Secret Backends

  • AWS

  • Consul

  • RabbitMQ

  • Database

  • Multiple Databases

  • Secret Backend Implementations

  • PropertySource

  • VaultConfigurer :description: 此文档介绍了 Spring Cloud Vault 支持的多种方法,用于从各种后端秘密源获取秘密,包括:

    • 键值后端(版本化和非版本化)

    • Consul

    • RabbitMQ

    • AWS

    • 数据库后端(Cassandra、Couchbase、Elasticsearch、MongoDB、MySQL、PostgreSQL)

    • 发现的后端

    • 可自定义的后端(通过实施接口)

Key-Value Backend

Spring Cloud Vault 同时支持键值秘密后端,即版本化(v2)和非版本化(v1)。键值后端允许以键值存储的形式存储任意值。一个上下文可以存储一个或多个键值元组。上下文可以按层次组织。Spring Cloud Vault 本身确定秘密是否使用版本控制并将路径映射到其相应的 URL。Spring Cloud Vault 允许结合活动配置文件使用应用程序名称和默认上下文名称(application)。

Spring Cloud Vault supports both Key-Value secret backends, the versioned (v2) and unversioned (v1). The key-value backend allows storage of arbitrary values as key-value store. A single context can store one or many key-value tuples. Contexts can be organized hierarchically. Spring Cloud Vault determines itself whether a secret is using versioning and maps the path to its appropriate URL. Spring Cloud Vault allows using the Application name, and a default context name (application) in combination with active profiles.

/secret/{application}/{profile}
/secret/{application}
/secret/{default-context}/{profile}
/secret/{default-context}

应用程序名称由以下属性确定:

The application name is determined by the properties:

  • spring.cloud.vault.kv.application-name

  • spring.cloud.vault.application-name

  • spring.application.name

活动配置文件由以下属性确定:

The profiles are determined by the properties:

  • spring.cloud.vault.kv.profiles

  • spring.profiles.active

可以通过将秘密路径添加到应用程序名称(以逗号分隔)来从键值后端中的其他上下文中获取秘密。例如,给定应用程序名称 usefulapp,mysql1,projectx/aws,将使用如下每个文件夹:

Secrets can be obtained from other contexts within the key-value backend by adding their paths to the application name, separated by commas. For example, given the application name usefulapp,mysql1,projectx/aws, each of these folders will be used:

  • /secret/usefulapp

  • /secret/mysql1

  • /secret/projectx/aws

Spring Cloud Vault 将所有活动配置文件添加到可行上下文路径列表中。活动配置文件不会跳过访问具有配置文件名的上下文。

Spring Cloud Vault adds all active profiles to the list of possible context paths. No active profiles will skip accessing contexts with a profile name.

属性的显示方式与它们的存储方式相同(即没有其他前缀)。

Properties are exposed like they are stored (i.e. without additional prefixes).

Spring Cloud Vault 会在装载路径和实际上下文路径之间添加 data/ 上下文,具体取决于装载是否使用版本化键值后端。

Spring Cloud Vault adds the data/ context between the mount path and the actual context path depending on whether the mount uses the versioned key-value backend.

 
spring.cloud.vault:
    kv:
        enabled: true
        backend: secret
        profile-separator: '/'
        default-context: application
        application-name: my-app
        profiles: local, cloud

  • enabled setting this value to false disables the secret backend config usage

  • backend sets the path of the secret mount to use

  • default-context sets the context name used by all applications

  • application-name overrides the application name for use in the key-value backend

  • profiles overrides the active profiles for use in the key-value backend

  • profile-separator separates the profile name from the context in property sources with profiles

键值机密后端可在版本化 (v2) 和非版本化 (v1) 模式下运行。

The key-value secret backend can be operated in versioned (v2) and non-versioned (v1) modes.

另请参阅:

See also:

Consul

Spring Cloud Vault 可以获取 HashiCorp Consul 凭据。Consul 集成需要依赖项 spring-cloud-vault-config-consul

Spring Cloud Vault can obtain credentials for HashiCorp Consul. The Consul integration requires the spring-cloud-vault-config-consul dependency.

pom.xml
<dependencies>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-vault-config-consul</artifactId>
        <version>{project-version}</version>
    </dependency>
</dependencies>

可以通过设置 spring.cloud.vault.consul.enabled=true(默认为 false)并使用 spring.cloud.vault.consul.role=… 提供角色名称来启用集成。

The integration can be enabled by setting spring.cloud.vault.consul.enabled=true (default false) and providing the role name with spring.cloud.vault.consul.role=….

获取的令牌存储在 spring.cloud.consul.token 中,因此,使用 Spring Cloud Consul 无需进一步配置即可获取生成的凭据。可以通过设置 spring.cloud.vault.consul.token-property 来配置属性名称。

The obtained token is stored in spring.cloud.consul.token so using Spring Cloud Consul can pick up the generated credentials without further configuration. You can configure the property name by setting spring.cloud.vault.consul.token-property.

spring.cloud.vault:
    consul:
        enabled: true
        role: readonly
        backend: consul
        token-property: spring.cloud.consul.token

  • enabled setting this value to true enables the Consul backend config usage

  • role sets the role name of the Consul role definition

  • backend sets the path of the Consul mount to use

  • token-property sets the property name in which the Consul ACL token is stored

另请参阅: Vault Documentation: Setting up Consul with Vault

See also: Vault Documentation: Setting up Consul with Vault

RabbitMQ

Spring Cloud Vault 可以获取 RabbitMQ 凭据。

Spring Cloud Vault can obtain credentials for RabbitMQ.

RabbitMQ 集成需要依赖项 spring-cloud-vault-config-rabbitmq

The RabbitMQ integration requires the spring-cloud-vault-config-rabbitmq dependency.

pom.xml
<dependencies>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-vault-config-rabbitmq</artifactId>
        <version>{project-version}</version>
    </dependency>
</dependencies>

可以通过设置 spring.cloud.vault.rabbitmq.enabled=true(默认为 false)并使用 spring.cloud.vault.rabbitmq.role=… 提供角色名称来启用集成。

The integration can be enabled by setting spring.cloud.vault.rabbitmq.enabled=true (default false) and providing the role name with spring.cloud.vault.rabbitmq.role=….

用户名和密码存储在 spring.rabbitmq.usernamespring.rabbitmq.password 中,因此使用 Spring Boot 无需进一步配置即可获取生成的凭证。你可以通过设置 spring.cloud.vault.rabbitmq.username-propertyspring.cloud.vault.rabbitmq.password-property 来配置属性名称。

Username and password are stored in spring.rabbitmq.username and spring.rabbitmq.password so using Spring Boot will pick up the generated credentials without further configuration. You can configure the property names by setting spring.cloud.vault.rabbitmq.username-property and spring.cloud.vault.rabbitmq.password-property.

spring.cloud.vault:
    rabbitmq:
        enabled: true
        role: readonly
        backend: rabbitmq
        username-property: spring.rabbitmq.username
        password-property: spring.rabbitmq.password

  • enabled setting this value to true enables the RabbitMQ backend config usage

  • role sets the role name of the RabbitMQ role definition

  • backend sets the path of the RabbitMQ mount to use

  • username-property sets the property name in which the RabbitMQ username is stored

  • password-property sets the property name in which the RabbitMQ password is stored

另请参阅: Vault Documentation: Setting up RabbitMQ with Vault

See also: Vault Documentation: Setting up RabbitMQ with Vault

AWS

Spring Cloud Vault 可以获取 AWS 凭证。

Spring Cloud Vault can obtain credentials for AWS.

AWS 集成需要 spring-cloud-vault-config-aws 依赖项。

The AWS integration requires the spring-cloud-vault-config-aws dependency.

pom.xml
<dependencies>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-vault-config-aws</artifactId>
        <version>{project-version}</version>
    </dependency>
</dependencies>

可以通过设置 spring.cloud.vault.aws=true(默认 false)并通过 spring.cloud.vault.aws.role=… 提供角色名称来启用该集成。

The integration can be enabled by setting spring.cloud.vault.aws=true (default false) and providing the role name with spring.cloud.vault.aws.role=….

受支持的 AWS 凭证类型:

Supported AWS credential Types:

  • iam_user (Defaults)

  • assumed_role (STS)

  • federation_token (STS)

访问密钥和秘密密钥存储在 cloud.aws.credentials.accessKeycloud.aws.credentials.secretKey 中。因此,使用 Spring Cloud AWS 无需进一步配置即可获取生成的凭证。

The access key and secret key are stored in cloud.aws.credentials.accessKey and cloud.aws.credentials.secretKey. So using Spring Cloud AWS will pick up the generated credentials without further configuration.

你可以通过设置 spring.cloud.vault.aws.access-key-propertyspring.cloud.vault.aws.secret-key-property 来配置属性名称。

You can configure the property names by setting spring.cloud.vault.aws.access-key-property and spring.cloud.vault.aws.secret-key-property.

对于 STS 安全令牌,你可以通过设置 spring.cloud.vault.aws.session-token-key-property 来配置属性名称。安全令牌存储在 cloud.aws.credentials.sessionToken(默认)下。

For STS security token, you can configure the property name by setting spring.cloud.vault.aws.session-token-key-property. The security token is stored under cloud.aws.credentials.sessionToken (defaults).

示例:iam_user

Example: iam_user

spring.cloud.vault:
    aws:
        enabled: true
        role: readonly
        backend: aws
        access-key-property: cloud.aws.credentials.accessKey
        secret-key-property: cloud.aws.credentials.secretKey

示例:assumed_role(STS)

Example: assumed_role (STS)

spring.cloud.vault:
    aws:
        enabled: true
        role: sts-vault-role
        backend: aws
        credential-type: assumed_role
        access-key-property: cloud.aws.credentials.accessKey
        secret-key-property: cloud.aws.credentials.secretKey
        session-token-key-property: cloud.aws.credentials.sessionToken
        ttl: 3600s
        role-arn: arn:aws:iam::${AWS_ACCOUNT}:role/sts-app-role

  • enabled setting this value to true enables the AWS backend config usage

  • role sets the role name of the AWS role definition

  • backend sets the path of the AWS mount to use

  • access-key-property sets the property name in which the AWS access key is stored

  • secret-key-property sets the property name in which the AWS secret key is stored

  • session-token-key-property sets the property name in which the AWS STS security token is stored.

  • credential-type sets the aws credential type to use for this backend. Defaults to iam_user

  • ttl sets the ttl for the STS token when using assumed_role or federation_token. Defaults to the ttl specified by the vault role. Min/Max values are also limited to what AWS would support for STS.

  • role-arn sets the IAM role to assume if more than one are configured for the vault role when using assumed_role.

另请参阅: Vault Documentation: Setting up AWS with Vault

See also: Vault Documentation: Setting up AWS with Vault

Database backends

Vault 支持多个数据库秘密后端,以便根据已配置的角色动态生成数据库凭证。这意味着不再需要访问数据库的服务配置凭证:它们可以从 Vault 请求凭证,并使用 Vault 的租赁机制更轻松地滚动密钥。

Vault supports several database secret backends to generate database credentials dynamically based on configured roles. This means services that need to access a database no longer need to configure credentials: they can request them from Vault, and use Vault’s leasing mechanism to more easily roll keys.

Spring Cloud Vault 与这些后端集成:

Spring Cloud Vault integrates with these backends:

使用数据库秘密后端需要在配置和 spring-cloud-vault-config-databases 依赖项中启用该后端。

Using a database secret backend requires to enable the backend in the configuration and the spring-cloud-vault-config-databases dependency.

Vault 自 0.7.1 开始提供了一个专用的 database 秘密后端,该后端允许通过插件进行数据库集成。你可以使用通用数据库后端来使用该特定后端。确保指定适当的后端路径,例如 spring.cloud.vault.mysql.role.backend=database

Vault ships since 0.7.1 with a dedicated database secret backend that allows database integration via plugins. You can use that specific backend by using the generic database backend. Make sure to specify the appropriate backend path, e.g. spring.cloud.vault.mysql.role.backend=database.

pom.xml
<dependencies>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-vault-config-databases</artifactId>
        <version>{project-version}</version>
    </dependency>
</dependencies>

启用多个 JDBC 兼容数据库会生成凭证并将其存储在默认情况下相同的属性键中,因此 JDBC 机密需要分别配置属性名称。

Enabling multiple JDBC-compliant databases will generate credentials and store them by default in the same property keys hence property names for JDBC secrets need to be configured separately.

Database

Spring Cloud Vault 可以获取 [role="bare"][role="bare"]https://www.vaultproject.io/api/secret/databases/index.html中列出的任何数据库的凭证。可以通过设置 spring.cloud.vault.database.enabled=true`启用集成(默认为 `false),并使用 `spring.cloud.vault.database.role=…`提供角色名称。

Spring Cloud Vault can obtain credentials for any database listed at [role="bare"]https://www.vaultproject.io/api/secret/databases/index.html. The integration can be enabled by setting spring.cloud.vault.database.enabled=true (default false) and providing the role name with spring.cloud.vault.database.role=….

虽然数据库后端是一个通用后端,但 spring.cloud.vault.database 特别针对 JDBC 数据库。用户名和密码可通过 spring.datasource.usernamespring.datasource.password 属性获取,因此无需进一步配置,使用 Spring Boot 即可获取为 DataSource 生成的凭证。你可以通过设置 spring.cloud.vault.database.username-propertyspring.cloud.vault.database.password-property 来配置属性名称。

While the database backend is a generic one, spring.cloud.vault.database specifically targets JDBC databases. Username and password are available from spring.datasource.username and spring.datasource.password properties so using Spring Boot will pick up the generated credentials for your DataSource without further configuration. You can configure the property names by setting spring.cloud.vault.database.username-property and spring.cloud.vault.database.password-property.

spring.cloud.vault:
    database:
        enabled: true
        role: readonly
        backend: database
        username-property: spring.datasource.username
        password-property: spring.datasource.password

Multiple Databases

有时,单个数据库的凭证还不够,因为应用程序可能连接到两个或更多同类数据库。从版本 3.0.5 开始,Spring Vault 支持在 spring.cloud.vault.databases.* 命名空间下配置多个数据库秘密后端。

Sometimes, credentials for a single database isn’t sufficient because an application might connect to two or more databases of the same kind. Beginning with version 3.0.5, Spring Vault supports the configuration of multiple database secret backends under the spring.cloud.vault.databases.* namespace.

该配置接受多个数据库后端,以便将凭证具体化到指定的属性中。确保适当地配置 username-propertypassword-property

The configuration accepts multiple database backends to materialize credentials into the specified properties. Make sure to configure username-property and password-property appropriately.

spring.cloud.vault:
    databases:
        primary:
            enabled: true
            role: readwrite
            backend: database
            username-property: spring.primary-datasource.username
            password-property: spring.primary-datasource.password
        other-database:
            enabled: true
            role: readonly
            backend: database
            username-property: spring.secondary-datasource.username
            password-property: spring.secondary-datasource.password

  • <name> descriptive name of the database configuration.

  • <name>.enabled setting this value to true enables the Database backend config usage

  • <name>.role sets the role name of the Database role definition

  • <name>.backend sets the path of the Database mount to use

  • <name>.username-property sets the property name in which the Database username is stored. Make sure to use unique property names to avoid property shadowing.

  • <name>.password-property sets the property name in which the Database password is stored Make sure to use unique property names to avoid property shadowing.

另请参阅: Vault Documentation: Database Secrets backend

See also: Vault Documentation: Database Secrets backend

当达到最长租期时,Spring Cloud Vault 不支持获取新凭证并用它们配置您的 DataSource。也就是说,如果 Vault 中数据库角色的 max_ttl 设置为 24h,这意味着您的应用程序启动 24 小时后将无法再使用数据库进行身份验证。

Spring Cloud Vault does not support getting new credentials and configuring your DataSource with them when the maximum lease time has been reached. That is, if max_ttl of the Database role in Vault is set to 24h that means that 24 hours after your application has started it can no longer authenticate with the database.

Apache Cassandra

cassandra 后端已在 Vault 0.7.1 中弃用,建议使用 database 后端并将其装载为 cassandra

The cassandra backend has been deprecated in Vault 0.7.1 and it is recommended to use the database backend and mount it as cassandra.

Spring Cloud Vault 可以获取 Apache Cassandra 的凭据。可以通过设置`spring.cloud.vault.cassandra.enabled=true`(默认值为 false)并使用 spring.cloud.vault.cassandra.role=… 提供角色名来启用集成。

Spring Cloud Vault can obtain credentials for Apache Cassandra. The integration can be enabled by setting spring.cloud.vault.cassandra.enabled=true (default false) and providing the role name with spring.cloud.vault.cassandra.role=….

用户名和密码可以从 spring.data.cassandra.usernamespring.data.cassandra.password 属性中获得,因此使用 Spring Boot 可以在不进行进一步配置的情况下获取生成的凭据。可以通过设置 spring.cloud.vault.cassandra.username-propertyspring.cloud.vault.cassandra.password-property 来配置属性名称。

Username and password are available from spring.data.cassandra.username and spring.data.cassandra.password properties so using Spring Boot will pick up the generated credentials without further configuration. You can configure the property names by setting spring.cloud.vault.cassandra.username-property and spring.cloud.vault.cassandra.password-property.

spring.cloud.vault:
    cassandra:
        enabled: true
        role: readonly
        backend: cassandra
        username-property: spring.data.cassandra.username
        password-property: spring.data.cassandra.password

  • enabled setting this value to true enables the Cassandra backend config usage

  • role sets the role name of the Cassandra role definition

  • backend sets the path of the Cassandra mount to use

  • username-property sets the property name in which the Cassandra username is stored

  • password-property sets the property name in which the Cassandra password is stored

另请参阅: Vault Documentation: Setting up Apache Cassandra with Vault

See also: Vault Documentation: Setting up Apache Cassandra with Vault

Couchbase Database

Spring Cloud Vault 可以获取 Couchbase 的凭据。可以通过设置`spring.cloud.vault.couchbase.enabled=true`(默认值为 false)并使用 spring.cloud.vault.couchbase.role=… 提供角色名来启用集成。

Spring Cloud Vault can obtain credentials for Couchbase. The integration can be enabled by setting spring.cloud.vault.couchbase.enabled=true (default false) and providing the role name with spring.cloud.vault.couchbase.role=….

用户名和密码可以从 spring.couchbase.usernamespring.couchbase.password 属性中获得,因此使用 Spring Boot 可以在不进行进一步配置的情况下获取生成的凭据。可以通过设置 spring.cloud.vault.couchbase.username-propertyspring.cloud.vault.couchbase.password-property 来配置属性名称。

Username and password are available from spring.couchbase.username and spring.couchbase.password properties so using Spring Boot will pick up the generated credentials without further configuration. You can configure the property names by setting spring.cloud.vault.couchbase.username-property and spring.cloud.vault.couchbase.password-property.

spring.cloud.vault:
    couchbase:
        enabled: true
        role: readonly
        backend: database
        username-property: spring.couchbase.username
        password-property: spring.couchbase.password

  • enabled setting this value to true enables the Couchbase backend config usage

  • role sets the role name of the Couchbase role definition

  • backend sets the path of the Couchbase mount to use

  • username-property sets the property name in which the Couchbase username is stored

  • password-property sets the property name in which the Couchbase password is stored

另请参阅: Couchbase Database Plugin Documentation

See also: Couchbase Database Plugin Documentation

Elasticsearch

Spring Cloud Vault 可以从版本 3.0 获取 Elasticsearch 的凭据。可以通过设置 spring.cloud.vault.elasticsearch.enabled=true(默认值为 false)并使用 spring.cloud.vault.elasticsearch.role=… 提供角色名来启用集成。

Spring Cloud Vault can obtain since version 3.0 credentials for Elasticsearch. The integration can be enabled by setting spring.cloud.vault.elasticsearch.enabled=true (default false) and providing the role name with spring.cloud.vault.elasticsearch.role=….

用户名和密码可以从 spring.elasticsearch.rest.usernamespring.elasticsearch.rest.password 属性中获得,因此使用 Spring Boot 可以在不进行进一步配置的情况下获取生成的凭据。可以通过设置 spring.cloud.vault.elasticsearch.username-propertyspring.cloud.vault.elasticsearch.password-property 来配置属性名称。

Username and password are available from spring.elasticsearch.rest.username and spring.elasticsearch.rest.password properties so using Spring Boot will pick up the generated credentials without further configuration. You can configure the property names by setting spring.cloud.vault.elasticsearch.username-property and spring.cloud.vault.elasticsearch.password-property.

spring.cloud.vault:
    elasticsearch:
        enabled: true
        role: readonly
        backend: mongodb
        username-property: spring.elasticsearch.rest.username
        password-property: spring.elasticsearch.rest.password

  • enabled setting this value to true enables the Elasticsearch database backend config usage

  • role sets the role name of the Elasticsearch role definition

  • backend sets the path of the Elasticsearch mount to use

  • username-property sets the property name in which the Elasticsearch username is stored

  • password-property sets the property name in which the Elasticsearch password is stored

另请参阅: Vault Documentation: Setting up Elasticsearch with Vault

See also: Vault Documentation: Setting up Elasticsearch with Vault

MongoDB

mongodb 后端已在 Vault 0.7.1 中弃用,建议使用 database 后端并将其装载为 mongodb

The mongodb backend has been deprecated in Vault 0.7.1 and it is recommended to use the database backend and mount it as mongodb.

Spring Cloud Vault 可以获取 MongoDB 的凭据。可以通过设置`spring.cloud.vault.mongodb.enabled=true`(默认值为 false)并使用 spring.cloud.vault.mongodb.role=… 提供角色名来启用集成。

Spring Cloud Vault can obtain credentials for MongoDB. The integration can be enabled by setting spring.cloud.vault.mongodb.enabled=true (default false) and providing the role name with spring.cloud.vault.mongodb.role=….

用户名和密码存储在 spring.data.mongodb.usernamespring.data.mongodb.password 中,因此使用 Spring Boot 可以在不进行进一步配置的情况下获取生成的凭据。可以通过设置 spring.cloud.vault.mongodb.username-propertyspring.cloud.vault.mongodb.password-property 来配置属性名称。

Username and password are stored in spring.data.mongodb.username and spring.data.mongodb.password so using Spring Boot will pick up the generated credentials without further configuration. You can configure the property names by setting spring.cloud.vault.mongodb.username-property and spring.cloud.vault.mongodb.password-property.

spring.cloud.vault:
    mongodb:
        enabled: true
        role: readonly
        backend: mongodb
        username-property: spring.data.mongodb.username
        password-property: spring.data.mongodb.password

  • enabled setting this value to true enables the MongodB backend config usage

  • role sets the role name of the MongoDB role definition

  • backend sets the path of the MongoDB mount to use

  • username-property sets the property name in which the MongoDB username is stored

  • password-property sets the property name in which the MongoDB password is stored

另请参阅: Vault Documentation: Setting up MongoDB with Vault

See also: Vault Documentation: Setting up MongoDB with Vault

MySQL

mysql 后端已在 Vault 0.7.1 中弃用,建议使用 database 后端并将其装载为 mysql。对 spring.cloud.vault.mysql 的配置将在未来版本中删除。

The mysql backend has been deprecated in Vault 0.7.1 and it is recommended to use the database backend and mount it as mysql. Configuration for spring.cloud.vault.mysql will be removed in a future version.

Spring Cloud Vault 可以获取 MySQL 的凭据。可以通过设置`spring.cloud.vault.mysql.enabled=true`(默认值为 false)并使用 spring.cloud.vault.mysql.role=… 提供角色名来启用集成。

Spring Cloud Vault can obtain credentials for MySQL. The integration can be enabled by setting spring.cloud.vault.mysql.enabled=true (default false) and providing the role name with spring.cloud.vault.mysql.role=….

用户名和密码可以从 spring.datasource.usernamespring.datasource.password 属性中获得,因此使用 Spring Boot 可以在不进行进一步配置的情况下获取生成的凭据。可以通过设置`spring.cloud.vault.mysql.username-property` 和 spring.cloud.vault.mysql.password-property 来配置属性名称。

Username and password are available from spring.datasource.username and spring.datasource.password properties so using Spring Boot will pick up the generated credentials without further configuration. You can configure the property names by setting spring.cloud.vault.mysql.username-property and spring.cloud.vault.mysql.password-property.

spring.cloud.vault:
    mysql:
        enabled: true
        role: readonly
        backend: mysql
        username-property: spring.datasource.username
        password-property: spring.datasource.password

  • enabled setting this value to true enables the MySQL backend config usage

  • role sets the role name of the MySQL role definition

  • backend sets the path of the MySQL mount to use

  • username-property sets the property name in which the MySQL username is stored

  • password-property sets the property name in which the MySQL password is stored

另请参阅: Vault Documentation: Setting up MySQL with Vault

See also: Vault Documentation: Setting up MySQL with Vault

PostgreSQL

postgresql 后端已在 Vault 0.7.1 中弃用,建议使用 database 后端并将其装载为 postgresql。对 spring.cloud.vault.postgresql 的配置将在未来版本中删除。

The postgresql backend has been deprecated in Vault 0.7.1 and it is recommended to use the database backend and mount it as postgresql. Configuration for spring.cloud.vault.postgresql will be removed in a future version.

Spring Cloud Vault 可以获取 PostgreSQL 的凭据。可以通过设置 spring.cloud.vault.postgresql.enabled=true(默认值为 false)并使用 spring.cloud.vault.postgresql.role=… 提供角色名来启用集成。

Spring Cloud Vault can obtain credentials for PostgreSQL. The integration can be enabled by setting spring.cloud.vault.postgresql.enabled=true (default false) and providing the role name with spring.cloud.vault.postgresql.role=….

用户名和密码可以从 spring.datasource.usernamespring.datasource.password 属性中获得,因此使用 Spring Boot 可以在不进行进一步配置的情况下获取生成的凭据。可以通过设置 spring.cloud.vault.postgresql.username-propertyspring.cloud.vault.postgresql.password-property 来配置属性名称。

Username and password are available from spring.datasource.username and spring.datasource.password properties so using Spring Boot will pick up the generated credentials without further configuration. You can configure the property names by setting spring.cloud.vault.postgresql.username-property and spring.cloud.vault.postgresql.password-property.

spring.cloud.vault:
    postgresql:
        enabled: true
        role: readonly
        backend: postgresql
        username-property: spring.datasource.username
        password-property: spring.datasource.password

  • enabled setting this value to true enables the PostgreSQL backend config usage

  • role sets the role name of the PostgreSQL role definition

  • backend sets the path of the PostgreSQL mount to use

  • username-property sets the property name in which the PostgreSQL username is stored

  • password-property sets the property name in which the PostgreSQL password is stored

另请参阅: Vault Documentation: Setting up PostgreSQL with Vault

See also: Vault Documentation: Setting up PostgreSQL with Vault

Customize which secret backends to expose as PropertySource

Spring Cloud Vault 使用基于属性的配置为键值和已发现 secret 后端创建 PropertySource

Spring Cloud Vault uses property-based configuration to create `PropertySource`s for key-value and discovered secret backends.

发现的后端提供 VaultSecretBackendDescriptor bean,以描述配置状态,以便将秘密后端用作 PropertySource。需要 SecretBackendMetadataFactory 来创建一个 SecretBackendMetadata 对象,其中包含路径、名称和属性转换配置。

Discovered backends provide VaultSecretBackendDescriptor beans to describe the configuration state to use secret backend as PropertySource. A SecretBackendMetadataFactory is required to create a SecretBackendMetadata object which contains path, name and property transformation configuration.

SecretBackendMetadata 用于支持一个特定的 PropertySource

SecretBackendMetadata is used to back a particular PropertySource.

你可以注册一个 VaultConfigurer 以进行自定义。如果你提供了 VaultConfigurer,则禁用默认键值和发现后端的注册。但是,你可以使用 SecretBackendConfigurer.registerDefaultKeyValueSecretBackends()SecretBackendConfigurer.registerDefaultDiscoveredSecretBackends() 启用默认注册。

You can register a VaultConfigurer for customization. Default key-value and discovered backend registration is disabled if you provide a VaultConfigurer. You can however enable default registration with SecretBackendConfigurer.registerDefaultKeyValueSecretBackends() and SecretBackendConfigurer.registerDefaultDiscoveredSecretBackends().

public class CustomizationBean implements VaultConfigurer {

    @Override
    public void addSecretBackends(SecretBackendConfigurer configurer) {

        configurer.add("secret/my-application");

        configurer.registerDefaultKeyValueSecretBackends(false);
        configurer.registerDefaultDiscoveredSecretBackends(true);
    }
}
SpringApplication application = new SpringApplication(MyApplication.class);
application.addBootstrapper(VaultBootstrapper.fromConfigurer(new CustomizationBean()));

Custom Secret Backend Implementations

Spring Cloud Vault 适用于最常见的后端集成,随附秘密后端支持。你可以通过提供一种实现来描述如何从你想要使用的后端获取数据以及如何通过提供 PropertyTransformer 展示该后端提供的数据,与任何种类的后端集成。

Spring Cloud Vault ships with secret backend support for the most common backend integrations. You can integrate with any kind of backend by providing an implementation that describes how to obtain data from the backend you want to use and how to surface data provided by that backend by providing a PropertyTransformer.

为后端添加自定义实现需要实现以下两个接口:

Adding a custom implementation for a backend requires implementation of two interfaces:

  • org.springframework.cloud.vault.config.VaultSecretBackendDescriptor

  • org.springframework.cloud.vault.config.SecretBackendMetadataFactory

VaultSecretBackendDescriptor 通常是一个保存配置数据的对象,例如 VaultDatabaseProperties。Spring Cloud Vault 需要你的类型用 @ConfigurationProperties 注释,以便从配置中具体化类。

VaultSecretBackendDescriptor is typically an object that holds configuration data, such as VaultDatabaseProperties. Spring Cloud Vault requires that your type is annotated with @ConfigurationProperties to materialize the class from the configuration.

SecretBackendMetadataFactory 接受 VaultSecretBackendDescriptor 来创建实际的 SecretBackendMetadata 对象,此对象保存了 Vault 服务器中的上下文路径、解析参数化上下文路径时需要的任何路径变量和 PropertyTransformer

SecretBackendMetadataFactory accepts VaultSecretBackendDescriptor to create the actual SecretBackendMetadata object which holds the context path within your Vault server, any path variables required to resolve parametrized context paths and PropertyTransformer.

VaultSecretBackendDescriptorSecretBackendMetadataFactory 类型都必须在 spring.factories 中注册,spring.factories 是 Spring 提供的一个扩展机制,类似于 Java 的 ServiceLoader。

Both, VaultSecretBackendDescriptor and SecretBackendMetadataFactory types must be registered in spring.factories which is an extension mechanism provided by Spring, similar to Java’s ServiceLoader.