Hashi Corp KV Secrets Manager integration with SpringBoot Application

Securing your secrets inside application is not an easy task. Typically applications deployed to multiple environments, and developers have to maintain separate credentials for each environment in configuration files, if there is no encryption mechanism (most of the time :( ) those username and passwords or secrets for token generation (API keys), database connections are stored as plain text. If there is a security breach, sensitive data can be compromised and lose millions of your business, because of not having encryption in place.

To address this there are various solutions available in the market. The most popular ones are the AWS Secret Manager, HashiCorp, Google Cloud KMS etc. Most of these services provide Authorization to secret vaults, Verification of Usage of Keys, Encryption data at rest, Automated Key Rotation etc. Selecting a suitable application is depend on your requirement of the organization or by the features of the service. If you are using AWS and deployed your application is cloud, AWS Secret Manager is one best possibility, since the management overhead is minimal. But for some companies which having serious security concerns, they tend to use on premise solution, and Hashi Corp can be a suitable choice. 

The scope of this post is to how to configure and use HashiCorp KV Secret Engine, and consume those secrets inside a SpringBoot application.

Image source - https://www.vaultproject.io/

Configuring the Hashi Corp Vault.
1. Download the community version from [1]. https://www.vaultproject.io/downloads.html
2. Extract and set the path to the vault bin

export PATH=$PATH:/home/aruna/vault/bin

3. Start the vault with dev configuration

vault server --dev --dev-root-token-id="12345678" // use secure token to seed

 4. Now open another terminal and put some secrets to the vault, In KV secrets engine version 2 write operation has changed to put.

export PATH=$PATH:/home/aruna/vault/bin
vault kv put secret/my-secret username=spring-user password=se3ret

5. You can test the values are saved to vault using following curl command.

 curl --header "X-Vault-Token: 12345678"        http://127.0.0.1:8200/v1/secret/data/my-secret

      If the request is a success should get the below response.

{  
   "request_id":"b0a0f055-3eed-b3c1-353f-427de8f61bcd",
   "lease_id":"",
   "renewable":false,
   "lease_duration":0,
   "data":{  
      "data":{  
         "password":"se3ret",
         "username":"spring-user"
      },
      "metadata":{  
         "created_time":"2018-11-14T09:21:46.812937558Z",
         "deletion_time":"",
         "destroyed":false,
         "version":2
      }
   },
   "wrap_info":null,
   "warnings":null,
   "auth":null
}

More about the rest API can be found here.
[2]. https://www.vaultproject.io/api/secret/kv/kv-v2.html

Setting up the SpringBoot project to consume the secret stored above.

Add the following properties to your bootstrap.properties file. Before starting the application, these values should be injected to the spring vault to work.

spring.application.name=my-secret // name of the KV secrets engine
spring.cloud.vault.token=12345678 //token value set for server
spring.cloud.vault.scheme=http
spring.cloud.vault.kv.enabled=true

Then load the properties as follows.

@ConfigurationProperties
public class SecretConfiguration {

    private String username;
    private String password;

    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public String getPassword() 
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }
}

Full sample can be found here. [3]. https://github.com/arunasujith/hashi-corp-vault-sample
That's it for this article, hope you to see you in another exciting post.