
Spring Vault GA 1.0 Released


Pivotal has announced the general availability of Spring Vault 1.0. It is a Java library which offers client-side abstractions around Hashicorp Vault, a secret management tool. Following typical Spring idioms, it allows Vault to be more easily integrated into Spring or Java applications. Some familiar patterns include templating, property sources, and more.

Hashicorp Vault is a tool which provides developers with a secure means of accessing and storing secrets such as API tokens, SSL certificates and passwords. It also handles access control for users, with the ability to revoke and roll tokens. On top of this, there is also auditing functionality which allows tracking of users.

Java developers who want to adopt Vault would typically be presented with a choice of the CLI or the API. Thus, when calling Vault from the JVM it's likely that developers would choose the API and implement their own client library. Spring Vault removes the need for developers to do this themselves, by providing one as an open source project. It is also backed by a commercial enterprise, Pivotal.

Although not dependent on Spring itself, the library follows Spring's high-level design principles and abstractions, with the same aim of reducing boilerplate code for the developer. This means the framework should be particularly straightforward for Spring developers to adopt, as well as for the typical Java developer.

In order to interact with Vault, Spring Vault makes use of the central class VaultTemplate. Mirroring the Vault CLI and API, it offers familiar operations such as "write", "read", "delete" and "revoke":

// Secret is an application-defined POJO; VaultTemplate serialises it to JSON
Secret toWrite = new Secret("foo");
vaultTemplate.write("mysecret/myapp", toWrite);

// read() deserialises the stored JSON back into Secret (returns null if the path is empty)
VaultResponseSupport<Secret> toRead = vaultTemplate.read("mysecret/myapp", Secret.class);
vaultTemplate.delete("mysecret/myapp");

The @VaultPropertySource annotation provides a declarative mechanism that lets Spring Vault implicitly map secrets to Java objects:

@VaultPropertySource(value = "foo/creds", propertyNamePrefix = "foo")
public class SomeConfig {
  // ...
}

public class MyProperties {
  @Value("${foo.username}")
  private String awsAccessKey;

  @Value("${foo.password}")
  private String awsSecretKey;

  // ...
}

The library also supports multiple authentication mechanisms: AppId, AppRole, AWS EC2, TLS Certificates, and Cubbyhole. Because each is provided as an implementation of ClientAuthentication, a Java developer gets ready-made scaffolding for setting up the initial login.

The need to manage sessions is also handled by the framework through a SessionManager class. This means tasks such as renewing tokens and revoking them on disposal are automated rather than being done explicitly in application code, again removing some development overhead.
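The following added example (not code from the article or the Spring Vault project) shows how the pieces above fit together: a configuration that wires VaultTemplate with AppRole authentication, which also gives the application the session manager that renews and revokes the login token, and a small consumer that reads a typed secret. The host name, environment variable names, secret path and the DbCredentials class are assumptions for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.vault.authentication.AppRoleAuthentication;
import org.springframework.vault.authentication.AppRoleAuthenticationOptions;
import org.springframework.vault.authentication.ClientAuthentication;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.config.AbstractVaultConfiguration;
import org.springframework.vault.core.VaultTemplate;
import org.springframework.vault.support.VaultResponseSupport;

// Hypothetical configuration. AbstractVaultConfiguration builds the VaultTemplate
// bean and a SessionManager that renews/revokes the token obtained by AppRole login.
@Configuration
public class VaultConfig extends AbstractVaultConfiguration {

    @Override
    public VaultEndpoint vaultEndpoint() {
        // Assumed host; VaultEndpoint uses https by default, keep it that way.
        return VaultEndpoint.create("vault.internal.example", 8200);
    }

    @Override
    public ClientAuthentication clientAuthentication() {
        // Role/secret IDs are read from the environment (variable names assumed)
        // so that no long-lived Vault credential lands in source or config files.
        AppRoleAuthenticationOptions options = AppRoleAuthenticationOptions.builder()
                .roleId(System.getenv("VAULT_ROLE_ID"))
                .secretId(System.getenv("VAULT_SECRET_ID"))
                .build();
        return new AppRoleAuthentication(options, restOperations());
    }
}

// Hypothetical typed secret; field names match the JSON keys stored at the path.
class DbCredentials {
    private String username;
    private String password;
    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}

// Consumer of the VaultTemplate bean created by VaultConfig (assumed secret path).
class CredentialStore {
    private final VaultTemplate vaultTemplate;
    CredentialStore(VaultTemplate vaultTemplate) { this.vaultTemplate = vaultTemplate; }

    DbCredentials load() {
        VaultResponseSupport<DbCredentials> response =
                vaultTemplate.read("secret/myapp/db", DbCredentials.class);
        // read() returns null when nothing is stored at the path; fail loudly
        if (response == null) throw new IllegalStateException("no secret at secret/myapp/db");
        return response.getData();
    }
}
```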

Additional details can be found in the official documentation, with the library being available for download in Maven Central, and the source code available on GitHub.
