Spring Cloud Services v1.4

Configuring with Vault

Overview

HashiCorp Vault is a secrets management tool, which encrypts and stores credentials, API keys, and other secrets for use in distributed systems. It provides support for access control lists, secret revocation, auditing, and leases and renewals, and includes special capabilities for common infrastructure and systems such as AWS, MySQL, and RabbitMQ, among others. For more information about Vault, see the documentation.

Spring Cloud Config provides a Vault backend so that the Spring Cloud Config Server can serve configuration stored in Vault. The Spring Cloud Services Config Server supports this backend and can serve configuration stored in Vault to client applications which have been given access to the Vault server (this includes provision of a Vault access token for the client application).

Important: Spring Cloud Services does not provide a HashiCorp Vault server. You must provide your own Vault server in order to use Config Server with Vault.

See below for information about configuring a Config Server service instance to use a HashiCorp Vault server for a configuration source.

General Configuration

Parameters used to configure a configuration source are part of a JSON object called vault, as in {"vault": { "host": "127.0.0.1", "port": "8200" } }.

Important: The Spring Cloud Services Config Server supports only one Vault backend, so only one vault object is permitted in the configuration parameters.

General parameters used to configure a Config Server configuration source are listed below.

Parameter         Function
host              The host of the Vault server
port              The port of the Vault server
scheme            The URI scheme used in accessing the Vault server (default value: http)
backend           The name of the Vault backend from which to retrieve configuration (default value: secret)
defaultKey        The default key from which to retrieve configuration (default value: application)
profileSeparator  The value used to separate profiles (default value: ,)

The value of defaultKey is masked in the Config Server dashboard.

For information about writing a client application that accesses configuration values from a Config Server which has been configured to use Vault, see the Use a HashiCorp Vault Server section of the Writing Client Applications topic.

HTTP(S) Proxy Repository Access

You can configure a Config Server service instance to access a configuration source using an HTTP or HTTPS proxy. To do so, provide proxy settings in the vault.proxy.http JSON object, the vault.proxy.https JSON object, or both. You can set the proxy host and port, the proxy username and password (if the proxy requires authentication), and a list of hosts which the Config Server should access directly, bypassing the proxy.

Settings for an HTTP proxy are set in the vault.proxy.http object. These might be set as shown in the following JSON:

'{"vault": { "proxy": { "http": { "host": "proxy.wise.com", "port": "80" } } } }'

Settings for an HTTPS proxy are set in the vault.proxy.https object. These might be set as shown in the following JSON:

'{"vault": { "proxy": { "https": { "host": "secure.wise.com", "port": "443" } } } }'

Note: Some networks require that separate proxy servers are used for HTTP and HTTPS URLs. In such a case, you can set both the proxy.http and proxy.https objects.

The parameters used to configure HTTP or HTTPS proxy settings for the Config Server are listed below.

Parameter                  Function
proxy.http                 A proxy object, containing HTTP proxy fields
proxy.http.host            The HTTP proxy host
proxy.http.port            The HTTP proxy port
proxy.http.nonProxyHosts   The hosts to access outside the HTTP proxy
proxy.http.username        The username to use with an authenticated HTTP proxy
proxy.http.password        The password to use with an authenticated HTTP proxy
proxy.https                A proxy object, containing HTTPS proxy fields
proxy.https.host           The HTTPS proxy host
proxy.https.port           The HTTPS proxy port
proxy.https.nonProxyHosts  The hosts to access outside the HTTPS proxy (if proxy.http.nonProxyHosts is also provided, http.nonProxyHosts will be used instead of https.nonProxyHosts)
proxy.https.username       The username to use with an authenticated HTTPS proxy (if proxy.http.username is also provided, http.username will be used instead of https.username)
proxy.https.password       The password to use with an authenticated HTTPS proxy (if proxy.http.password is also provided, http.password will be used instead of https.password)

To configure a Config Server service instance that uses an HTTP proxy to access a configuration source, use the following JSON object:

'{"vault": { "host": "127.0.0.1", "port": "8200", "proxy": { "http": { "host": "proxy.wise.com", "port": "80" } } } }'

To configure a Config Server service instance that uses an authenticated HTTPS proxy to access a configuration source, specifying that example.com should be accessed outside of the proxy, use the following JSON object:

'{"vault": { "host": "127.0.0.1", "port": "8200", "proxy": { "https": { "host": "secure.wise.com", "port": "443", "username": "jim", "password": "wright62", "nonProxyHosts": "example.com" } } } }'
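As an added example (not code from the Spring Cloud Services product or its documentation), the following Python checks a vault parameter object before it is handed to the CLI, using the rules in the two tables above: it applies the documented defaults, resolves the http-over-https precedence for the shared proxy fields, and rejects a second vault object. The lint function, its findings and its loopback-host list are this example's own assumptions.

```python
import json

# Default values the page documents for the vault object.
DEFAULTS = {"scheme": "http", "backend": "secret",
            "defaultKey": "application", "profileSeparator": ","}
# Fields for which proxy.http.<field> is used in place of proxy.https.<field>.
SHARED_PROXY_FIELDS = ("nonProxyHosts", "username", "password")


def _reject_duplicates(pairs):
    """object_pairs_hook: only one vault object (or any key) may appear per object."""
    keys = [k for k, _ in pairs]
    dupes = sorted({k for k in keys if keys.count(k) > 1})
    if dupes:
        raise ValueError(f"duplicate keys not permitted: {dupes}")
    return dict(pairs)


def resolve_vault_config(text):
    """Parse the JSON parameter string and return the effective Vault and proxy settings."""
    params = json.loads(text, object_pairs_hook=_reject_duplicates)
    vault = params.get("vault")
    if not isinstance(vault, dict):
        raise ValueError("a vault object is required")
    for field in ("host", "port"):
        if field not in vault:
            raise ValueError(f"vault.{field} is required")
    effective = {**DEFAULTS, **{k: v for k, v in vault.items() if k != "proxy"}}
    effective["url"] = f"{effective['scheme']}://{effective['host']}:{effective['port']}"
    proxies = vault.get("proxy", {})
    http, https = proxies.get("http", {}), dict(proxies.get("https", {}))
    if https:  # documented precedence: http.* wins for the shared fields
        for field in SHARED_PROXY_FIELDS:
            if field in http:
                https[field] = http[field]
    effective["proxy"] = {k: v for k, v in (("http", http), ("https", https)) if v}
    return effective


def lint_vault_config(text):
    """Review findings (assumed checks): cleartext transport to a remote Vault, inline credentials."""
    cfg = resolve_vault_config(text)
    findings = []
    if cfg["scheme"] == "http" and cfg["host"] not in ("127.0.0.1", "localhost", "::1"):
        findings.append("scheme is http: tokens and secrets reach Vault in cleartext")
    for name, proxy in cfg["proxy"].items():
        if "password" in proxy:
            findings.append(f"proxy.{name}.password is stored in the service parameters")
    return findings
```

Run it over the JSON strings shown on this page (without the surrounding shell quotes) to see the effective proxy settings the Config Server will use.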