HashiCorp’s Vault provides a central place to manage external secret data for applications across all environments. Vault can manage static and dynamic secrets such as application data, username/password for remote applications/resources and provide credentials for external services such as MySQL, PostgreSQL, Apache Cassandra, Consul, AWS and more.
- Java 6 or higher
- Vault 0.5 or higher
- Run `brew install vault`. This updates brew and installs Vault; at the time of writing it installs 0.7.2.
- Run `vault version`. It should print the installed version.
- Run `vault server -dev`. This starts a development-only server in the foreground.
- Run `export VAULT_ADDR='http://127.0.0.1:8200'` in a separate terminal. The CLI talks to Vault over HTTPS by default, and the dev server listens on plain HTTP, so the address has to be set explicitly.
- Verify the server is running and reachable by running `vault status`.
Important things about this server:
- TLS is not enabled; traffic to the dev server is plain HTTP
- Secrets are stored in memory only and are lost when the process exits
- It starts already initialized and unsealed, and prints its root token and single unseal key to the console
- It is not suitable for production environments
Goal: To know more about Vault operations.
- Run `vault write secret/hello value=world3`.
- Run `vault read secret/hello`. The stored secret is shown.
- Add `-format=json` to the previous command to get the output as JSON.
- Run `vault delete secret/hello` to delete the secret.
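The same write/read/delete sequence as a Java program using Spring Vault's `VaultTemplate`, added here as an example (it is not part of the workshop code). It assumes the dev server started above is listening on `http://127.0.0.1:8200` and that its root token, printed when `vault server -dev` started, has been exported as `VAULT_TOKEN`:

```java
import java.util.Collections;
import java.util.Map;

import org.springframework.vault.authentication.TokenAuthentication;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.core.VaultTemplate;
import org.springframework.vault.support.VaultResponse;

// Assumptions (not stated on the page): the dev server from the previous steps is
// listening on http://127.0.0.1:8200 and its root token, printed when
// `vault server -dev` started, has been exported as VAULT_TOKEN.
public class GenericSecretDemo {

    static VaultTemplate devServerTemplate() {
        // VaultEndpoint defaults to https, just like the CLI; the dev server only speaks http.
        VaultEndpoint endpoint = VaultEndpoint.create("127.0.0.1", 8200);
        endpoint.setScheme("http");
        String token = System.getenv("VAULT_TOKEN");
        if (token == null) {
            throw new IllegalStateException("export VAULT_TOKEN=<root token printed by vault server -dev>");
        }
        return new VaultTemplate(endpoint, new TokenAuthentication(token));
    }

    public static void main(String[] args) {
        VaultTemplate vault = devServerTemplate();

        // vault write secret/hello value=world3
        vault.write("secret/hello", Collections.singletonMap("value", "world3"));

        // vault read secret/hello
        // getData() is the "data" object that `-format=json` prints; the lease fields
        // (lease_id, lease_duration, renewable) sit next to it on the response.
        VaultResponse response = vault.read("secret/hello");
        Map<String, Object> data = response.getData();
        System.out.println("value = " + data.get("value"));
        System.out.println("lease_duration = " + response.getLeaseDuration());

        // vault delete secret/hello
        vault.delete("secret/hello");
        // read() returns null for a path that does not exist (HTTP 404)
        System.out.println("present after delete: " + (vault.read("secret/hello") != null));
    }
}
```

Run it while the dev server is up; the CLI commands in the comments can be used side by side to confirm each step from the terminal.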
Spring Vault is a framework from Spring that provides familiar Spring abstractions and client-side support for accessing, storing and revoking secrets when interacting with Vault.
- `@VaultPropertySource`, an annotation that loads the keys stored at a Vault path into the Spring Environment as properties
- `EnvironmentVaultConfiguration`, a ready-made configuration class that builds the Vault client (endpoint, authentication) from properties in the Spring Environment such as `vault.uri` and `vault.token`
- `VaultTemplate`, the class that exposes the common Vault operations (write, read, delete)
- Create a secret on your local Vault server.
- Open the exercise1 folder in your IDE.
- Complete the missing code for reading the Vault secret.
- Make sure to print the value Vault returns to standard output.
- Open the exercise2 folder in your IDE.
- Complete the missing code for reading, writing and deleting a Vault secret.
- Run it, make sure it works, and verify the result on the local Vault server.
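A configuration that loads a secret through `@VaultPropertySource` instead of calling `VaultTemplate` by hand, added here as an example of the exercise1 approach (it is not the workshop's solution). It assumes the dev server is on `http://127.0.0.1:8200`, that `VAULT_TOKEN` holds its root token, and that `secret/hello` was written with `vault write secret/hello value=world3`; the class and bean names are made up for the example:

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.support.PropertySourcesPlaceholderConfigurer;
import org.springframework.vault.annotation.VaultPropertySource;
import org.springframework.vault.authentication.ClientAuthentication;
import org.springframework.vault.authentication.TokenAuthentication;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.config.AbstractVaultConfiguration;

// Assumptions: the dev server is on http://127.0.0.1:8200, VAULT_TOKEN holds its root
// token, and secret/hello was written with `vault write secret/hello value=world3`.
@Configuration
@VaultPropertySource("secret/hello")   // every key stored under secret/hello becomes a property
public class VaultPropertyDemo extends AbstractVaultConfiguration {

    @Override
    public VaultEndpoint vaultEndpoint() {
        VaultEndpoint endpoint = VaultEndpoint.create("127.0.0.1", 8200);
        endpoint.setScheme("http");   // the dev server has no TLS
        return endpoint;
    }

    @Override
    public ClientAuthentication clientAuthentication() {
        // Token auth is the simplest option and fits the dev server; real deployments
        // should use one of the auth backends listed later on this page.
        return new TokenAuthentication(System.getenv("VAULT_TOKEN"));
    }

    @Bean
    public static PropertySourcesPlaceholderConfigurer placeholderConfigurer() {
        return new PropertySourcesPlaceholderConfigurer();   // resolves ${...} in @Value
    }

    // The bean that consumes the secret. "value" is the key written by the CLI step.
    public static class Greeter {
        @Value("${value}")
        private String value;

        public String greeting() {
            return "hello " + value;
        }
    }

    public static void main(String[] args) {
        AnnotationConfigApplicationContext ctx =
                new AnnotationConfigApplicationContext(VaultPropertyDemo.class, Greeter.class);
        try {
            System.out.println(ctx.getBean(Greeter.class).greeting());
        } finally {
            ctx.close();
        }
    }
}
```

`AbstractVaultConfiguration` registers the `vaultTemplate` bean that `@VaultPropertySource` needs; the placeholder configurer makes an unresolvable `${value}` fail at start-up instead of injecting the literal string.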
A secret backend in Vault is a component, mounted at a path, that generates, stores and reads secrets. Several backends are built in, and more are added with each release.
Existing backends:
- AWS
- Consul
- Database
- Generic
- RabbitMQ
- SSH, and others
A dynamic secret is generated by a backend on demand when a client asks for it. Unlike a static secret it comes with a lease: it can be revoked at any time and is revoked automatically when its lease expires.
- Run `vault mount database`. The database backend is now mounted at the `database/` path.
- Follow the instructions for the database management system you are using (MySQL instance: click here; PostgreSQL instance: click here).
- Now create a user/password using the database backend. Run `vault read database/creds/readonly` to get a set of fully functional credentials for the `readonly` role.
- Verify that you can connect to the database using the returned credentials.
For this exercise you need a database backend set up on your Vault server, as described in the previous steps.
- Open the exercise3 folder in your IDE.
- Complete the missing code and verify that it receives a new database user each time it runs.
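The dynamic-secret steps above and the exercise3 behaviour in one Java program, added here as an example (not the workshop's solution). It assumes the dev server on `http://127.0.0.1:8200` with its root token in `VAULT_TOKEN`, the database backend mounted at `database/` with a role named `readonly` (from the per-database instructions), the matching JDBC driver on the classpath, and the database's JDBC URL exported as `JDBC_URL`; the `sys/leases/revoke` endpoint is assumed to be available (Vault 0.7 or newer):

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Collections;
import java.util.Map;

import org.springframework.vault.authentication.TokenAuthentication;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.core.VaultTemplate;
import org.springframework.vault.support.VaultResponse;

// Assumptions: dev server on http://127.0.0.1:8200 with its root token in VAULT_TOKEN,
// the database backend mounted at database/ with a role named "readonly" (from the
// per-database instructions above), the matching JDBC driver on the classpath, and the
// JDBC URL of that database exported as JDBC_URL (e.g. jdbc:postgresql://localhost:5432/mydb).
public class DynamicCredentialsDemo {

    static VaultTemplate devServerTemplate() {
        VaultEndpoint endpoint = VaultEndpoint.create("127.0.0.1", 8200);
        endpoint.setScheme("http");
        return new VaultTemplate(endpoint, new TokenAuthentication(System.getenv("VAULT_TOKEN")));
    }

    // Equivalent of `vault read database/creds/readonly`: each call makes Vault create a
    // brand-new database user and hand back its name, password and lease.
    static VaultResponse leaseCredentials(VaultTemplate vault) {
        VaultResponse creds = vault.read("database/creds/readonly");
        if (creds == null) {
            throw new IllegalStateException("no credentials: is database/ mounted and the readonly role defined?");
        }
        return creds;
    }

    static boolean canConnect(String username, String password) {
        Connection connection = null;
        try {
            connection = DriverManager.getConnection(System.getenv("JDBC_URL"), username, password);
            return connection.isValid(5);
        } catch (SQLException e) {
            return false;   // user does not exist (any more) or password is wrong
        } finally {
            if (connection != null) {
                try { connection.close(); } catch (SQLException ignored) { }
            }
        }
    }

    // Explicit revocation through sys/leases/revoke (Vault 0.7 or newer; older releases
    // expose the same operation as sys/revoke/<lease_id>). Vault then drops the user.
    static void revoke(VaultTemplate vault, String leaseId) {
        vault.write("sys/leases/revoke", Collections.singletonMap("lease_id", leaseId));
    }

    public static void main(String[] args) {
        VaultTemplate vault = devServerTemplate();

        VaultResponse first = leaseCredentials(vault);
        VaultResponse second = leaseCredentials(vault);
        Map<String, Object> d1 = first.getData();
        Map<String, Object> d2 = second.getData();

        System.out.println("first user : " + d1.get("username")
                + " (lease " + first.getLeaseId() + ", ttl " + first.getLeaseDuration() + "s)");
        System.out.println("second user: " + d2.get("username"));
        System.out.println("users differ: " + !d1.get("username").equals(d2.get("username")));

        String user = (String) d1.get("username");
        String password = (String) d1.get("password");
        System.out.println("connect with first user: " + canConnect(user, password));

        revoke(vault, first.getLeaseId());
        System.out.println("connect after revoke:    " + canConnect(user, password));
    }
}
```

Two reads yield two different users, and once the first lease is revoked its credentials stop working, which is the property that makes dynamic secrets safe to hand to short-lived application instances. Leases that are not revoked explicitly expire on their own after `lease_duration` seconds.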
Sealing Vault discards the master key from memory, so no secret can be read or written until it is unsealed again with enough unseal key shares.
- Run `vault seal` to seal the vault.
- Try to run one of the exercises above and see what happens.
- Run `vault unseal` to unseal the vault. It prompts for an unseal key; the dev server printed its single key when it started.
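The seal/unseal cycle driven from Java through `VaultTemplate.opsForSys()`, added here as an example (not workshop code). It assumes the dev server on `http://127.0.0.1:8200`, its root token in `VAULT_TOKEN` and the single unseal key it printed at start-up in `VAULT_UNSEAL_KEY`:

```java
import org.springframework.vault.VaultException;
import org.springframework.vault.authentication.TokenAuthentication;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.core.VaultSysOperations;
import org.springframework.vault.core.VaultTemplate;
import org.springframework.vault.support.VaultUnsealStatus;

// Assumptions: dev server on http://127.0.0.1:8200, its root token in VAULT_TOKEN and
// the single unseal key it printed at start-up in VAULT_UNSEAL_KEY.
public class SealDemo {

    static VaultTemplate devServerTemplate() {
        VaultEndpoint endpoint = VaultEndpoint.create("127.0.0.1", 8200);
        endpoint.setScheme("http");
        return new VaultTemplate(endpoint, new TokenAuthentication(System.getenv("VAULT_TOKEN")));
    }

    // What an application sees: a sealed Vault rejects every secret operation.
    static boolean secretReadable(VaultTemplate vault) {
        try {
            vault.read("secret/hello");   // null for a missing path, exception if Vault refuses
            return true;
        } catch (VaultException e) {
            // A sealed Vault answers HTTP 503 "Vault is sealed"
            System.out.println("read refused: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        VaultTemplate vault = devServerTemplate();
        VaultSysOperations sys = vault.opsForSys();

        sys.seal();                                                            // vault seal
        System.out.println("sealed: " + sys.getUnsealStatus().isSealed());
        System.out.println("readable while sealed: " + secretReadable(vault));

        VaultUnsealStatus status = sys.unseal(System.getenv("VAULT_UNSEAL_KEY"));   // vault unseal
        System.out.println("sealed after unseal: " + status.isSealed()
                + " (progress " + status.getProgress() + "/" + status.getSecretThreshold() + ")");
        System.out.println("readable after unseal: " + secretReadable(vault));
    }
}
```

`sys/seal-status` and `sys/unseal` are reachable while sealed, which is why the status query and the unseal call succeed when everything else fails. A production Vault uses several key shares, so `unseal` has to be called once per share until `isSealed()` turns false.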
Vault supports several authentication backends. The most common are listed below:
- Token
- Username/password
- GitHub
- AWS
- AppId / AppRole
- LDAP
- TLS certificates
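AppRole is the backend meant for applications, so a `VaultTemplate` that logs in with a role id and secret id instead of a root token is added here as an example (not workshop code). It assumes the Spring Vault 1.x API, the dev server on `http://127.0.0.1:8200`, and an AppRole role prepared with the root token as shown in the comments; `myapp` and the environment variable names are made up for the example:

```java
import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.vault.VaultException;
import org.springframework.vault.authentication.AppRoleAuthentication;
import org.springframework.vault.authentication.AppRoleAuthenticationOptions;
import org.springframework.vault.authentication.ClientAuthentication;
import org.springframework.vault.client.VaultClients;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.core.VaultTemplate;
import org.springframework.vault.support.VaultResponse;
import org.springframework.web.client.RestOperations;

// Assumptions: Spring Vault 1.x API, dev server on http://127.0.0.1:8200, and an AppRole
// prepared with the root token, e.g.
//   vault auth-enable approle
//   vault write auth/approle/role/myapp policies=default
//   vault read auth/approle/role/myapp/role-id        -> export APPROLE_ROLE_ID=...
//   vault write -f auth/approle/role/myapp/secret-id  -> export APPROLE_SECRET_ID=...
public class AppRoleDemo {

    static VaultTemplate appRoleTemplate(VaultEndpoint endpoint, String roleId, String secretId) {
        // AppRoleAuthentication needs its own RestOperations to call auth/approle/login,
        // because no session token exists yet when it runs.
        RestOperations rest = VaultClients.createRestTemplate(endpoint, new SimpleClientHttpRequestFactory());
        AppRoleAuthenticationOptions options = AppRoleAuthenticationOptions.builder()
                .roleId(roleId)
                .secretId(secretId)
                .build();
        ClientAuthentication auth = new AppRoleAuthentication(options, rest);
        // The template logs in on first use and reuses the resulting client token.
        return new VaultTemplate(endpoint, auth);
    }

    public static void main(String[] args) {
        VaultEndpoint endpoint = VaultEndpoint.create("127.0.0.1", 8200);
        endpoint.setScheme("http");

        VaultTemplate vault = appRoleTemplate(endpoint,
                System.getenv("APPROLE_ROLE_ID"), System.getenv("APPROLE_SECRET_ID"));

        // The client token obtained via AppRole carries only the "default" policy, so it can
        // inspect itself but is not allowed to read secret/hello; Vault's error shows that.
        VaultResponse self = vault.read("auth/token/lookup-self");
        System.out.println("policies: " + self.getData().get("policies"));
        try {
            vault.read("secret/hello");
            System.out.println("secret/hello readable (policy grants it)");
        } catch (VaultException e) {
            System.out.println("secret/hello denied: " + e.getMessage());
        }
    }
}
```

The point of the denied read is that the token an application receives is bounded by the role's policies, not by the root token used to set the role up; attach a policy that allows `secret/hello` to the role and the second read succeeds.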