8. Database backends

Vault supports several database secret backends that generate database credentials dynamically based on configured roles. Services that need to access a database no longer have to be configured with static credentials: they request them from Vault, and Vault's leasing mechanism makes it easier to rotate them.

Spring Cloud Vault integrates with these backends:

  • Database

  • Apache Cassandra

  • Couchbase Database

  • Elasticsearch

  • MongoDB

  • MySQL

  • PostgreSQL

Using a database secret backend requires enabling the backend in the configuration and adding the spring-cloud-vault-config-databases dependency.

Since 0.7.1, Vault ships with a dedicated database secret backend that integrates databases via plugins. You can use that backend either through the generic spring.cloud.vault.database configuration (Section 8.1) or through one of the database-specific configurations by pointing its backend path at that mount, e.g. spring.cloud.vault.mysql.backend=database.

Example 34. pom.xml
<dependencies>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-vault-config-databases</artifactId>
        <version>3.0.4</version>
    </dependency>
</dependencies>
Enabling multiple JDBC-compliant databases generates credentials for each of them and, by default, stores all of them in the same property keys (spring.datasource.username and spring.datasource.password), so one set of credentials would overwrite the other. The property names for each JDBC secret therefore need to be configured separately.
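The following is an added example, not code from the Spring Cloud Vault reference: a Spring Boot configuration that wires two JDBC DataSources, each fed by a different Vault backend whose credentials are routed to distinct property keys so they cannot collide. The prefixes app.datasource.orders and app.datasource.reporting, the role names, hosts, bean names and the MySQL/PostgreSQL pairing are this example's own choices; the keys in the leading comment are the spring.cloud.vault.mysql and spring.cloud.vault.postgresql properties described later in this chapter.

```java
// Added example (not part of the Spring Cloud Vault reference). Assumes a
// matching application.yml that routes each backend's credentials to its own
// keys instead of the shared spring.datasource.* defaults, for instance:
//
//   spring.cloud.vault.mysql.enabled: true
//   spring.cloud.vault.mysql.role: orders-rw
//   spring.cloud.vault.mysql.username-property: app.datasource.orders.username
//   spring.cloud.vault.mysql.password-property: app.datasource.orders.password
//   spring.cloud.vault.postgresql.enabled: true
//   spring.cloud.vault.postgresql.role: reporting-ro
//   spring.cloud.vault.postgresql.username-property: app.datasource.reporting.username
//   spring.cloud.vault.postgresql.password-property: app.datasource.reporting.password
//   app.datasource.orders.url: jdbc:mysql://orders-db:3306/orders
//   app.datasource.reporting.url: jdbc:postgresql://reporting-db:5432/reporting
//
// Role names, hosts and prefixes are hypothetical. Only the url is static;
// username and password for both pools arrive from Vault at startup.
package com.example.vault;

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.jdbc.DataSourceProperties;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;

@Configuration
public class TwoVaultDataSourcesConfig {

    // Binds app.datasource.orders.* (url from the file, username/password
    // from the Vault mysql backend) into a DataSourceProperties holder.
    @Bean
    @Primary
    @ConfigurationProperties("app.datasource.orders")
    public DataSourceProperties ordersDataSourceProperties() {
        return new DataSourceProperties();
    }

    // Primary DataSource: the one Spring Boot's JDBC auto-configuration and
    // any unqualified DataSource injection point will use.
    @Bean
    @Primary
    public DataSource ordersDataSource(
            @Qualifier("ordersDataSourceProperties") DataSourceProperties properties) {
        return properties.initializeDataSourceBuilder().build();
    }

    // Binds app.datasource.reporting.* (username/password from the Vault
    // postgresql backend), kept apart from the orders credentials.
    @Bean
    @ConfigurationProperties("app.datasource.reporting")
    public DataSourceProperties reportingDataSourceProperties() {
        return new DataSourceProperties();
    }

    // Second DataSource; inject it with @Qualifier("reportingDataSource")
    // wherever the read-only reporting credentials are the right ones to use.
    @Bean
    public DataSource reportingDataSource(
            @Qualifier("reportingDataSourceProperties") DataSourceProperties properties) {
        return properties.initializeDataSourceBuilder().build();
    }
}
```

Keeping the two credential sets in separate keys is what lets each pool run under its own Vault role: the orders pool gets the read-write role and the reporting pool the read-only one, instead of whichever backend happened to write spring.datasource.* last being used for both.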

8.1. Database

Spring Cloud Vault can obtain credentials for any database listed at www.vaultproject.io/api/secret/databases/index.html. The integration can be enabled by setting spring.cloud.vault.database.enabled=true (default false) and providing the role name with spring.cloud.vault.database.role=….

While the database backend is a generic one, spring.cloud.vault.database specifically targets JDBC databases. Username and password are available from the spring.datasource.username and spring.datasource.password properties, so Spring Boot picks up the generated credentials for your DataSource without further configuration. You can configure the property names by setting spring.cloud.vault.database.username-property and spring.cloud.vault.database.password-property.

spring.cloud.vault:
    database:
        enabled: true
        role: readonly
        backend: database
        username-property: spring.datasource.username
        password-property: spring.datasource.password
  • enabled setting this value to true enables the Database backend config usage

  • role sets the role name of the Database role definition

  • backend sets the path of the Database mount to use

  • username-property sets the property name in which the Database username is stored

  • password-property sets the property name in which the Database password is stored

Spring Cloud Vault does not support obtaining new credentials and reconfiguring your DataSource with them once the maximum lease time has been reached. That is, if max_ttl of the Database role in Vault is set to 24h, then 24 hours after your application has started it can no longer authenticate with the database. Size max_ttl against the expected lifetime of the application, or rotate the credentials yourself when the lease expires.
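One way to handle that limit, as an added example rather than code from the Spring Cloud Vault reference: listen for lease events from Spring Vault's SecretLeaseContainer and, when the renewable lease for the database credentials expires, request a rotating secret for the same path and push the new username and password into the HikariCP pool, evicting pooled connections so that new ones authenticate with the fresh credentials. It assumes the Section 8.1 configuration (backend database, role readonly, so the credentials path is database/creds/readonly), that the DataSource is a HikariDataSource (Spring Boot's default pool), and that the class and bean names are this example's own.

```java
// Added example (not from the Spring Cloud Vault reference). Rotates database
// credentials when Vault refuses to renew the lease because max_ttl was hit.
// Assumes spring.cloud.vault.database.backend=database and
// spring.cloud.vault.database.role=readonly, i.e. the credentials live under
// database/creds/readonly, and that the DataSource is HikariCP. Class and
// bean names are this example's own.
package com.example.vault;

import java.util.Map;

import com.zaxxer.hikari.HikariDataSource;

import org.springframework.beans.factory.InitializingBean;
import org.springframework.stereotype.Component;
import org.springframework.vault.core.lease.SecretLeaseContainer;
import org.springframework.vault.core.lease.domain.RequestedSecret;
import org.springframework.vault.core.lease.event.SecretLeaseCreatedEvent;
import org.springframework.vault.core.lease.event.SecretLeaseEvent;
import org.springframework.vault.core.lease.event.SecretLeaseExpiredEvent;

@Component
public class DatabaseCredentialRotator implements InitializingBean {

    // <backend>/creds/<role> from the Section 8.1 configuration.
    private static final String CREDS_PATH = "database/creds/readonly";

    private final SecretLeaseContainer leaseContainer;
    private final HikariDataSource dataSource;

    public DatabaseCredentialRotator(SecretLeaseContainer leaseContainer, HikariDataSource dataSource) {
        this.leaseContainer = leaseContainer;
        this.dataSource = dataSource;
    }

    @Override
    public void afterPropertiesSet() {
        leaseContainer.addLeaseListener(this::onLeaseEvent);
    }

    private void onLeaseEvent(SecretLeaseEvent event) {
        RequestedSecret secret = event.getSource();
        if (!CREDS_PATH.equals(secret.getPath())) {
            return; // event for some other secret
        }

        if (event instanceof SecretLeaseExpiredEvent
                && secret.getMode() == RequestedSecret.Mode.RENEW) {
            // The lease Spring Cloud Vault obtained at startup can no longer be
            // renewed (max_ttl reached). Ask for a rotating secret: the container
            // fetches a fresh credential set now, and again on every expiry.
            leaseContainer.requestRotatingSecret(CREDS_PATH);
        }
        else if (event instanceof SecretLeaseCreatedEvent
                && secret.getMode() == RequestedSecret.Mode.ROTATE) {
            Map<String, Object> secrets = ((SecretLeaseCreatedEvent) event).getSecrets();
            String username = (String) secrets.get("username");
            String password = (String) secrets.get("password");

            // Point the pool at the new database user. Existing connections still
            // belong to the old user, which Vault revokes with the old lease, so
            // evict them: idle ones now, active ones as soon as they are returned.
            dataSource.getHikariConfigMXBean().setUsername(username);
            dataSource.getHikariConfigMXBean().setPassword(password);
            dataSource.getHikariPoolMXBean().softEvictConnections();
        }
    }
}
```

Note what this does and does not update: the spring.datasource.username and spring.datasource.password properties in the Environment keep the startup values, only the pool's configuration changes, which is sufficient because the pool is what authenticates. The path must match backend plus /creds/ plus role exactly, or the listener never sees its own events and the application silently loses database access when max_ttl is reached.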

8.2. Apache Cassandra

The cassandra backend has been deprecated in Vault 0.7.1 and it is recommended to use the database backend and mount it as cassandra.

Spring Cloud Vault can obtain credentials for Apache Cassandra. The integration can be enabled by setting spring.cloud.vault.cassandra.enabled=true (default false) and providing the role name with spring.cloud.vault.cassandra.role=….

Username and password are available from the spring.data.cassandra.username and spring.data.cassandra.password properties, so Spring Boot picks up the generated credentials without further configuration. You can configure the property names by setting spring.cloud.vault.cassandra.username-property and spring.cloud.vault.cassandra.password-property.

spring.cloud.vault:
    cassandra:
        enabled: true
        role: readonly
        backend: cassandra
        username-property: spring.data.cassandra.username
        password-property: spring.data.cassandra.password
  • enabled setting this value to true enables the Cassandra backend config usage

  • role sets the role name of the Cassandra role definition

  • backend sets the path of the Cassandra mount to use

  • username-property sets the property name in which the Cassandra username is stored

  • password-property sets the property name in which the Cassandra password is stored

8.3. Couchbase Database

Spring Cloud Vault can obtain credentials for Couchbase. The integration can be enabled by setting spring.cloud.vault.couchbase.enabled=true (default false) and providing the role name with spring.cloud.vault.couchbase.role=….

Username and password are available from the spring.couchbase.username and spring.couchbase.password properties, so Spring Boot picks up the generated credentials without further configuration. You can configure the property names by setting spring.cloud.vault.couchbase.username-property and spring.cloud.vault.couchbase.password-property.

spring.cloud.vault:
    couchbase:
        enabled: true
        role: readonly
        backend: database
        username-property: spring.couchbase.username
        password-property: spring.couchbase.password
  • enabled setting this value to true enables the Couchbase backend config usage

  • role sets the role name of the Couchbase role definition

  • backend sets the path of the Couchbase mount to use

  • username-property sets the property name in which the Couchbase username is stored

  • password-property sets the property name in which the Couchbase password is stored

8.4. Elasticsearch

Since version 3.0, Spring Cloud Vault can obtain credentials for Elasticsearch. The integration can be enabled by setting spring.cloud.vault.elasticsearch.enabled=true (default false) and providing the role name with spring.cloud.vault.elasticsearch.role=….

Username and password are available from the spring.elasticsearch.rest.username and spring.elasticsearch.rest.password properties, so Spring Boot picks up the generated credentials without further configuration. You can configure the property names by setting spring.cloud.vault.elasticsearch.username-property and spring.cloud.vault.elasticsearch.password-property.

spring.cloud.vault:
    elasticsearch:
        enabled: true
        role: readonly
        backend: database
        username-property: spring.elasticsearch.rest.username
        password-property: spring.elasticsearch.rest.password
  • enabled setting this value to true enables the Elasticsearch database backend config usage

  • role sets the role name of the Elasticsearch role definition

  • backend sets the path of the Elasticsearch mount to use (Elasticsearch is served by the generic database backend, so this is the path of that mount)

  • username-property sets the property name in which the Elasticsearch username is stored

  • password-property sets the property name in which the Elasticsearch password is stored

8.5. MongoDB

The mongodb backend has been deprecated in Vault 0.7.1 and it is recommended to use the database backend and mount it as mongodb.

Spring Cloud Vault can obtain credentials for MongoDB. The integration can be enabled by setting spring.cloud.vault.mongodb.enabled=true (default false) and providing the role name with spring.cloud.vault.mongodb.role=….

Username and password are stored in spring.data.mongodb.username and spring.data.mongodb.password, so Spring Boot picks up the generated credentials without further configuration. You can configure the property names by setting spring.cloud.vault.mongodb.username-property and spring.cloud.vault.mongodb.password-property.

spring.cloud.vault:
    mongodb:
        enabled: true
        role: readonly
        backend: mongodb
        username-property: spring.data.mongodb.username
        password-property: spring.data.mongodb.password
  • enabled setting this value to true enables the MongoDB backend config usage

  • role sets the role name of the MongoDB role definition

  • backend sets the path of the MongoDB mount to use

  • username-property sets the property name in which the MongoDB username is stored

  • password-property sets the property name in which the MongoDB password is stored

8.6. MySQL

The mysql backend has been deprecated in Vault 0.7.1 and it is recommended to use the database backend and mount it as mysql. Configuration for spring.cloud.vault.mysql will be removed in a future version.

Spring Cloud Vault can obtain credentials for MySQL. The integration can be enabled by setting spring.cloud.vault.mysql.enabled=true (default false) and providing the role name with spring.cloud.vault.mysql.role=….

Username and password are available from the spring.datasource.username and spring.datasource.password properties, so Spring Boot picks up the generated credentials without further configuration. You can configure the property names by setting spring.cloud.vault.mysql.username-property and spring.cloud.vault.mysql.password-property.

spring.cloud.vault:
    mysql:
        enabled: true
        role: readonly
        backend: mysql
        username-property: spring.datasource.username
        password-property: spring.datasource.password
  • enabled setting this value to true enables the MySQL backend config usage

  • role sets the role name of the MySQL role definition

  • backend sets the path of the MySQL mount to use

  • username-property sets the property name in which the MySQL username is stored

  • password-property sets the property name in which the MySQL password is stored

8.7. PostgreSQL

The postgresql backend has been deprecated in Vault 0.7.1 and it is recommended to use the database backend and mount it as postgresql. Configuration for spring.cloud.vault.postgresql will be removed in a future version.

Spring Cloud Vault can obtain credentials for PostgreSQL. The integration can be enabled by setting spring.cloud.vault.postgresql.enabled=true (default false) and providing the role name with spring.cloud.vault.postgresql.role=….

Username and password are available from the spring.datasource.username and spring.datasource.password properties, so Spring Boot picks up the generated credentials without further configuration. You can configure the property names by setting spring.cloud.vault.postgresql.username-property and spring.cloud.vault.postgresql.password-property.

spring.cloud.vault:
    postgresql:
        enabled: true
        role: readonly
        backend: postgresql
        username-property: spring.datasource.username
        password-property: spring.datasource.password
  • enabled setting this value to true enables the PostgreSQL backend config usage

  • role sets the role name of the PostgreSQL role definition

  • backend sets the path of the PostgreSQL mount to use

  • username-property sets the property name in which the PostgreSQL username is stored

  • password-property sets the property name in which the PostgreSQL password is stored