Bill

Reputation: 357

Configuring Spring Cloud Vault Config to pull from a location other than /secret

I am currently integrating Spring Cloud Vault Config into a Spring Boot application. From the home page:

Spring Cloud Vault Config reads config properties from Vaults using the application name and active profiles:

/secret/{application}/{profile}
/secret/{application}
/secret/{default-context}/{profile}
/secret/{default-context}

I would like to instead provide my own location from which to pull properties from Vault which does not start with /secret (e.g. /deployments/prod). I've been looking through the reference documentation but I haven't found any way to specify this -- is it possible?

Upvotes: 10

Views: 11242

Answers (3)

NKRUS

Reputation: 31

I solved the same problem in my Kotlin project. But it works in Java too.

Problem

I wanted to specify vault paths in yaml config, so I ended up with the following solution, that allows you to specify paths directly in bootstrap.yml using clear syntax, as:

spring:
  cloud:
    vault:
      paths: "secret/your-app"

Solution:

  1. Create a VaultConfig class in your project, with the following content:

package com.your.app.configuration

import org.springframework.beans.factory.annotation.Value
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty
import org.springframework.cloud.vault.config.VaultConfigurer
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration

// Only active when spring.cloud.vault.paths is set; otherwise Spring Cloud Vault
// keeps its default /secret/{application} lookups.
@Configuration
@ConditionalOnProperty(
    prefix = "spring.cloud.vault", value = ["paths"],
    matchIfMissing = false
)
class VaultConfig {

    // Bound from spring.cloud.vault.paths. @Value resolves a single value and
    // Spring's conversion service splits a comma-separated string into the list.
    // A YAML sequence is flattened to paths[0], paths[1], ... and cannot be
    // resolved through @Value, so keep the property a comma-separated string.
    @Value("\${spring.cloud.vault.paths}")
    private lateinit var paths: List<String>

    @Bean
    fun configurer(): VaultConfigurer {
        return VaultConfigurer { configurer ->
            // Register each configured path as a secret backend to read from
            paths.forEach {
                configurer.add(it)
            }
            // Disable the built-in /secret/{application}/{profile} lookups
            configurer.registerDefaultGenericSecretBackends(false)
            // Do not add backends found through service discovery either
            configurer.registerDefaultDiscoveredSecretBackends(false)
        }
    }
}
  2. Create a spring.factories file at src/main/resources/META-INF/spring.factories with the following content:

org.springframework.cloud.bootstrap.BootstrapConfiguration=com.your.app.configuration.VaultConfig

Don't forget to specify a valid reference to your config instead of com.your.app.configuration.VaultConfig.

spring.factories allows your VaultConfig to be processed in the bootstrap context, as the documentation says.

  3. Now you can specify the desired paths in your bootstrap.yml, as follows:

spring:
  cloud:
    vault:
      # comma-separated so that @Value can resolve the property as a list
      paths: "secret/application,secret/your-app"

And it should work.

Upvotes: 3

Arun

Reputation: 3680

It should be done this way.

Have a Configuration class

import org.springframework.cloud.vault.config.SecretBackendConfigurer;
import org.springframework.cloud.vault.config.VaultConfigurer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class VaultConfiguration {

    @Bean
    public VaultConfigurer configurer() {
        return new VaultConfigurer() {
            @Override
            public void addSecretBackends(SecretBackendConfigurer configurer) {
                // Each add() registers one Vault path as a property source
                configurer.add("secret/my-app/path-1");
                configurer.add("secret/my-app/path-2");

                // Stop Spring Cloud Vault from also reading the default
                // /secret/{application}/{profile} paths
                configurer.registerDefaultGenericSecretBackends(false);
            }
        };
    }
}

This way you can scan your secrets placed in a custom path.

Regards Arun

Upvotes: 3
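A fuller version of the VaultConfigurer approach, added here as an example and not code from either answer or from Spring Cloud Vault itself. It reads from a custom root such as deployments/prod (the path asked about in the question), adds one extra path per active Spring profile, and switches off both default lookups so that nothing under /secret is consulted. The package name, the DeploymentVaultConfiguration class, the bean name and the deployments/prod root are assumptions for illustration; the VaultConfigurer, SecretBackendConfigurer and Environment types are the real Spring ones. Like any VaultConfigurer it has to be registered as bootstrap configuration in META-INF/spring.factories, as the other answer shows.

```java
package com.example.vault; // hypothetical package for this example

import org.springframework.cloud.vault.config.SecretBackendConfigurer;
import org.springframework.cloud.vault.config.VaultConfigurer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;

/**
 * Replaces the default /secret/{application}/{profile} lookups with paths
 * under a custom root (assumed here: "deployments/prod").
 *
 * Register it in src/main/resources/META-INF/spring.factories as
 *   org.springframework.cloud.bootstrap.BootstrapConfiguration=com.example.vault.DeploymentVaultConfiguration
 * so that it is picked up in the bootstrap context, where Spring Cloud Vault
 * collects its secret backends.
 */
@Configuration
public class DeploymentVaultConfiguration {

    // Root path in Vault; a hypothetical value chosen for this example.
    private static final String ROOT = "deployments/prod";

    private final Environment environment;

    // The bootstrap Environment is injected; its active profiles are the
    // ones set via spring.profiles.active when the application starts.
    public DeploymentVaultConfiguration(Environment environment) {
        this.environment = environment;
    }

    @Bean
    public VaultConfigurer vaultConfigurer() {
        // VaultConfigurer has a single method, so a lambda can implement it
        return (SecretBackendConfigurer configurer) -> {
            // The shared path every deployment reads, e.g. deployments/prod
            configurer.add(ROOT);

            // One extra path per active profile, e.g. deployments/prod/eu-west
            for (String profile : environment.getActiveProfiles()) {
                configurer.add(ROOT + "/" + profile);
            }

            // Without these two calls Spring Cloud Vault would still consult
            // /secret/{application}, /secret/{default-context} and any backend
            // found through service discovery, so the token would need read
            // access there too.
            configurer.registerDefaultGenericSecretBackends(false);
            configurer.registerDefaultDiscoveredSecretBackends(false);
        };
    }
}
```

Listing the paths explicitly is also what lets the Vault token policy for the application be kept to read access on those paths alone; the default lookups force the policy to cover /secret/{application} and /secret/{default-context} as well. Whether a key under a profile path overrides the same key under the root depends on how the installed Spring Cloud Vault version orders the resulting property sources, so check that with a key present in both paths before relying on it. Newer Spring Cloud Vault releases deprecate registerDefaultGenericSecretBackends in favour of registerDefaultKeyValueSecretBackends; the call above matches the method name used on this page.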

Bill

Reputation: 357

I was able to use the Generic Backend properties to massage the paths into what I was looking for. Something like:

spring.cloud.vault:
    generic:
        enabled: true
        backend: deployments
        profile-separator: '/'
        default-context: prod
        application-name: my-app

This will also unfortunately pick up Vault locations like deployments/my-app and deployments/prod/activeProfile, so be careful not to have any properties in these locations that you don't want to be picked up.

It looks like there is a desire (and an implementation) to allow for these paths to be specified more programmatically.

Upvotes: 5
