A Spring Boot app that reads secrets from HashiCorp Vault using the vault-maven-plugin.
The Maven plugin pulls secrets from HashiCorp Vault at build time and exposes them as Maven properties.
NOTE: This plugin only works against a KV Secrets Engine of version 1. If the KV Secrets Engine is version 2, the application will fail to start because the plugin receives a 404 when it reads the secrets from Vault.
This happens because KV v2 changed both the read path (the data sits under a /data/ segment of the mount) and the response structure (the values are nested one level deeper), so a plugin written for the v1 API neither finds the path nor can parse the response.
- Add the vault-maven-plugin to the pom.xml of your application.
- Configure the Vault server inside the execution section of the plugin by adding the server URL and the token that will be used to authenticate with the Vault server.
- Configure the path from which you want to read the secrets.
- Configure the keys whose values you want to read and map each of them to a Maven property.
- Reference those Maven properties inside application.properties and assign them to Spring Boot properties.
- Use the Spring Boot properties wherever required in your application.
NOTE: Do not hardcode the Vault token inside pom.xml. Pass it as an argument while building or running the application (a -D property on the command line), or read it from an environment variable via Maven's ${env.VAULT_TOKEN} so that it does not land in shell history or process listings. Use a short-lived token whose policy grants read access to this one path only. Be aware that because the Maven properties are substituted into application.properties at build time, the packaged jar contains the secret values in plaintext; protect the artifact accordingly.
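As an added example (not the project's own pom.xml), the plugin section that the steps above describe, assuming the Decipher Now vault-maven-plugin (com.deciphernow:vault-maven-plugin). The element names, the plugin version and the property names vault.username and vault.password are assumptions to check against the plugin's documentation and this project's pom.xml:

```xml
<!-- Added example, not the project's pom.xml. Assumes the Decipher Now
     vault-maven-plugin; verify element names and version against its docs. -->
<plugin>
  <groupId>com.deciphernow</groupId>
  <artifactId>vault-maven-plugin</artifactId>
  <version>1.1.0</version>
  <executions>
    <execution>
      <id>pull-vault-secrets</id>
      <!-- initialize runs before process-resources, so the properties exist
           by the time application.properties is filtered -->
      <phase>initialize</phase>
      <goals>
        <goal>pull</goal>
      </goals>
      <configuration>
        <servers>
          <server>
            <url>http://localhost:8200</url>
            <!-- Never a literal token here. ${vaultToken} is supplied with
                 -DvaultToken=... ; ${env.VAULT_TOKEN} would read the
                 VAULT_TOKEN environment variable instead, keeping the token
                 out of shell history and process listings. -->
            <token>${vaultToken}</token>
            <paths>
              <path>
                <!-- KV v1 path: the plugin issues GET /v1/secrets/v1/dev.
                     On a KV v2 mount the same data lives at
                     /v1/secrets/data/v1/dev with the values nested under
                     data.data, which is why the plugin 404s against v2.
                     Leading-slash handling is an assumption; check the docs. -->
                <name>secrets/v1/${environment}</name>
                <mappings>
                  <mapping>
                    <key>username</key>
                    <property>vault.username</property>
                  </mapping>
                  <mapping>
                    <key>password</key>
                    <property>vault.password</property>
                  </mapping>
                </mappings>
              </path>
            </paths>
          </server>
        </servers>
      </configuration>
    </execution>
  </executions>
</plugin>
```

The mapped properties are then referenced from application.properties through Maven resource filtering. With spring-boot-starter-parent as the parent, filtering is already enabled with @ as the delimiter, so the entries look like 'app.username=@vault.username@' and 'app.password=@vault.password@'; without that parent you must enable filtering on src/main/resources yourself and use the ${vault.username} form. To prepare a matching Vault for local testing, enable a v1 mount with 'vault secrets enable -path=secrets -version=1 kv' and write the two keys with 'vault kv put secrets/v1/dev username=... password=...'.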
Before starting the application, make sure:
- Vault is up and running on your localhost.
- The KV Secrets Engine behind the path is version 1 (see the note above).
- You have stored two secrets, with the keys username and password, at the path /secrets/v1/dev.
NOTE: In pom.xml the path is stored as /secrets/v1/${environment}; the value of environment must be passed as an argument while building or running the application.
Start the application using either of the commands below:
Note: These commands need to be run inside the root folder of this project, i.e. the spring-boot-vault-maven-plugin folder.
- Using Maven:
  mvn spring-boot:run -DvaultToken=vaultServerToken -Denvironment=dev
- From the jar file:
  Build the jar with 'mvn clean install -DvaultToken=vaultServerToken -Denvironment=dev' and then run 'java -jar target/read-secrets-1.0.1-SNAPSHOT.jar'. The jar needs no Vault token at run time because the values were pulled into it during the build.
Note: By default a Spring Boot application starts on port 8080. If port 8080 is occupied on your system, change the port by uncommenting and updating the server.port property in the application.properties file under src/main/resources.
Send an HTTP GET request to the '/getSecretsFromVault' endpoint using either of the two methods:
- Browser or REST client:
  http://localhost:8080/getSecretsFromVault
- cURL:
  curl --request GET 'http://localhost:8080/getSecretsFromVault'
Run the test cases using any of the commands below:
Note: These commands need to be run inside the root folder of this project, i.e. the spring-boot-vault-maven-plugin folder.
- To run all the test cases:
  mvn test -DvaultToken=vaultServerToken -Denvironment=dev
- To run a particular test class:
  mvn -Dtest=ReadSecretsControllerTest test -DvaultToken=vaultServerToken -Denvironment=dev
  or
  mvn -Dtest=ReadSecretsApplicationTests test -DvaultToken=vaultServerToken -Denvironment=dev
Note: Whenever you start the application or run the Maven install command you must provide the arguments -DvaultToken=vaultServerToken -Denvironment=dev; otherwise the application will fail to start, and the Maven install command will fail because the test cases cannot read the secrets.