<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>103. Secret Backends</title><link rel="stylesheet" type="text/css" href="css/manual-multipage.css"><meta name="generator" content="DocBook XSL Stylesheets V1.79.1"><link rel="home" href="multi_spring-cloud.html" title="Spring Cloud"><link rel="up" href="multi__spring_cloud_vault.html" title="Part XIV. Spring Cloud Vault"><link rel="prev" href="multi_vault.config.authentication.html" title="102. Authentication methods"><link rel="next" href="multi_vault.config.backends.database-backends.html" title="104. Database backends"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">103. Secret Backends</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="multi_vault.config.authentication.html">Prev</a> </td><th width="60%" align="center">Part XIV. Spring Cloud Vault</th><td width="20%" align="right"> <a accesskey="n" href="multi_vault.config.backends.database-backends.html">Next</a></td></tr></table><hr></div><div class="chapter"><div class="titlepage"><div><div><h2 class="title"><a name="vault.config.backends" href="#vault.config.backends"></a>103. Secret Backends</h2></div></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="vault.config.backends.generic" href="#vault.config.backends.generic"></a>103.1 Generic Backend</h2></div></div></div><p>Spring Cloud Vault supports at the basic level the generic secret
backend. The generic secret backend stores arbitrary
values in a key-value store. A single context can hold one or many
key-value tuples, and contexts can be organized hierarchically.
Spring Cloud Vault combines the application name
and a default context name (<code class="literal">application</code>) with the active
profiles, consulting the following contexts:</p><pre class="screen">/secret/{application}/{profile}
/secret/{application}
/secret/{default-context}/{profile}
/secret/{default-context}</pre><p>The application name is determined by the properties:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><code class="literal">spring.cloud.vault.generic.application-name</code></li><li class="listitem"><code class="literal">spring.cloud.vault.application-name</code></li><li class="listitem"><code class="literal">spring.application.name</code></li></ul></div><p>Secrets can be obtained from other contexts within the generic backend by adding their
paths to the application name, separated by commas. For example, given the application
name <code class="literal">usefulapp,mysql1,projectx/aws</code>, each of these folders will be used:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><code class="literal">/secret/usefulapp</code></li><li class="listitem"><code class="literal">/secret/mysql1</code></li><li class="listitem"><code class="literal">/secret/projectx/aws</code></li></ul></div><p>Spring Cloud Vault adds all active profiles to the list of possible context paths.
If no profiles are active, the contexts that carry a profile name are skipped.</p><p>Properties are exposed exactly as they are stored, without additional prefixes.</p><div class="informalexample"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spring.cloud.vault</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">  generic</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    enabled</span>: <span xmlns:d="http://docbook.org/ns/docbook" class="hl-keyword">true</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    backend</span>: secret
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    profile-separator</span>: <span xmlns:d="http://docbook.org/ns/docbook" class="hl-string">'/'</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    default-context</span>: application
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    application-name</span>: my-app</pre></div><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><code class="literal">enabled</code> setting this value to <code class="literal">false</code> disables the secret backend
config usage</li><li class="listitem"><code class="literal">backend</code> sets the path of the secret mount to use</li><li class="listitem"><code class="literal">default-context</code> sets the context name used by all applications</li><li class="listitem"><code class="literal">application-name</code> overrides the application name for use in the generic backend</li><li class="listitem"><code class="literal">profile-separator</code> separates the profile name from the context in
property sources with profiles</li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="images/note.png"></td><th align="left">Note</th></tr><tr><td align="left" valign="top"><p>The key-value secret backend can be operated in versioned (v2) and non-versioned (v1) modes. Depending on the mode of operation, a different API is required to access secrets. Make sure to enable <code class="literal">generic</code> secret backend usage for non-versioned key-value backends and <code class="literal">kv</code> secret backend usage for versioned key-value backends.</p></td></tr></table></div><p>See also: <a class="link" href="https://www.vaultproject.io/docs/secrets/kv/kv-v1.html" target="_top">Vault Documentation: Using the KV Secrets Engine - Version 1 (generic secret backend)</a></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="vault.config.backends.kv.versioned" href="#vault.config.backends.kv.versioned"></a>103.2 Versioned Key-Value Backend</h2></div></div></div><p>Spring Cloud Vault supports the versioned Key-Value secret
backend. The key-value backend stores arbitrary
values in a key-value store. A single context can hold one or many
key-value tuples, and contexts can be organized hierarchically.
Spring Cloud Vault combines the application name
and a default context name (<code class="literal">application</code>) with the active
profiles, consulting the following contexts:</p><pre class="screen">/secret/{application}/{profile}
/secret/{application}
/secret/{default-context}/{profile}
/secret/{default-context}</pre><p>The application name is determined by the properties:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><code class="literal">spring.cloud.vault.kv.application-name</code></li><li class="listitem"><code class="literal">spring.cloud.vault.application-name</code></li><li class="listitem"><code class="literal">spring.application.name</code></li></ul></div><p>Secrets can be obtained from other contexts within the key-value backend by adding their
paths to the application name, separated by commas. For example, given the application
name <code class="literal">usefulapp,mysql1,projectx/aws</code>, each of these folders will be used:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><code class="literal">/secret/usefulapp</code></li><li class="listitem"><code class="literal">/secret/mysql1</code></li><li class="listitem"><code class="literal">/secret/projectx/aws</code></li></ul></div><p>Spring Cloud Vault adds all active profiles to the list of possible context paths.
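The context-path rules described for the generic and versioned backends, modelled as an added Python example (not Spring Cloud Vault's own code). <code class="literal">KvBackendConfig</code>, <code class="literal">SAMPLE_STORE</code>, the expansion order for comma-separated application names and the rule that a more specific context overrides a less specific one are assumptions of this example:

```python
# Added example, not Spring Cloud Vault's own code: a model of the context-path
# rules this chapter documents for the generic (kv v1) and versioned (kv v2)
# backends. Where the page leaves a detail open it is marked as an assumption.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class KvBackendConfig:
    """Mirrors the spring.cloud.vault.{generic,kv}.* properties shown above."""
    backend: str = "secret"              # mount path of the key-value engine
    default_context: str = "application"
    application_name: str = "application"
    profile_separator: str = "/"
    versioned: bool = False              # False: generic (v1), True: kv (v2)


def context_names(cfg: KvBackendConfig, active_profiles: List[str]) -> List[str]:
    """Contexts to read, most specific first, in the order listed on the page.

    Assumption: comma-separated application names are expanded one after the
    other, each before the default context (the page does not state an order).
    """
    apps = [a.strip() for a in cfg.application_name.split(",") if a.strip()]
    names: List[str] = []
    for ctx in apps + [cfg.default_context]:
        # Profile-specific contexts exist only while a profile is active.
        for profile in active_profiles:
            names.append(f"{ctx}{cfg.profile_separator}{profile}")
        names.append(ctx)
    # Keep order, drop duplicates (application-name equal to default-context).
    return list(dict.fromkeys(names))


def vault_paths(cfg: KvBackendConfig, active_profiles: List[str]) -> List[str]:
    """Full Vault paths; the versioned backend inserts data/ after the mount."""
    prefix = f"{cfg.backend}/data/" if cfg.versioned else f"{cfg.backend}/"
    return [prefix + ctx for ctx in context_names(cfg, active_profiles)]


def merge_properties(cfg: KvBackendConfig, active_profiles: List[str],
                     store: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Merge the contexts into one property map, keys exposed exactly as stored.

    `store` stands in for Vault (path -> key/value pairs). Assumption: a more
    specific context overrides a less specific one, as with profile-specific
    Spring properties.
    """
    merged: Dict[str, str] = {}
    for path in reversed(vault_paths(cfg, active_profiles)):  # least specific first
        merged.update(store.get(path, {}))
    return merged


# Constructed sample data for a stand-alone run; these are not real secrets.
SAMPLE_STORE = {
    "secret/data/application": {"db.user": "app", "db.password": "shared-pw"},
    "secret/data/my-app": {"db.password": "my-app-pw"},
    "secret/data/my-app/cloud": {"db.password": "cloud-pw", "db.host": "db.cloud"},
}

if __name__ == "__main__":
    cfg = KvBackendConfig(application_name="my-app", versioned=True)
    for path in vault_paths(cfg, ["cloud"]):
        print(path)
    print(merge_properties(cfg, ["cloud"], SAMPLE_STORE))
```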
If no profiles are active, the contexts that carry a profile name are skipped.</p><p>Properties are exposed exactly as they are stored, without additional prefixes.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="images/note.png"></td><th align="left">Note</th></tr><tr><td align="left" valign="top"><p>Spring Cloud Vault inserts the <code class="literal">data/</code> segment between the mount path and the actual context path.</p></td></tr></table></div><div class="informalexample"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spring.cloud.vault</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">  kv</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    enabled</span>: <span xmlns:d="http://docbook.org/ns/docbook" class="hl-keyword">true</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    backend</span>: secret
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    profile-separator</span>: <span xmlns:d="http://docbook.org/ns/docbook" class="hl-string">'/'</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    default-context</span>: application
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    application-name</span>: my-app</pre></div><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><code class="literal">enabled</code> setting this value to <code class="literal">false</code> disables the secret backend
config usage</li><li class="listitem"><code class="literal">backend</code> sets the path of the secret mount to use</li><li class="listitem"><code class="literal">default-context</code> sets the context name used by all applications</li><li class="listitem"><code class="literal">application-name</code> overrides the application name for use in the key-value backend</li><li class="listitem"><code class="literal">profile-separator</code> separates the profile name from the context in
property sources with profiles</li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="images/note.png"></td><th align="left">Note</th></tr><tr><td align="left" valign="top"><p>The key-value secret backend can be operated in versioned (v2) and non-versioned (v1) modes. Depending on the mode of operation, a different API is required to access secrets. Make sure to enable <code class="literal">generic</code> secret backend usage for non-versioned key-value backends and <code class="literal">kv</code> secret backend usage for versioned key-value backends.</p></td></tr></table></div><p>See also: <a class="link" href="https://www.vaultproject.io/docs/secrets/kv/kv-v2.html" target="_top">Vault Documentation: Using the KV Secrets Engine - Version 2 (versioned key-value backend)</a></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="vault.config.backends.consul" href="#vault.config.backends.consul"></a>103.3 Consul</h2></div></div></div><p>Spring Cloud Vault can obtain credentials for HashiCorp Consul.
The Consul integration requires the <code class="literal">spring-cloud-vault-config-consul</code>
dependency.</p><div class="example"><a name="d0e31550" href="#d0e31550"></a><p class="title"><b>Example 103.1. pom.xml</b></p><div class="example-contents"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"><dependencies></span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"><dependency></span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"><groupId></span>org.springframework.cloud<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"></groupId></span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"><artifactId></span>spring-cloud-vault-config-consul<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"></artifactId></span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"><version></span>{project-version}<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"></version></span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"></dependency></span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"></dependencies></span></pre></div></div><br class="example-break"><p>The integration can be enabled by setting
<code class="literal">spring.cloud.vault.consul.enabled=true</code> (default <code class="literal">false</code>) and
providing the role name with <code class="literal">spring.cloud.vault.consul.role=…</code>.</p><p>The obtained token is stored in <code class="literal">spring.cloud.consul.token</code>
so that Spring Cloud Consul picks up the generated
credentials without further configuration. You can configure
the property name by setting <code class="literal">spring.cloud.vault.consul.token-property</code>.</p><div class="informalexample"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spring.cloud.vault</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">  consul</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    enabled</span>: <span xmlns:d="http://docbook.org/ns/docbook" class="hl-keyword">true</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    role</span>: readonly
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    backend</span>: consul
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    token-property</span>: spring.cloud.consul.token</pre></div><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><code class="literal">enabled</code> setting this value to <code class="literal">true</code> enables the Consul backend config usage</li><li class="listitem"><code class="literal">role</code> sets the role name of the Consul role definition</li><li class="listitem"><code class="literal">backend</code> sets the path of the Consul mount to use</li><li class="listitem"><code class="literal">token-property</code> sets the property name in which the Consul ACL token is stored</li></ul></div><p>See also: <a class="link" href="https://www.vaultproject.io/docs/secrets/consul/index.html" target="_top">Vault Documentation: Setting up Consul with Vault</a></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="vault.config.backends.rabbitmq" href="#vault.config.backends.rabbitmq"></a>103.4 RabbitMQ</h2></div></div></div><p>Spring Cloud Vault can obtain credentials for RabbitMQ.</p><p>The RabbitMQ integration requires the <code class="literal">spring-cloud-vault-config-rabbitmq</code>
dependency.</p><div class="example"><a name="d0e31615" href="#d0e31615"></a><p class="title"><b>Example 103.2. pom.xml</b></p><div class="example-contents"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"><dependencies></span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"><dependency></span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"><groupId></span>org.springframework.cloud<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"></groupId></span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"><artifactId></span>spring-cloud-vault-config-rabbitmq<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"></artifactId></span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"><version></span>{project-version}<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"></version></span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"></dependency></span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"></dependencies></span></pre></div></div><br class="example-break"><p>The integration can be enabled by setting
<code class="literal">spring.cloud.vault.rabbitmq.enabled=true</code> (default <code class="literal">false</code>)
and providing the role name with <code class="literal">spring.cloud.vault.rabbitmq.role=…</code>.</p><p>Username and password are stored in <code class="literal">spring.rabbitmq.username</code>
and <code class="literal">spring.rabbitmq.password</code> so that Spring Boot picks up the generated
credentials without further configuration. You can configure the property names
by setting <code class="literal">spring.cloud.vault.rabbitmq.username-property</code> and
<code class="literal">spring.cloud.vault.rabbitmq.password-property</code>.</p><div class="informalexample"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spring.cloud.vault</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">  rabbitmq</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    enabled</span>: <span xmlns:d="http://docbook.org/ns/docbook" class="hl-keyword">true</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    role</span>: readonly
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    backend</span>: rabbitmq
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    username-property</span>: spring.rabbitmq.username
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    password-property</span>: spring.rabbitmq.password</pre></div><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><code class="literal">enabled</code> setting this value to <code class="literal">true</code> enables the RabbitMQ backend config usage</li><li class="listitem"><code class="literal">role</code> sets the role name of the RabbitMQ role definition</li><li class="listitem"><code class="literal">backend</code> sets the path of the RabbitMQ mount to use</li><li class="listitem"><code class="literal">username-property</code> sets the property name in which the RabbitMQ username is stored</li><li class="listitem"><code class="literal">password-property</code> sets the property name in which the RabbitMQ password is stored</li></ul></div><p>See also: <a class="link" href="https://www.vaultproject.io/docs/secrets/rabbitmq/index.html" target="_top">Vault Documentation: Setting up RabbitMQ with Vault</a></p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="vault.config.backends.aws" href="#vault.config.backends.aws"></a>103.5 AWS</h2></div></div></div><p>Spring Cloud Vault can obtain credentials for AWS.</p><p>The AWS integration requires the <code class="literal">spring-cloud-vault-config-aws</code>
dependency.</p><div class="example"><a name="d0e31691" href="#d0e31691"></a><p class="title"><b>Example 103.3. pom.xml</b></p><div class="example-contents"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"><dependencies></span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"><dependency></span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"><groupId></span>org.springframework.cloud<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"></groupId></span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"><artifactId></span>spring-cloud-vault-config-aws<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"></artifactId></span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"><version></span>{project-version}<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"></version></span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"></dependency></span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-tag"></dependencies></span></pre></div></div><br class="example-break"><p>The integration can be enabled by setting
<code class="literal">spring.cloud.vault.aws.enabled=true</code> (default <code class="literal">false</code>)
and providing the role name with <code class="literal">spring.cloud.vault.aws.role=…</code>.</p><p>The access key and secret key are stored in <code class="literal">cloud.aws.credentials.accessKey</code>
and <code class="literal">cloud.aws.credentials.secretKey</code> so that Spring Cloud AWS picks up the generated
credentials without further configuration. You can configure the property names
by setting <code class="literal">spring.cloud.vault.aws.access-key-property</code> and
<code class="literal">spring.cloud.vault.aws.secret-key-property</code>.</p><div class="informalexample"><pre class="programlisting"><span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">spring.cloud.vault</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">  aws</span>:
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    enabled</span>: <span xmlns:d="http://docbook.org/ns/docbook" class="hl-keyword">true</span>
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    role</span>: readonly
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    backend</span>: aws
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    access-key-property</span>: cloud.aws.credentials.accessKey
<span xmlns:d="http://docbook.org/ns/docbook" class="hl-attribute">    secret-key-property</span>: cloud.aws.credentials.secretKey</pre></div><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><code class="literal">enabled</code> setting this value to <code class="literal">true</code> enables the AWS backend config usage</li><li class="listitem"><code class="literal">role</code> sets the role name of the AWS role definition</li><li class="listitem"><code class="literal">backend</code> sets the path of the AWS mount to use</li><li class="listitem"><code class="literal">access-key-property</code> sets the property name in which the AWS access key is stored</li><li class="listitem"><code class="literal">secret-key-property</code> sets the property name in which the AWS secret key is stored</li></ul></div><p>See also: <a class="link" href="https://www.vaultproject.io/docs/secrets/aws/index.html" target="_top">Vault Documentation: Setting up AWS with Vault</a></p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="multi_vault.config.authentication.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="multi__spring_cloud_vault.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="multi_vault.config.backends.database-backends.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">102. Authentication methods </td><td width="20%" align="center"><a accesskey="h" href="multi_spring-cloud.html">Home</a></td><td width="40%" align="right" valign="top"> 104. Database backends</td></tr></table></div></body></html>