Reputation: 125
We have one Spring Boot application in which we have multiple client databases in the application.properties file. We are now trying to use a Vault server, and we have a requirement to keep the database credentials separate from each other. Is there any way we can have multiple Vault servers, or can we use different Vault tokens for different credentials? Any help will be appreciated.
Upvotes: 0
Views: 193
Reputation: 10171
Having a Vault per secret would keep them separated, but the burden of maintenance would be unmanageable. Here is my suggestion based on psychic debugging.
You must start by giving out as many Vault roles as there are things to separate. Basically you would have:
[Credentials] ---allow use of a---> [Role] ---can access---> [Secrets]
In a mature configuration, you would have dynamic and ephemeral application credentials and database secrets. But let's stick with static passwords for now.
With that in hand, you need to store each secret as a single secret. For example:
vault kv put secret/databases/marketing/database_1 username=scott password=tiger
You should not store all your passwords in a single secret like this:
$ vault kv get --format yaml --field passwords secret/databases
|
{
  "database_1": {"username": "scott", "password": "tiger"},
  "database_2": {"username": "foo", "password": "blah"},
  "database_3": {"username": "bar", "password": "overflow"}
}
With your secrets separated in storage, you can assign a policy to a role that will allow it to read a specific set of secrets (maybe even just one per application).
It requires some planning to keep your naming scheme flexible, but in the end the model will be:
[Credentials] ---(allow use of a)---> [Role] ---(can access)---> [Secrets]
                                                                     |
                                                         (access controlled by a)
                                                                     |
                                                                     V
                                                                 [Policy]
Assigning a policy to a path is how you separate secrets in a single Vault.
FYI, Vault Enterprise gives you namespaces to further enhance this scheme.
Upvotes: 0
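The per-application policy and role that the answer describes, as an added example (not code from the answer). It assumes the KV v2 engine mounted at secret/ (the dev-server default), so the policy path carries the "data/" segment that the `vault kv put` path does not; team and database names are placeholders.

```shell
#!/usr/bin/env sh
# Added example: one read-only policy and one token per application, so each
# app can read only its own database credential. Assumes KV v2 at secret/
# (policy paths use secret/data/..., while `vault kv` paths omit "data/").

# Emit a Vault policy that grants read on exactly one KV v2 secret path.
policy_hcl() {
  team="$1"; db="$2"
  cat <<EOF
# Read-only access to a single database credential.
path "secret/data/databases/${team}/${db}" {
  capabilities = ["read"]
}
EOF
}

# Store one credential as its own secret, write the matching policy, and
# hand out a token that carries nothing but that policy.
provision_app() {
  team="$1"; db="$2"; user="$3"; pass="$4"
  vault kv put "secret/databases/${team}/${db}" username="$user" password="$pass"
  policy_hcl "$team" "$db" | vault policy write "${team}-${db}-reader" -
  # Application token: only the single policy above, without the default policy.
  vault token create -policy="${team}-${db}-reader" -no-default-policy -field=token
}

# Constructed sample values: each application receives a distinct token and
# cannot read the other application's path.
# provision_app marketing database_1 scott tiger
# provision_app finance   database_2 foo   blah
```

A token minted this way fails with "permission denied" on any path outside its policy, which is the separation the question asks for inside a single Vault.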