Authentication methods

不同的组织对安全和身份验证有不同的需求。Vault 通过提供多种身份验证方法来反映这种需求。Spring Cloud Vault 支持令牌和 AppId 身份验证。

Different organizations have different requirements for security and authentication. Vault reflects that need by shipping multiple authentication methods. Spring Cloud Vault supports token and AppId authentication.

Token authentication

令牌是 Vault 中的身份验证核心方法。令牌身份验证需要提供一个静态令牌来使用配置。作为后备，也可以从 `~/.vault-token`中检索令牌，这是 Vault CLI 用于缓存令牌的默认位置。

Tokens are the core method for authentication within Vault. Token authentication requires a static token to be provided using the configuration. As a fallback, the token may also be retrieved from ~/.vault-token which is the default location used by the Vault CLI to cache tokens.

令牌验证是默认验证方法。如果公开了一个令牌，则未经计划的一方可以访问 Vault 并可以访问目标客户端的机密。

Token authentication is the default authentication method. If a token is disclosed an unintended party gains access to Vault and can access secrets for the intended client.

application.yml

spring.cloud.vault:
    authentication: TOKEN
    token: 00000000-0000-0000-0000-000000000000

authentication setting this value to TOKEN selects the Token authentication method
token sets the static token to use. If missing or empty, then an attempt will be made to retrieve a token from ~/.vault-token.

另请参阅：

See also:

Vault Agent authentication

Vault 从 0.11.0 版本开始使用 Vault Agent 提供了 Sidecar 实用程序。Vault Agent 通过其自动身份验证功能实现了 Spring Vault 的`SessionManager`功能。应用程序可以通过依赖于在 localhost 上运行的 Vault Agent 来重用缓存会话凭证。Spring Vault 可以在没有请求的`X-Vault-Token`标题的情况下发送请求。禁用 Spring Vault 的身份验证基础设施以禁用客户端身份验证和会话管理。

Vault ships a sidecar utility with Vault Agent since version 0.11.0. Vault Agent implements the functionality of Spring Vault’s SessionManager with its Auto-Auth feature. Applications can reuse cached session credentials by relying on Vault Agent running on localhost. Spring Vault can send requests without the X-Vault-Token header. Disable Spring Vault’s authentication infrastructure to disable client authentication and session management.

application.yml

spring.cloud.vault:
    authentication: NONE

authentication setting this value to NONE disables ClientAuthentication and SessionManager.

另请参见： Vault Documentation: Agent

AppId authentication

Vault 支持 AppId 身份验证，该身份验证由两个难以猜测的令牌组成。AppId 默认值为以静态方式配置的 spring.application.name。第二个令牌是 UserId，它是由应用程序确定的一部分，通常与运行时环境相关。IP 地址、Mac 地址或 Docker 容器名称是不错的示例。Spring Cloud Vault Config 支持 IP 地址、Mac 地址和静态 UserId（例如通过系统属性提供）。IP 和 Mac 地址表示为经过十六进制编码的 SHA256 哈希。

Vault supports AppId authentication that consists of two hard to guess tokens. The AppId defaults to spring.application.name that is statically configured. The second token is the UserId which is a part determined by the application, usually related to the runtime environment. IP address, Mac address or a Docker container name are good examples. Spring Cloud Vault Config supports IP address, Mac address and static UserId’s (e.g. supplied via System properties). The IP and Mac address are represented as Hex-encoded SHA256 hash.

基于 IP 地址的 UserId 使用本地主机的 IP 地址。

IP address-based UserId’s use the local host’s IP address.

application.yml using SHA256 IP-Address UserId’s

spring.cloud.vault:
    authentication: APPID
    app-id:
        user-id: IP_ADDRESS

authentication setting this value to APPID selects the AppId authentication method
app-id-path sets the path of the AppId mount to use
user-id sets the UserId method. Possible values are IP_ADDRESS, MAC_ADDRESS or a class name implementing a custom AppIdUserIdMechanism

从命令行生成 IP 地址 UserId 的相应命令为：

The corresponding command to generate the IP address UserId from a command line is:

$ echo -n 192.168.99.1 | sha256sum

包含 echo 的换行符会导致不同的哈希值，因此请确保包含 -n 标志。

Including the line break of echo leads to a different hash value so make sure to include the -n flag.

基于 Mac 地址的 UserId 从本地主机绑定的设备中获取其网络设备。配置还允许指定 network-interface 提示以选择正确的设备。network-interface 的值是可选的，并且可以是接口名称或接口索引（基于 0）。

Mac address-based UserId’s obtain their network device from the localhost-bound device. The configuration also allows specifying a network-interface hint to pick the right device. The value of network-interface is optional and can be either an interface name or interface index (0-based).

application.yml using SHA256 Mac-Address UserId’s

spring.cloud.vault:
    authentication: APPID
    app-id:
        user-id: MAC_ADDRESS
        network-interface: eth0

network-interface sets network interface to obtain the physical address

从命令行生成 IP 地址 UserId 的相应命令为：

The corresponding command to generate the IP address UserId from a command line is:

$ echo -n 0AFEDE1234AC | sha256sum

指定 Mac 地址时以大写字母指定且不带冒号。包含 echo 的换行符会导致不同的哈希值，因此请确保包含 -n 标志。

The Mac address is specified uppercase and without colons. Including the line break of echo leads to a different hash value so make sure to include the -n flag.

Custom UserId

UserId 生成是一种开放机制。您可以将`spring.cloud.vault.app-id.user-id` 设置为任意字符串，且配置的值将被用作静态 UserId。

The UserId generation is an open mechanism. You can set spring.cloud.vault.app-id.user-id to any string and the configured value will be used as static UserId.

更高级的方法允许您将 spring.cloud.vault.app-id.user-id 设置为类名。此类必须在您的类路径中，并且必须实现 org.springframework.cloud.vault.AppIdUserIdMechanism 接口和 createUserId 方法。Spring Cloud Vault 将通过每次使用 AppId 验证以获取 Token 时调用 createUserId 来获取 UserId。

A more advanced approach lets you set spring.cloud.vault.app-id.user-id to a classname. This class must be on your classpath and must implement the org.springframework.cloud.vault.AppIdUserIdMechanism interface and the createUserId method. Spring Cloud Vault will obtain the UserId by calling createUserId each time it authenticates using AppId to obtain a token.

application.yml

spring.cloud.vault:
    authentication: APPID
    app-id:
        user-id: com.examlple.MyUserIdMechanism

MyUserIdMechanism.java

public class MyUserIdMechanism implements AppIdUserIdMechanism {

  @Override
  public String createUserId() {
    String userId = ...
    return userId;
  }
}

另请参见： Vault Documentation: Using the App ID auth backend

AppRole authentication

AppRole 旨在用于机器身份验证，例如不再使用的 (自 Vault 0.6.1 起) AppId authentication。AppRole 身份验证由两个难以猜测的（秘密）令牌组成：RoleId 和 SecretId。

AppRole is intended for machine authentication, like the deprecated (since Vault 0.6.1) AppId authentication. AppRole authentication consists of two hard to guess (secret) tokens: RoleId and SecretId.

Spring Vault 支持各种 AppRole 场景（推送/拉取模式和包装）。

Spring Vault supports various AppRole scenarios (push/pull mode and wrapped).

配置必须提供 RoleId 和可选 SecretId，Spring Vault 不会查找这些内容或创建自定义 SecretId。

RoleId and optionally SecretId must be provided by configuration, Spring Vault will not look up these or create a custom SecretId.

application.yml with AppRole authentication properties

spring.cloud.vault:
    authentication: APPROLE
    app-role:
        role-id: bde2076b-cccb-3cf0-d57e-bca7b1e83a52

支持以下场景以及必需的配置详细信息：

The following scenarios are supported along the required configuration details:

Table 1. Configuration
Method	RoleId	SecretId	RoleName	Token
Provided RoleId/SecretId	Provided	Provided
Provided RoleId without SecretId	Provided
Provided RoleId, Pull SecretId	Provided		Provided	Provided
Pull RoleId, provided SecretId		Provided	Provided	Provided
Full Pull Mode			Provided	Provided
Wrapped				Provided
Wrapped RoleId, provided SecretId		Provided		Provided
Provided RoleId, wrapped SecretId	Provided			Provided

Table 2. Pull/Push/Wrapped Matrix
RoleId	SecretId	Supported
Provided	Provided	✅
Provided	Pull	✅
Provided	Wrapped	✅
Provided	Absent	✅
Pull	Provided	✅
Pull	Pull	✅
Pull	Wrapped	❌
Pull	Absent	❌
Wrapped	Provided	✅
Wrapped	Pull	❌
Wrapped	Wrapped	✅
Wrapped	Absent	❌

你可以通过在上下文中提供一个配置过的 AppRoleAuthentication bean 来仍然使用推/拉/封装模式的所有组合。Spring Cloud Vault 不能从配置属性中推导出所有可能的 AppRole 组合。

You can use still all combinations of push/pull/wrapped modes by providing a configured AppRoleAuthentication bean within the context. Spring Cloud Vault cannot derive all possible AppRole combinations from the configuration properties.

AppRole 验证仅限于使用响应式基础设施的简单拉取模式。尚未支持完全拉取模式。将 Spring Cloud Vault 和 Spring WebFlux 堆栈一起使用将启用 Vault 的响应式自动配置，可以通过设置 spring.cloud.vault.reactive.enabled=false 来禁用此功能。

AppRole authentication is limited to simple pull mode using reactive infrastructure. Full pull mode is not yet supported. Using Spring Cloud Vault with the Spring WebFlux stack enables Vault’s reactive auto-configuration which can be disabled by setting spring.cloud.vault.reactive.enabled=false.

application.yml with all AppRole authentication properties

spring.cloud.vault:
    authentication: APPROLE
    app-role:
        role-id: bde2076b-cccb-3cf0-d57e-bca7b1e83a52
        secret-id: 1696536f-1976-73b1-b241-0b4213908d39
        role: my-role
        app-role-path: approle

role-id sets the RoleId.
secret-id sets the SecretId. SecretId can be omitted if AppRole is configured without requiring SecretId (See bind_secret_id).
role: sets the AppRole name for pull mode.
app-role-path sets the path of the approle authentication mount to use.

另请参见： Vault Documentation: Using the AppRole auth backend

AWS-EC2 authentication

aws-ec2 身份验证后端为 AWS EC2 实例提供了一种安全的引入机制，允许自动检索 Vault 令牌。与大多数 Vault 身份验证后端不同，此后端不需要首先部署或配置安全敏感凭据（令牌、用户名/密码、客户端证书等）。相反，它将 AWS 视为受信任的第三方，并使用加密签名的动态元数据信息来唯一表示每个 EC2 实例。

The aws-ec2 auth backend provides a secure introduction mechanism for AWS EC2 instances, allowing automated retrieval of a Vault token. Unlike most Vault authentication backends, this backend does not require first-deploying, or provisioning security-sensitive credentials (tokens, username/password, client certificates, etc.). Instead, it treats AWS as a Trusted Third Party and uses the cryptographically signed dynamic metadata information that uniquely represents each EC2 instance.

application.yml using AWS-EC2 Authentication

spring.cloud.vault:
    authentication: AWS_EC2

AWS-EC2 身份验证默认启用随机数，以遵循首次使用信任 (TOFU) 原则。任何意外获得 PKCS#7 标识元数据访问权限的一方都可以针对 Vault 进行身份验证。

AWS-EC2 authentication enables nonce by default to follow the Trust On First Use (TOFU) principle. Any unintended party that gains access to the PKCS#7 identity metadata can authenticate against Vault.

在首次登录期间，Spring Cloud Vault 会生成一个随机数，该随机数与实例 ID 一起存储在身份验证后端中。重新验证需要发送相同的随机数。任何其他方都没有随机数，并且可以在 Vault 中发出警报以作进一步调查。

During the first login, Spring Cloud Vault generates a nonce that is stored in the auth backend aside the instance Id. Re-authentication requires the same nonce to be sent. Any other party does not have the nonce and can raise an alert in Vault for further investigation.

随机数保存在内存中，并且在应用程序重新启动期间丢失。您可以使用 spring.cloud.vault.aws-ec2.nonce 配置一个静态随机数。

The nonce is kept in memory and is lost during application restart. You can configure a static nonce with spring.cloud.vault.aws-ec2.nonce.

AWS-EC2 身份验证角色是可选的，且默认为 AMI。您可以通过设置`spring.cloud.vault.aws-ec2.role`属性来配置身份验证角色。

AWS-EC2 authentication roles are optional and default to the AMI. You can configure the authentication role by setting the spring.cloud.vault.aws-ec2.role property.

application.yml with configured role

spring.cloud.vault:
    authentication: AWS_EC2
    aws-ec2:
        role: application-server

application.yml with all AWS EC2 authentication properties

spring.cloud.vault:
    authentication: AWS_EC2
    aws-ec2:
        role: application-server
        aws-ec2-path: aws-ec2
        identity-document: http://...
        nonce: my-static-nonce

authentication setting this value to AWS_EC2 selects the AWS EC2 authentication method
role sets the name of the role against which the login is being attempted.
aws-ec2-path sets the path of the AWS EC2 mount to use
identity-document sets URL of the PKCS#7 AWS EC2 identity document
nonce used for AWS-EC2 authentication. An empty nonce defaults to nonce generation

另请参阅： Vault Documentation: Using the aws auth backend

AWS-IAM authentication

aws后端为 AWS IAM 角色提供一种安全的身份验证机制，允许基于运行应用程序的当前 IAM 角色与 Vault 进行自动身份验证。与大多数 Vault 身份验证后端不同，此后端不需要先部署或预配安全敏感凭据（令牌、用户名/密码、客户端证书等）。它将 AWS 视为受信任的第三方，并使用由调用者使用其 IAM 凭据签名的 4 条信息来验证该调用者确实正在使用该 IAM 角色。

The aws backend provides a secure authentication mechanism for AWS IAM roles, allowing the automatic authentication with vault based on the current IAM role of the running application. Unlike most Vault authentication backends, this backend does not require first-deploying, or provisioning security-sensitive credentials (tokens, username/password, client certificates, etc.). Instead, it treats AWS as a Trusted Third Party and uses the 4 pieces of information signed by the caller with their IAM credentials to verify that the caller is indeed using that IAM role.

应用程序正在运行的当前 IAM 角色会自动计算。如果您在 AWS ECS 上运行应用程序，那么应用程序将使用分配给正在运行的容器的 ECS 任务的 IAM 角色。如果您在 EC2 实例上单独运行应用程序，那么使用的 IAM 角色将是分配给 EC2 实例的角色。

The current IAM role the application is running in is automatically calculated. If you are running your application on AWS ECS then the application will use the IAM role assigned to the ECS task of the running container. If you are running your application naked on top of an EC2 instance then the IAM role used will be the one assigned to the EC2 instance.

使用 AWS-IAM 身份验证时，你必须在 Vault 中创建一个角色并将其分配给你的 IAM 角色。一个空 角色 默认会使用当前 IAM 角色友好名称。

When using the AWS-IAM authentication you must create a role in Vault and assign it to your IAM role. An empty role defaults to the friendly name the current IAM role.

application.yml with required AWS-IAM Authentication properties

spring.cloud.vault:
    authentication: AWS_IAM

application.yml with all AWS-IAM Authentication properties

spring.cloud.vault:
    authentication: AWS_IAM
    aws-iam:
        region: aws-global
        role: my-dev-role
        aws-path: aws
        server-name: some.server.name
        endpoint-uri: https://sts.eu-central-1.amazonaws.com

region sets the name of the AWS region. If not supplied, the region will be determined by AWS defaults.
role sets the name of the role against which the login is being attempted. This should be bound to your IAM role. If one is not supplied then the friendly name of the current IAM user will be used as the vault role.
aws-path sets the path of the AWS mount to use
server-name sets the value to use for the X-Vault-AWS-IAM-Server-ID header preventing certain types of replay attacks.
endpoint-uri sets the value to use for the AWS STS API used for the iam_request_url parameter.

AWS-IAM 需要 AWS Java SDK v2 依赖项 (software.amazon.awssdk:auth)，因为身份验证实现使用 AWS SDK 类型来进行凭据和请求签名的。

AWS-IAM requires the AWS Java SDK v2 dependency (software.amazon.awssdk:auth) as the authentication implementation uses AWS SDK types for credentials and request signing.

另请参阅： Vault Documentation: Using the aws auth backend

Azure MSI authentication

azure auth 后端为 Azure VM 实例提供安全引入机制，它允许自动检索 Vault 令牌。与大多数 Vault 身份验证后端不同，此后端不要求首先部署或提供安全敏感凭据（令牌、用户名/密码、客户端证书等）。相反，它将 Azure 视为第三方授权并使用可以绑定到 VM 实例的托管服务标识和实例元数据信息。

The azure auth backend provides a secure introduction mechanism for Azure VM instances, allowing automated retrieval of a Vault token. Unlike most Vault authentication backends, this backend does not require first-deploying, or provisioning security-sensitive credentials (tokens, username/password, client certificates, etc.). Instead, it treats Azure as a Trusted Third Party and uses the managed service identity and instance metadata information that can be bound to a VM instance.

application.yml with required Azure Authentication properties

spring.cloud.vault:
    authentication: AZURE_MSI
    azure-msi:
        role: my-dev-role

application.yml with all Azure Authentication properties

spring.cloud.vault:
    authentication: AZURE_MSI
    azure-msi:
        role: my-dev-role
        azure-path: azure
        metadata-service: http://169.254.169.254/metadata/instance…
        identity-token-service: http://169.254.169.254/metadata/identity…

role sets the name of the role against which the login is being attempted.
azure-path sets the path of the Azure mount to use
metadata-service sets the URI at which to access the instance metadata service
identity-token-service sets the URI at which to access the identity token service

Azure MSI 身份验证从实例元数据服务中获取有关虚拟机的环境详细信息（订阅 ID、资源组、VM 名称）。Vault 服务器的 Resource Id 默认为 https://vault.hashicorp.com。若要更改此设置，请相应设置 spring.cloud.vault.azure-msi.identity-token-service。

Azure MSI authentication obtains environmental details about the virtual machine (subscription Id, resource group, VM name) from the instance metadata service. The Vault server has Resource Id defaults to https://vault.hashicorp.com. To change this, set spring.cloud.vault.azure-msi.identity-token-service accordingly.

另请参阅：

See also:

TLS certificate authentication

cert auth 后端允许使用 SSL/TLS 客户端证书进行身份验证，这些证书可以由 CA 签名或自签名。

The cert auth backend allows authentication using SSL/TLS client certificates that are either signed by a CA or self-signed.

若要启用 cert 身份验证，你需要：

To enable cert authentication you need to:

Use SSL, see Vault Client SSL configuration
Configure a Java Keystore that contains the client certificate and the private key
Set the spring.cloud.vault.authentication to CERT

application.yml

spring.cloud.vault:
    authentication: CERT
    ssl:
        key-store: classpath:keystore.jks
        key-store-password: changeit
        key-store-type: JKS
        cert-auth-path: cert

另请参阅： Vault Documentation: Using the Cert auth backend

Cubbyhole authentication

Cubbyhole 身份验证使用 Vault 原语来提供安全的身份验证工作流。Cubbyhole 身份验证使用令牌作为主要登录方法。使用临时令牌从 Vault 的 Cubbyhole secret 后端获取第二个登录 Vault 令牌。登录令牌通常使用时间较长，用于与 Vault 进行交互。登录令牌将从存储在 /cubbyhole/response 中的包装响应中检索。

Cubbyhole authentication uses Vault primitives to provide a secured authentication workflow. Cubbyhole authentication uses tokens as primary login method. An ephemeral token is used to obtain a second, login VaultToken from Vault’s Cubbyhole secret backend. The login token is usually longer-lived and used to interact with Vault. The login token will be retrieved from a wrapped response stored at /cubbyhole/response.

创建包装令牌 *

Creating a wrapped token

令牌创建的响应封装要求 Vault 0.6.0 或更高版本。

Response Wrapping for token creation requires Vault 0.6.0 or higher.

Creating and storing tokens

$ vault token-create -wrap-ttl="10m"
Key                            Value
---                            -----
wrapping_token:                397ccb93-ff6c-b17b-9389-380b01ca2645
wrapping_token_ttl:            0h10m0s
wrapping_token_creation_time:  2016-09-18 20:29:48.652957077 +0200 CEST
wrapped_accessor:              46b6aebb-187f-932a-26d7-4f3d86a68319

application.yml

spring.cloud.vault:
    authentication: CUBBYHOLE
    token: 397ccb93-ff6c-b17b-9389-380b01ca2645

另请参阅：

See also:

GCP-GCE authentication

gcp身份验证后端允许使用现有的 GCP（Google Cloud Platform）IAM 和 GCE 凭证登录 Vault。

The gcp auth backend allows Vault login by using existing GCP (Google Cloud Platform) IAM and GCE credentials.

GCP GCE（Google Compute Engine）验证会创建 JSON Web 令牌 (JWT) 格式的签名以用于服务帐户。Compute Engine 实例的 JWT 可通过 Instance identification从 GCE 元数据服务获取。此 API 创建可以用于确认实例身份的 JSON Web 令牌。

GCP GCE (Google Compute Engine) authentication creates a signature in the form of a JSON Web Token (JWT) for a service account. A JWT for a Compute Engine instance is obtained from the GCE metadata service using Instance identification. This API creates a JSON Web Token that can be used to confirm the instance identity.

与大多数 Vault 身份验证后端不同，此后端不需要预先部署或设置安全敏感的凭据（令牌、用户名/密码、客户端证书等）。相反，它将 GCP 视为受信任的第三方，并使用加密签名的动态元数据信息，该信息唯一地表示每个 GCP 服务帐户。

Unlike most Vault authentication backends, this backend does not require first-deploying, or provisioning security-sensitive credentials (tokens, username/password, client certificates, etc.). Instead, it treats GCP as a Trusted Third Party and uses the cryptographically signed dynamic metadata information that uniquely represents each GCP service account.

application.yml with required GCP-GCE Authentication properties

spring.cloud.vault:
    authentication: GCP_GCE
    gcp-gce:
        role: my-dev-role

application.yml with all GCP-GCE Authentication properties

spring.cloud.vault:
    authentication: GCP_GCE
    gcp-gce:
        gcp-path: gcp
        role: my-dev-role
        service-account: my-service@projectid.iam.gserviceaccount.com

role sets the name of the role against which the login is being attempted.
gcp-path sets the path of the GCP mount to use
service-account allows overriding the service account Id to a specific value. Defaults to the default service account.

另请参阅：

See also:

GCP-IAM authentication

gcp身份验证后端允许使用现有的 GCP（Google Cloud Platform）IAM 和 GCE 凭证登录 Vault。

The gcp auth backend allows Vault login by using existing GCP (Google Cloud Platform) IAM and GCE credentials.

GCP IAM 身份验证会创建 JSON Web 令牌 (JWT) 格式的签名以用于服务帐户。通过调用 GCP IAM 的 projects.serviceAccounts.signJwtAPI，可获取服务帐户的 JWT。调用方通过 GCP IAM 进行身份验证，并以此证明其身份。此 Vault 后端将 GCP 视为受信任的第三方。

GCP IAM authentication creates a signature in the form of a JSON Web Token (JWT) for a service account. A JWT for a service account is obtained by calling GCP IAM’s projects.serviceAccounts.signJwt API. The caller authenticates against GCP IAM and proves thereby its identity. This Vault backend treats GCP as a Trusted Third Party.

IAM 凭证可以从运行时环境（特别是 GOOGLE_APPLICATION_CREDENTIALS环境变量）、Google Compute 元数据服务或外部提供（例如，JSON 或 base64 编码）获取。JSON 是首选形式，因为它携带了调用 `projects.serviceAccounts.signJwt`所需的项目 ID 和服务帐户标识符。

IAM credentials can be obtained from either the runtime environment , specifically the GOOGLE_APPLICATION_CREDENTIALS environment variable, the Google Compute metadata service, or supplied externally as e.g. JSON or base64 encoded. JSON is the preferred form as it carries the project id and service account identifier required for calling projects.serviceAccounts.signJwt.

application.yml with required GCP-IAM Authentication properties

spring.cloud.vault:
    authentication: GCP_IAM
    gcp-iam:
        role: my-dev-role

application.yml with all GCP-IAM Authentication properties

spring.cloud.vault:
    authentication: GCP_IAM
    gcp-iam:
        credentials:
            location: classpath:credentials.json
            encoded-key: e+KApn0=
        gcp-path: gcp
        jwt-validity: 15m
        project-id: my-project-id
        role: my-dev-role
        service-account-id: my-service@projectid.iam.gserviceaccount.com

role sets the name of the role against which the login is being attempted.
credentials.location path to the credentials resource that contains Google credentials in JSON format.
credentials.encoded-key the base64 encoded contents of an OAuth2 account private key in the JSON format.
gcp-path sets the path of the GCP mount to use
jwt-validity configures the JWT token validity. Defaults to 15 minutes.
project-id allows overriding the project Id to a specific value. Defaults to the project Id from the obtained credential.
service-account allows overriding the service account Id to a specific value. Defaults to the service account from the obtained credential.

GCP IAM 身份验证需要 Google Cloud Java SDK 依赖项 (com.google.apis:google-api-services-iam 和 com.google.auth:google-auth-library-oauth2-http)，因为身份验证实现使用 Google API 来进行凭据和 JWT 签名。

GCP IAM authentication requires the Google Cloud Java SDK dependency (com.google.apis:google-api-services-iam and com.google.auth:google-auth-library-oauth2-http) as the authentication implementation uses Google APIs for credentials and JWT signing.

Google 认证需要维护令牌生命周期的 OAuth 2 令牌。所有 API 同步，因此，GcpIamAuthentication 不支持 AuthenticationSteps，这是响应式用法所必需的。

Google credentials require an OAuth 2 token maintaining the token lifecycle. All API is synchronous therefore, GcpIamAuthentication does not support AuthenticationSteps which is required for reactive usage.

另请参阅：

See also:

Kubernetes authentication

Kubernetes 身份验证机制（从 Vault 0.8.3 起）允许使用 Kubernetes 服务帐户令牌向 Vault 进行身份验证。身份验证基于角色，该角色绑定到服务帐户名称和命名空间。

Kubernetes authentication mechanism (since Vault 0.8.3) allows to authenticate with Vault using a Kubernetes Service Account Token. The authentication is role based and the role is bound to a service account name and a namespace.

一个包含 pod 的服务帐户 JWT 令牌的文件会自动装载到 /var/run/secrets/kubernetes.io/serviceaccount/token。

A file containing a JWT token for a pod’s service account is automatically mounted at /var/run/secrets/kubernetes.io/serviceaccount/token.

application.yml with all Kubernetes authentication properties

spring.cloud.vault:
    authentication: KUBERNETES
    kubernetes:
        role: my-dev-role
        kubernetes-path: kubernetes
        service-account-token-file: /var/run/secrets/kubernetes.io/serviceaccount/token

role sets the Role.
kubernetes-path sets the path of the Kubernetes mount to use.
service-account-token-file sets the location of the file containing the Kubernetes Service Account Token. Defaults to /var/run/secrets/kubernetes.io/serviceaccount/token.

另请参阅：

See also:

Pivotal CloudFoundry authentication

pcf身份验证后端为运行在 Pivotal 的 CloudFoundry 实例内的应用程序提供了安全引入机制，允许自动检索 Vault 令牌。与大多数 Vault 身份验证后端不同，此后端不需要首先部署或提供对安全敏感的凭证（令牌、用户名/密码、客户端证书等），因为身份供应是由 PCF 本身处理的。相反，它将 PCF 视为受信任的第三方，并使用托管实例身份。

The pcf auth backend provides a secure introduction mechanism for applications running within Pivotal’s CloudFoundry instances allowing automated retrieval of a Vault token. Unlike most Vault authentication backends, this backend does not require first-deploying, or provisioning security-sensitive credentials (tokens, username/password, client certificates, etc.) as identity provisioning is handled by PCF itself. Instead, it treats PCF as a Trusted Third Party and uses the managed instance identity.

application.yml with required PCF Authentication properties

spring.cloud.vault:
    authentication: PCF
    pcf:
        role: my-dev-role

application.yml with all PCF Authentication properties

spring.cloud.vault:
    authentication: PCF
    pcf:
        role: my-dev-role
        pcf-path: path
        instance-certificate: /etc/cf-instance-credentials/instance.crt
        instance-key: /etc/cf-instance-credentials/instance.key

role sets the name of the role against which the login is being attempted.
pcf-path sets the path of the PCF mount to use.
instance-certificate sets the path to the PCF instance identity certificate. Defaults to ${CF_INSTANCE_CERT} env variable.
instance-key sets the path to the PCF instance identity key. Defaults to ${CF_INSTANCE_KEY} env variable.

PCF 身份验证需要 BouncyCastle (bcpkix-jdk15on) 位于类路径上，用于 RSA PSS 签名。

PCF authentication requires BouncyCastle (bcpkix-jdk15on) to be on the classpath for RSA PSS signing.

另请参阅： Vault Documentation: Using the pcf auth backend

ACL Requirements

此部分说明了 Spring Vault 访问的路径，以便你可以从所需的功能中推导出策略声明。

This section explains which paths are accessed by Spring Vault so you can derive your policy declarations from the required capabilities.

Capability Associated HTTP verbs

Capability	Associated HTTP verbs
create	`POST`/`PUT`
read	`GET`
update	`POST`/`PUT`
delete	`DELETE`
list	`LIST` (`GET`)

create

POST/PUT

read

GET

update

POST/PUT

delete

DELETE

list

LIST (GET)

另请参阅 [role="bare"][role="bare"]https://www.vaultproject.io/guides/identity/policies。

See also [role="bare"]https://www.vaultproject.io/guides/identity/policies.

Authentication

KeyValue Mount Discovery

GET sys/internal/ui/mounts/$mountPath

SecretLeaseContainer

SecretLeaseContainer 使用根据已配置租约端点而异的不同路径。

SecretLeaseContainer uses different paths depending on the configured lease endpoint.

LeaseEndpoints.Legacy

Revocation: PUT sys/revoke
Renewal: PUT sys/renew

LeaseEndpoints.Leases (SysLeases)

Revocation: PUT sys/leases/revoke
Renewal: PUT sys/leases/renew

Session Management

Token lookup: GET auth/token/lookup-self
Renewal: POST auth/token/renew-self
Revoke: POST auth/token/revoke-self