Preface
The Spring Vault project applies core Spring concepts to the development of solutions using HashiCorp Vault. We provide a "template" as a high-level abstraction for storing and querying documents. You will notice similarities to the REST support in the Spring Framework.
This document is the reference guide for Spring Vault. It explains Vault concepts and semantics and the syntax.
This part of the reference documentation explains the core functionality offered by Spring Vault.
Vault support introduces the Vault module feature set.
1. Document Structure
This section provides a basic introduction to Spring and Vault. It contains details about following development and how to get support.
The rest of the document refers to Spring Vault features and assumes the user is familiar with HashiCorp Vault as well as Spring concepts.
2. Knowing Spring
Spring Vault uses the Spring Framework’s core functionality, such as the IoC container. While it is not important to know the Spring APIs, understanding the concepts behind them is. At a minimum, the idea behind IoC should be familiar for whatever IoC container you choose to use.
The core functionality of the Vault support can be used directly, with no need to invoke the IoC services of the Spring container. This is much like RestTemplate, which can be used 'standalone' without any other services of the Spring container. To leverage all the features of Spring Vault, such as the session support, you will need to configure some parts of the library using Spring.
To learn more about Spring, you can refer to the comprehensive (and sometimes disarming) documentation that explains in detail the Spring Framework. There are a lot of articles, blog entries and books on the matter - take a look at the Spring framework home page for more information.
3. Knowing Vault
Security and working with secrets is a concern of every developer working with databases, user credentials or API keys. Vault steps in by providing a secure storage combined with access control, revocation, key rolling and auditing. In short: Vault is a service for securely accessing and storing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more.
The jumping-off point for learning about Vault is www.vaultproject.io. Here is a list of useful resources:
- The manual introduces Vault and contains links to getting started guides, reference documentation and tutorials.
- The online shell provides a convenient way to interact with a Vault instance in combination with the online tutorial.
Spring Vault provides client-side support for accessing, storing and revoking secrets. With HashiCorp’s Vault you have a central place to manage external secret data for applications across all environments. Vault can manage static and dynamic secrets such as application data, username/password for remote applications/resources and provide credentials for external services such as MySQL, PostgreSQL, Apache Cassandra, Consul, AWS and more.
4. Requirements
Spring Vault 2.x binaries require JDK level 8.0 and above, and Spring Framework 6.0.11 and above.
In terms of Vault, at least Vault v0.9.6 is required.
5. Additional Help Resources
Learning a new framework is not always straightforward. In this section, we try to provide what we think is an easy-to-follow guide for starting with the Spring Vault module. However, if you encounter issues or you are just looking for advice, feel free to use one of the links below:
5.1. Support
There are a few support options available:
5.1.1. Community Forum
Post questions regarding Spring Vault on Stackoverflow to share information and help each other. Note that registration is needed only for posting.
5.1.2. Professional Support
Professional, from-the-source support, with guaranteed response time, is available from Pivotal Software, Inc., the company behind Spring Vault and Spring.
5.2. Following Development
For information on the Spring Vault source code repository, nightly builds and snapshot artifacts please see the Spring Vault homepage. You can help make Spring Vault best serve the needs of the Spring community by interacting with developers through the Community on Stackoverflow. If you encounter a bug or want to suggest an improvement, please create a ticket on the Spring Vault issue tracker. To stay up to date with the latest news and announcements in the Spring ecosystem, subscribe to the Spring Community Portal. Lastly, you can follow the Spring blog or the project team on Twitter (SpringCentral).
6. New & Noteworthy
6.1. What’s new in Spring Vault 3.0
- Upgrade to Spring Framework 6 and Java 17 baseline.
- Upgrade to AWS SDK 2.
6.2. What’s new in Spring Vault 2.4
- Support for Username/Password authentication using the Username/Password, LDAP, Okta, and RADIUS authentication methods.
- Support of versioned Key/Value secrets engines for Vault repositories.
- Optimistic locking support through Vault repositories using versioned Key/Value secrets engines.
6.3. What’s new in Spring Vault 2.3
- Support for PEM-encoded certificates for keystore and truststore usage.
- ReactiveVaultEndpointProvider for non-blocking lookup of VaultEndpoint.
- VaultKeyValueMetadataOperations for Key-Value metadata interaction.
- Support for transform secrets engine (Enterprise Feature).
- Documentation of how to use Vault secret backends.
- Login credentials for Kubernetes and PCF authentication are reloaded for each login attempt.
- SecretLeaseContainer publishes SecretLeaseRotatedEvent instead of SecretLeaseExpiredEvent and SecretLeaseCreatedEvent on successful secret rotation.
- AbstractVaultConfiguration.threadPoolTaskScheduler() bean type changed to TaskSchedulerWrapper instead of ThreadPoolTaskScheduler.
- Since 2.3.2: GcpIamCredentialsAuthentication.
6.4. What’s new in Spring Vault 2.2
- Support for Key-Value v2 (versioned secrets engine) secrets through @VaultPropertySource.
- SpEL support in @Secret.
- Add support for Jetty as reactive HttpClient.
- LifecycleAwareSessionManager and ReactiveLifecycleAwareSessionManager now emit AuthenticationEvents.
- Deprecation of AppIdAuthentication. Use AppRoleAuthentication instead, as recommended by HashiCorp Vault.
- CubbyholeAuthentication and wrapped AppRoleAuthentication now use sys/wrapping/unwrap endpoints by default.
- Kotlin Coroutines support for ReactiveVaultOperations.
6.5. What’s new in Spring Vault 2.1
- GCP Compute, GCP IAM, and Azure authentication.
- Template API support for versioned and unversioned Key/Value secrets engines and for Vault wrapping operations.
- Support full pull mode in reactive AppRole authentication.
- Improved Exception hierarchy for Vault login failures.
6.6. What’s new in Spring Vault 2.0
- Authentication steps DSL to compose authentication flows.
- Reactive Vault client via ReactiveVaultOperations.
- Vault repository support based on Spring Data KeyValue.
- Transit batch encrypt and decrypt support.
- Policy management for policies stored as JSON.
- Support CSR signing, certificate revocation and CRL retrieval.
- RoleId/SecretId unwrapping for AppRole authentication.
- Spring Security integration with transit secrets engine-based BytesKeyGenerator and BytesEncryptor.
6.7. What’s new in Spring Vault 1.1.0
- Configuration of encryption/decryption versions for transit keys.
- Pull mode for AppRole authentication.
- Transit batch encrypt and decrypt support.
- TTL-based generic secret rotation.