Unlocking Safe Secrets in Java Spring with Spring Vault

java

Unlocking Safe Secrets in Java Spring with Spring Vault

Streamlining Secret Management in Java Spring with Spring Vault for Enhanced Security

Oct 27, 2022

Unlocking Safe Secrets in Java Spring with Spring Vault

Managing secrets and sensitive configurations is a super important part of modern software development, especially when working with Java Spring applications. Enter Spring Vault, an extension of the Spring Framework that works hand-in-hand with HashiCorp’s Vault. Together, they offer a solid solution for securely storing and accessing secrets. Let’s dive into how to use Spring Vault to boost the security and manageability of your Java apps.

First off, let’s get a grip on what Spring Vault actually is. Designed to make it easier to integrate HashiCorp’s Vault into Spring-based apps, Spring Vault leverages the robust vault technology to securely store and access secrets like API keys, passwords, and certificates. By using Spring Vault, developers can ensure that sensitive data is handled both securely and efficiently in their applications.

So, how do you get started with Spring Vault? Well, you’ll need to add a couple of dependencies to your project. If you’re using Maven, make sure your pom.xml file includes:

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-vault-config</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter</artifactId>
</dependency>

Next up, it’s time to configure Vault in your application properties file. You can do this in either application.properties or application.yml. Here’s a quick example:

spring.cloud.vault.uri=http://localhost:8200
spring.cloud.vault.token=my-root-token
spring.cloud.vault.kv.enabled=true
spring.cloud.vault.kv.backend=secret
spring.cloud.vault.kv.default-context=application
spring.cloud.vault.kv.profile-separator=-

This configuration sets up the Vault URI, token, and specifies the key-value backend and default context. It’s a good base to start securely managing your secrets.

To interact with Vault programmatically, create a VaultTemplate bean. This way, you can read and write secrets from Vault straightforwardly:

@Bean
public VaultTemplate vaultTemplate(VaultEndpointProvider endpointProvider, ClientAuthentication clientAuthentication) {
    return new VaultTemplate(endpointProvider, clientAuthentication);
}

Reading secrets from Vault becomes as easy as pie with the VaultTemplate bean in place. Here’s a quick example of retrieving a secret:

String secret = vaultTemplate.opsForKeyValue("secret", KeyValueBackend.KV_2).get("my-secret", String.class);

Now, there are some common pitfalls and best practices you should keep in mind. For instance, it’s crucial to properly manage Vault tokens. Ensure they’re securely stored and rotated regularly. Avoid hardcoding tokens in your source code; use environment variables or a secure vault for that instead.

When handling secrets, always ensure they’re managed securely. Never log secrets or expose them in error messages. Stick to secure coding practices to prevent any accidental exposure of sensitive data.

Proper access controls are another must. Implement fine-grained access controls to restrict who can access what secrets and what actions they can perform. Vault’s policies and roles will be your best friends here.

For those looking to get a bit more advanced, Spring Vault supports Dynamic Secrets. This is a fantastic feature, particularly for database credentials as it enables time-bound secrets that are automatically revoked after a period. Here’s a snippet illustrating how to retrieve dynamic database credentials:

public class DynamicSecretService {
    private final VaultTemplate vaultTemplate;

    @Autowired
    public DynamicSecretService(VaultTemplate vaultTemplate) {
        this.vaultTemplate = vaultTemplate;
    }

    public String getDatabaseCredentials() {
        return vaultTemplate.opsForDatabase().generateCredentials("database-role").getUsername();
    }
}

Another cool feature is leasing and renewing secrets. Vault leases secrets for a specific period and you can renew these leases to extend their validity. Here’s an example:

public class LeaseRenewalService {
    private final VaultTemplate vaultTemplate;

    @Autowired
    public LeaseRenewalService(VaultTemplate vaultTemplate) {
        this.vaultTemplate = vaultTemplate;
    }

    public void renewLease(String leaseId) {
        vaultTemplate.opsForLease().renew(leaseId);
    }
}

Now, integrating with Spring Cloud Config can be a game-changer, especially in microservice architectures where managing configurations with a centralized config server is crucial. Spring Cloud Config Server can store encrypted secrets using Vault as a backend. Here’s how you can set it up:

Create a Config Server Application using Spring Initializr API:

curl https://start.spring.io/starter.zip \
    -d type=maven-project \
    -d dependencies=cloud-config-server \
    -d groupId=com.example \
    -d artifactId=config-server \
    -d name="Config Server" \
    -d description="Demo project of a Spring Boot application with Vault protected secrets" \
    -d packageName=com.example.config > config-server.zip

Configure the application by editing the application.yml file for port and config search locations.

server:
  port: 8888
spring:
  profiles:
    active: native

Enable the Config Server by adding @EnableConfigServer annotation to your main application class:

@EnableConfigServer
@SpringBootApplication
public class ConfigServerApplication {
    public static void main(String[] args) {
        SpringApplication.run(ConfigServerApplication.class, args);
    }
}

Start Vault by pulling the Vault Docker image and starting a container:

docker pull hashicorp/vault
docker run --cap-add=IPC_LOCK \
    -e 'VAULT_DEV_ROOT_TOKEN_ID=00000000-0000-0000-0000-000000000000' \
    -p 8200:8200 \
    -v {hostPath}:/vault/logs \
    --name my-vault hashicorp/vault

To reload secrets from Vault without restarting the application, you can use Spring Cloud Vault to retrieve application properties from Vault’s key-value secrets engine. Here’s a way to do this:

Store secrets in Vault’s key-value secrets engine:

VAULT_TOKEN=vault-root-password VAULT_ADDR=http://127.0.0.1:8200 vault kv put kv/vault-static-secrets spring.datasource.password=postgres-admin-password spring.datasource.username=postgres

Configure Spring Cloud Vault in your Spring application:

@SpringBootApplication
public class VaultDynamicSecretsApplication {
    public static void main(String[] args) {
        SpringApplication.run(VaultDynamicSecretsApplication.class, args);
    }

    @Bean
    @RefreshScope
    public DataSource dataSource(DataSourceProperties properties) {
        var log = LogFactory.getLog(getClass());
        var db = DataSourceBuilder.create()
                .url(properties.getUrl())
                .username(properties.getUsername())
                .password(properties.getPassword())
                .build();
        log.info("Rebuild data source: " + properties.getUsername() + ',' + properties.getPassword());
        return db;
    }
}

Refresh the application context to get new credentials from Vault when they’re updated:

@Component
public class VaultRefresher {
    private final SecretLeaseContainer leaseContainer;

    @Autowired
    public VaultRefresher(SecretLeaseContainer leaseContainer) {
        this.leaseContainer = leaseContainer;
        leaseContainer.addLeaseListener(new SecretLeaseListener() {
            @Override
            public void onSecretLeaseExpired(SecretLeaseExpiredEvent event) {
                // Refresh application context to get new credentials from Vault
            }
        });
    }
}

By nailing these steps and following best practices, your Java Spring applications can manage secrets securely and efficiently using Spring Vault. This not only beefs up security but also eases the tricky task of managing sensitive configurations across different environments.