How to use AppRole authentication for Vault using Spring Boot?


In my application we are making two calls from my app for getting secrets from Vault, as shown below:

  1. Login to Vault : POST call to https::/v1/auth/approle/login -- It will take role_id and secret_id as payload and response will be client_token.

  2. Fetch secrets : GET call to https::/v1/secret/data/abc/dev/xyz.json -- It will take headers as X-Vault-Token and X-Vault-Namespace and it will give you the response as below:

    {
      "request_id": "......",
      "lease_id": "",
      "renewable": false,
      "lease_duration": 0,
      "data": {
        "data": { "name": "ABC" },
        "metadata": { "created_time": "...", "deletion_time": "", "destroyed": false, "version": 1 }
      }
    }

Now I want to use Spring Cloud Vault Dependency to make things work through it. Please provide me the proper illustrations to make this work?

1

There are 1 answers

3
jokarls On BEST ANSWER

Assuming you are running spring boot and have a working Vault server configured for your app.

Add spring cloud vault maven dependency

    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-vault-config</artifactId>
    </dependency>

Add vault configuration to bootstrap.yaml

    spring:
      application:
        name: abc
      cloud:
        vault:
          host: <vault-server-hostname>
          port: <vault-server-port>
          scheme: HTTPS
          namespace: <name-of-vault-namespace>
          authentication: APPROLE
          app-role:
            role-id: <your-application-role-id>
            secret-id: <your-application-secret-id>
            role: <your-application-role>

If you run your app with spring profiles, like dev, it will be picked up and added to the vault path.

Now you should be able to inject secrets stored on the path secret/data/abc/dev with @Value("${<name-of-property>}").
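
For reference, the two calls from the question that Spring Cloud Vault performs for you, written out by hand as an added example (not part of the original answer or of Spring's code). It assumes Jackson is on the classpath, that the environment variables VAULT_ADDR, VAULT_NAMESPACE, VAULT_ROLE_ID and VAULT_SECRET_ID are set (names chosen for this example), and that the AppRole mount lives in the same namespace as the secret.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.Map;

// Added example: AppRole login followed by a KV v2 read, using the JDK HTTP client.
public class AppRoleFlow {
    private static final ObjectMapper JSON = new ObjectMapper();
    private static final HttpClient HTTP = HttpClient.newHttpClient();

    public static void main(String[] args) throws Exception {
        // Assumed environment variable names; no credential is hard-coded or committed.
        String addr = System.getenv("VAULT_ADDR");           // https://<host>:<port>
        String namespace = System.getenv("VAULT_NAMESPACE");
        String login = JSON.writeValueAsString(Map.of(
                "role_id", System.getenv("VAULT_ROLE_ID"),
                "secret_id", System.getenv("VAULT_SECRET_ID")));

        // Call 1: AppRole login. The token is nested under auth.client_token.
        // Assumption: the approle mount is inside the namespace, so the header is sent here too.
        JsonNode auth = send(HttpRequest.newBuilder(URI.create(addr + "/v1/auth/approle/login"))
                .header("X-Vault-Namespace", namespace)
                .POST(HttpRequest.BodyPublishers.ofString(login)).build());
        String token = auth.at("/auth/client_token").asText();
        if (token.isEmpty()) throw new IllegalStateException("login returned no client_token");

        // Call 2: KV v2 read. The secret's key/value pairs sit under data.data.
        JsonNode secret = send(HttpRequest.newBuilder(URI.create(addr + "/v1/secret/data/abc/dev"))
                .header("X-Vault-Token", token)
                .header("X-Vault-Namespace", namespace)
                .GET().build());
        JsonNode data = secret.at("/data/data");
        // Print key names only, so secret values never reach stdout or logs.
        data.fieldNames().forEachRemaining(k -> System.out.println("loaded key: " + k));
    }

    private static JsonNode send(HttpRequest request) throws Exception {
        HttpResponse<String> resp = HTTP.send(request, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) {
            // Report the status only; response bodies may carry sensitive detail.
            throw new IllegalStateException(request.uri().getPath() + " -> HTTP " + resp.statusCode());
        }
        return JSON.readTree(resp.body());
    }
}
```

Spring resolves `${...}` placeholders in bootstrap.yaml from environment variables as well, so the role-id and secret-id in the configuration above can be supplied the same way instead of being written into the file.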