile name are not accessed.</p><p>Properties are exposed as they are stored (i.e. without additional prefixes).</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="images/note.png"></td><th align="left">Note</th></tr><tr><td align="left" valign="top"><p>Spring Cloud Vault adds the <code class="literal">data/</code> context between the mount path and the actual context path.</p></td></tr></table></div><div class="informalexample"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spring.cloud.vault</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    kv</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">        enabled</span>: <span xmlns:d="http://docbook.org/ns/docbook" class="hl-keyword">true</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">        backend</span>: secret
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">        profile-separator</span>: <span xmlns:d="http://docbook.org/ns/docbook" class="hl-string">'/'</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">        default-context</span>: application
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">        application-name</span>: my-app</pre></div><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><code class="literal">enabled</code> setting this value to <code class="literal">false</code> disables the secret backend
config usage</li><li class="listitem"><code class="literal">backend</code> sets the path of the secret mount to use</li><li class="listitem"><code class="literal">default-context</code> sets the context name used by all applications</li><li class="listitem"><code class="literal">application-name</code> overrides the application name for use in the generic backend</li><li class="listitem"><code class="literal">profile-separator</code> separates the profile name from the context in
property sources with profiles</li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="images/note.png"></td><th align="left">Note</th></tr><tr><td align="left" valign="top"><p>The key-value secret backend can be operated in versioned (v2) and non-versioned (v1) modes. Depending on the mode of operation, a different API is required to access secrets. Make sure to enable <code class="literal">generic</code> secret backend usage for non-versioned key-value backends and <code class="literal">kv</code> secret backend usage for versioned key-value backends.</p></td></tr></table></div><p>See also: <a class="link" href="https://www.vaultproject.io/docs/secrets/kv/kv-v2.html" target="_top">Vault Documentation: Using the KV Secrets Engine - Version 2 (versioned key-value backend)</a></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="vault.config.backends.consul" href="#vault.config.backends.consul"></a>102.3&nbsp;Consul</h2></div></div></div><p>Spring Cloud Vault can obtain credentials for HashiCorp Consul.
The Consul integration requires the <code class="literal">spring-cloud-vault-config-consul</code>
dependency.</p><div class="example"><a name="d0e31273" href="#d0e31273"></a><p class="title"><b>Example&nbsp;102.1.&nbsp;pom.xml</b></p><div class="example-contents"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">&lt;dependencies&gt;</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">    &lt;dependency&gt;</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">        &lt;groupId&gt;</span>org.springframework.cloud<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">&lt;/groupId&gt;</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">        &lt;artifactId&gt;</span>spring-cloud-vault-config-consul<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">&lt;/artifactId&gt;</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">        &lt;version&gt;</span>1.0.0.BUILD-SNAPSHOT<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">&lt;/version&gt;</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">    &lt;/dependency&gt;</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">&lt;/dependencies&gt;</span></pre></div></div><br class="example-break"><p>The integration can be enabled by setting
<code class="literal">spring.cloud.vault.consul.enabled=true</code> (default <code class="literal">false</code>) and
providing the role name with <code class="literal">spring.cloud.vault.consul.role=&#8230;</code>.</p><p>The obtained token is stored in <code class="literal">spring.cloud.consul.token</code>
so that Spring Cloud Consul picks up the generated
credentials without further configuration. You can configure
the property name by setting <code class="literal">spring.cloud.vault.consul.token-property</code>.</p><div class="informalexample"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spring.cloud.vault</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    consul</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">        enabled</span>: <span xmlns:d="http://docbook.org/ns/docbook" class="hl-keyword">true</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">        role</span>: readonly
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">        backend</span>: consul
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">        token-property</span>: spring.cloud.consul.token</pre></div><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><code class="literal">enabled</code> setting this value to <code class="literal">true</code> enables the Consul backend config usage</li><li class="listitem"><code class="literal">role</code> sets the role name of the Consul role definition</li><li class="listitem"><code class="literal">backend</code> sets the path of the Consul mount to use</li><li class="listitem"><code class="literal">token-property</code> sets the property name in which the Consul ACL token is stored</li></ul></div><p>See also: <a class="link" href="https://www.vaultproject.io/docs/secrets/consul/index.html" target="_top">Vault Documentation: Setting up Consul with Vault</a></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="vault.config.backends.rabbitmq" href="#vault.config.backends.rabbitmq"></a>102.4&nbsp;RabbitMQ</h2></div></div></div><p>Spring Cloud Vault can obtain credentials for RabbitMQ.</p><p>The RabbitMQ integration requires the <code class="literal">spring-cloud-vault-config-rabbitmq</code>
dependency.</p><div class="example"><a name="d0e31338" href="#d0e31338"></a><p class="title"><b>Example&nbsp;102.2.&nbsp;pom.xml</b></p><div class="example-contents"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">&lt;dependencies&gt;</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">    &lt;dependency&gt;</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">        &lt;groupId&gt;</span>org.springframework.cloud<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">&lt;/groupId&gt;</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">        &lt;artifactId&gt;</span>spring-cloud-vault-config-rabbitmq<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">&lt;/artifactId&gt;</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">        &lt;version&gt;</span>1.0.0.BUILD-SNAPSHOT<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">&lt;/version&gt;</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">    &lt;/dependency&gt;</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">&lt;/dependencies&gt;</span></pre></div></div><br class="example-break"><p>The integration can be enabled by setting
<code class="literal">spring.cloud.vault.rabbitmq.enabled=true</code> (default <code class="literal">false</code>)
and providing the role name with <code class="literal">spring.cloud.vault.rabbitmq.role=&#8230;</code>.</p><p>Username and password are stored in <code class="literal">spring.rabbitmq.username</code>
and <code class="literal">spring.rabbitmq.password</code> so that Spring Boot picks up the generated
credentials without further configuration. You can configure the property names
by setting <code class="literal">spring.cloud.vault.rabbitmq.username-property</code> and
<code class="literal">spring.cloud.vault.rabbitmq.password-property</code>.</p><div class="informalexample"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spring.cloud.vault</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    rabbitmq</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">        enabled</span>: <span xmlns:d="http://docbook.org/ns/docbook" class="hl-keyword">true</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">        role</span>: readonly
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">        backend</span>: rabbitmq
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">        username-property</span>: spring.rabbitmq.username
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">        password-property</span>: spring.rabbitmq.password</pre></div><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><code class="literal">enabled</code> setting this value to <code class="literal">true</code> enables the RabbitMQ backend config usage</li><li class="listitem"><code class="literal">role</code> sets the role name of the RabbitMQ role definition</li><li class="listitem"><code class="literal">backend</code> sets the path of the RabbitMQ mount to use</li><li class="listitem"><code class="literal">username-property</code> sets the property name in which the RabbitMQ username is stored</li><li class="listitem"><code class="literal">password-property</code> sets the property name in which the RabbitMQ password is stored</li></ul></div><p>See also: <a class="link" href="https://www.vaultproject.io/docs/secrets/rabbitmq/index.html" target="_top">Vault Documentation: Setting up RabbitMQ with Vault</a></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="vault.config.backends.aws" href="#vault.config.backends.aws"></a>102.5&nbsp;AWS</h2></div></div></div><p>Spring Cloud Vault can obtain credentials for AWS.</p><p>The AWS integration requires the <code class="literal">spring-cloud-vault-config-aws</code>
dependency.</p><div class="example"><a name="d0e31414" href="#d0e31414"></a><p class="title"><b>Example&nbsp;102.3.&nbsp;pom.xml</b></p><div class="example-contents"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">&lt;dependencies&gt;</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">    &lt;dependency&gt;</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">        &lt;groupId&gt;</span>org.springframework.cloud<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">&lt;/groupId&gt;</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">        &lt;artifactId&gt;</span>spring-cloud-vault-config-aws<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">&lt;/artifactId&gt;</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">        &lt;version&gt;</span>1.0.0.BUILD-SNAPSHOT<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">&lt;/version&gt;</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">    &lt;/dependency&gt;</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag">&lt;/dependencies&gt;</span></pre></div></div><br class="example-break"><p>The integration can be enabled by setting
<code class="literal">spring.cloud.vault.aws.enabled=true</code> (default <code class="literal">false</code>)
and providing the role name with <code class="literal">spring.cloud.vault.aws.role=&#8230;</code>.</p><p>The access key and secret key are stored in <code class="literal">cloud.aws.credentials.accessKey</code>
and <code class="literal">cloud.aws.credentials.secretKey</code> so that Spring Cloud AWS picks up the generated
credentials without further configuration. You can configure the property names
by setting <code class="literal">spring.cloud.vault.aws.access-key-property</code> and
<code class="literal">spring.cloud.vault.aws.secret-key-property</code>.</p><div class="informalexample"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spring.cloud.vault</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    aws</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">        enabled</span>: <span xmlns:d="http://docbook.org/ns/docbook" class="hl-keyword">true</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">        role</span>: readonly
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">        backend</span>: aws
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">        access-key-property</span>: cloud.aws.credentials.accessKey
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">        secret-key-property</span>: cloud.aws.credentials.secretKey</pre></div><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><code class="literal">enabled</code> setting this value to <code class="literal">true</code> enables the AWS backend config usage</li><li class="listitem"><code class="literal">role</code> sets the role name of the AWS role definition</li><li class="listitem"><code class="literal">backend</code> sets the path of the AWS mount to use</li><li class="listitem"><code class="literal">access-key-property</code> sets the property name in which the AWS access key is stored</li><li class="listitem"><code class="literal">secret-key-property</code> sets the property name in which the AWS secret key is stored</li></ul></div><p>See also: <a class="link" href="https://www.vaultproject.io/docs/secrets/aws/index.html" target="_top">Vault Documentation: Setting up AWS with Vault</a></p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="multi_vault.config.authentication.html">Prev</a>&nbsp;</td><td width="20%" align="center"><a accesskey="u" href="multi__spring_cloud_vault.html">Up</a></td><td width="40%" align="right">&nbsp;<a accesskey="n" href="multi_vault.config.backends.database-backends.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">101.&nbsp;Authentication methods&nbsp;</td><td width="20%" align="center"><a accesskey="h" href="multi_spring-cloud.html">Home</a></td><td width="40%" align="right" valign="top">&nbsp;103.&nbsp;Database backends</td></tr></table></div></body></html>
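The context-path layout of sections 102.1 (generic, kv v1) and 102.2 (versioned, kv v2) above, worked through as an added example that is not part of the Spring Cloud Vault documentation or code base: it computes the paths Spring Cloud Vault reads for a given application name, active profiles, profile separator and backend mode (including the `data/` segment for the versioned backend), and renders the Vault policy that grants read access to exactly those paths, which is the least-privilege policy an operator would attach to the application's token. The `KvSettings`, `context_paths` and `read_policy` names, and the ordering across comma-separated application names, are assumptions.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class KvSettings:
    """Mirror of the spring.cloud.vault.generic / spring.cloud.vault.kv settings (assumed names)."""
    backend: str = "secret"                # mount path of the key-value secrets engine
    default_context: str = "application"   # context read by every application
    profile_separator: str = "/"           # separates context name and profile
    application_name: str = "application"  # may list several contexts, comma-separated
    versioned: bool = False                # False: generic (kv v1); True: kv (v2)


def context_paths(settings: KvSettings, active_profiles: List[str]) -> List[str]:
    """Return the context paths Spring Cloud Vault reads for these settings.

    Assumed order: most specific first, application names in the order listed,
    then the default context. The page gives the layout, not the precedence
    between comma-separated application names, so that part is an assumption.
    """
    names = [n.strip() for n in settings.application_name.split(",") if n.strip()]
    contexts: List[str] = []
    for name in names + [settings.default_context]:
        # with no active profiles, no profile-specific context is produced
        for profile in active_profiles:
            contexts.append(f"{name}{settings.profile_separator}{profile}")
        contexts.append(name)
    # the versioned backend (kv v2) needs data/ between mount path and context
    prefix = f"{settings.backend}/data" if settings.versioned else settings.backend
    paths: List[str] = []
    for ctx in contexts:
        path = f"/{prefix}/{ctx}"
        if path not in paths:  # an application named like the default context would repeat
            paths.append(path)
    return paths


def read_policy(paths: List[str]) -> str:
    """Render a Vault policy (HCL) that grants read on exactly the given paths."""
    rules = [f'path "{p.lstrip("/")}" {{\n  capabilities = ["read"]\n}}' for p in paths]
    return "\n".join(rules)


if __name__ == "__main__":
    # constructed sample: the application name from the page, profile "cloud", kv v2
    settings = KvSettings(application_name="usefulapp,mysql1,projectx/aws", versioned=True)
    paths = context_paths(settings, ["cloud"])
    print("\n".join(paths))
    print(read_policy(paths))
```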