Different organizations have different requirements for security and authentication. Vault reflects that need by shipping multiple authentication methods. Spring Cloud Vault supports token and AppId authentication.
Tokens are the core method for authentication within Vault. Token authentication requires a static token to be provided using the Bootstrap Application Context.
![[Note]](images/note.png) | Note |
|---|---|
Token authentication is the default authentication method. If a token is disclosed an unintended party gains access to Vault and can access secrets for the intended client. |
Example 3.1. bootstrap.yml
spring.cloud.vault: authentication: TOKEN token: 00000000-0000-0000-0000-000000000000
authenticationsetting this value toTOKENselects the Token authentication methodtokensets the static token to use
See also: Vault Documentation: Tokens
Vault supports AppId
authentication that consists of two hard to guess tokens. The AppId
defaults to spring.application.name that is statically configured.
The second token is the UserId which is a part determined by the application,
usually related to the runtime environment. IP address, Mac address or a
Docker container name are good examples. Spring Cloud Vault Config supports
IP address, Mac address and static UserId’s (e.g. supplied via System properties).
The IP and Mac address are represented as Hex-encoded SHA256 hash.
IP address-based UserId’s use the local host’s IP address.
Example 3.2. bootstrap.yml using SHA256 IP-Address UserId’s
spring.cloud.vault: authentication: APPID app-id: user-id: IP_ADDRESS
authenticationsetting this value toAPPIDselects the AppId authentication methodapp-id-pathsets the path of the AppId mount to useuser-idsets the UserId method. Possible values areIP_ADDRESS,MAC_ADDRESSor a class name implementing a customAppIdUserIdMechanism
The corresponding command to generate the IP address UserId from a command line is:
$ echo -n 192.168.99.1 | sha256sum
| Note |
|---|---|
Including the line break of |
Mac address-based UserId’s obtain their network device from the
localhost-bound device. The configuration also allows specifying
a network-interface hint to pick the right device. The value of
network-interface is optional and can be either an interface
name or interface index (0-based).
Example 3.3. bootstrap.yml using SHA256 Mac-Address UserId’s
spring.cloud.vault: authentication: APPID app-id: user-id: MAC_ADDRESS network-interface: eth0
network-interfacesets network interface to obtain the physical address
The corresponding command to generate the IP address UserId from a command line is:
$ echo -n 0AFEDE1234AC | sha256sum
| Note |
|---|---|
The Mac address is specified uppercase and without colons.
Including the line break of |
The UserId generation is an open mechanism. You can set
spring.cloud.vault.app-id.user-id to any string and the configured
value will be used as static UserId.
A more advanced approach lets you set spring.cloud.vault.app-id.user-id to a
classname. This class must be on your classpath and must implement
the org.springframework.cloud.vault.AppIdUserIdMechanism interface
and the createUserId method. Spring Cloud Vault will obtain the UserId
by calling createUserId each time it authenticates using AppId to
obtain a token.
Example 3.4. bootstrap.yml
spring.cloud.vault: authentication: APPID app-id: user-id: com.examlple.MyUserIdMechanism
Example 3.5. MyUserIdMechanism.java
public class MyUserIdMechanism implements AppIdUserIdMechanism { @Override public String createUserId() { String userId = ... return userId; } }
See also: Vault Documentation: Using the App ID auth backend
AppRole is intended for machine authentication, like the deprecated (since Vault 0.6.1) Section 3.2, “AppId authentication”. AppRole authentication consists of two hard to guess (secret) tokens: RoleId and SecretId.
Spring Vault supports various AppRole scenarios (push/pull mode and wrapped).
RoleId and optionally SecretId must be provided by configuration, Spring Vault will not look up these or create a custom SecretId.
Example 3.6. bootstrap.yml with AppRole authentication properties
spring.cloud.vault: authentication: APPROLE app-role: role-id: bde2076b-cccb-3cf0-d57e-bca7b1e83a52
The following scenarios are supported along the required configuration details:
Table 3.1. Configuration
Method | RoleId | SecretId | RoleName | Token |
Provided RoleId/SecretId | Provided | Provided | ||
Provided RoleId without SecretId | Provided | |||
Provided RoleId, Pull SecretId | Provided | Provided | Provided | Provided |
Pull RoleId, provided SecretId | Provided | Provided | Provided | |
Full Pull Mode | Provided | Provided | ||
Wrapped | Provided | |||
Wrapped RoleId, provided SecretId | Provided | Provided | ||
Provided RoleId, wrapped SecretId | Provided | Provided |
Table 3.2. Pull/Push/Wrapped Matrix
RoleId | SecretId | Supported |
Provided | Provided | ✅ |
Provided | Pull | ✅ |
Provided | Wrapped | ✅ |
Provided | Absent | ✅ |
Pull | Provided | ✅ |
Pull | Pull | ✅ |
Pull | Wrapped | ❌ |
Pull | Absent | ❌ |
Wrapped | Provided | ✅ |
Wrapped | Pull | ❌ |
Wrapped | Wrapped | ✅ |
Wrapped | Absent | ❌ |
| Note |
|---|---|
You can use still all combinations of push/pull/wrapped modes by providing a configured |
![[Important]](images/important.png) | Important |
|---|---|
AppRole authentication is limited to simple pull mode using reactive infrastructure. Full pull mode is not yet supported. Using Spring Cloud Vault with the Spring WebFlux stack enables Vault’s reactive auto-configuration which can be disabled by setting |
Example 3.7. bootstrap.yml with all AppRole authentication properties
spring.cloud.vault: authentication: APPROLE app-role: role-id: bde2076b-cccb-3cf0-d57e-bca7b1e83a52 secret-id: 1696536f-1976-73b1-b241-0b4213908d39 role: my-role app-role-path: approle
role-idsets the RoleId.secret-idsets the SecretId. SecretId can be omitted if AppRole is configured without requiring SecretId (Seebind_secret_id).role: sets the AppRole name for pull mode.app-role-pathsets the path of the approle authentication mount to use.
See also: Vault Documentation: Using the AppRole auth backend
The aws-ec2 auth backend provides a secure introduction mechanism for AWS EC2 instances, allowing automated retrieval of a Vault token. Unlike most Vault authentication backends, this backend does not require first-deploying, or provisioning security-sensitive credentials (tokens, username/password, client certificates, etc.). Instead, it treats AWS as a Trusted Third Party and uses the cryptographically signed dynamic metadata information that uniquely represents each EC2 instance.
AWS-EC2 authentication enables nonce by default to follow the Trust On First Use (TOFU) principle. Any unintended party that gains access to the PKCS#7 identity metadata can authenticate against Vault.
During the first login, Spring Cloud Vault generates a nonce that is stored in the auth backend aside the instance Id. Re-authentication requires the same nonce to be sent. Any other party does not have the nonce and can raise an alert in Vault for further investigation.
The nonce is kept in memory and is lost during application restart.
You can configure a static nonce with spring.cloud.vault.aws-ec2.nonce.
AWS-EC2 authentication roles are optional and default to the AMI.
You can configure the authentication role by setting the
spring.cloud.vault.aws-ec2.role property.
Example 3.9. bootstrap.yml with configured role
spring.cloud.vault: authentication: AWS_EC2 aws-ec2: role: application-server
Example 3.10. bootstrap.yml with all AWS EC2 authentication properties
spring.cloud.vault: authentication: AWS_EC2 aws-ec2: role: application-server aws-ec2-path: aws-ec2 identity-document: http://... nonce: my-static-nonce
authenticationsetting this value toAWS_EC2selects the AWS EC2 authentication methodrolesets the name of the role against which the login is being attempted.aws-ec2-pathsets the path of the AWS EC2 mount to useidentity-documentsets URL of the PKCS#7 AWS EC2 identity documentnonceused for AWS-EC2 authentication. An empty nonce defaults to nonce generation
The aws backend provides a secure authentication mechanism for AWS IAM roles, allowing the automatic authentication with vault based on the current IAM role of the running application. Unlike most Vault authentication backends, this backend does not require first-deploying, or provisioning security-sensitive credentials (tokens, username/password, client certificates, etc.). Instead, it treats AWS as a Trusted Third Party and uses the 4 pieces of information signed by the caller with their IAM credentials to verify that the caller is indeed using that IAM role.
The current IAM role the application is running in is automatically calculated. If you are running your application on AWS ECS then the application will use the IAM role assigned to the ECS task of the running container. If you are running your application naked on top of an EC2 instance then the IAM role used will be the one assigned to the EC2 instance.
When using the AWS-IAM authentication you must create a role in Vault
and assign it to your IAM role. An empty role defaults to
the friendly name the current IAM role.
Example 3.11. bootstrap.yml with required AWS-IAM Authentication properties
spring.cloud.vault: authentication: AWS_IAM
Example 3.12. bootstrap.yml with all AWS-IAM Authentication properties
spring.cloud.vault: authentication: AWS_IAM aws-iam: role: my-dev-role aws-path: aws server-id: some.server.name
rolesets the name of the role against which the login is being attempted. This should be bound to your IAM role. If one is not supplied then the friendly name of the current IAM user will be used as the vault role.aws-pathsets the path of the AWS mount to useserver-idsets the value to use for theX-Vault-AWS-IAM-Server-IDheader preventing certain types of replay attacks.
AWS-IAM requires the AWS Java SDK dependency (com.amazonaws:aws-java-sdk-core)
as the authentication implementation uses AWS SDK types for credentials and request signing.
The azure auth backend provides a secure introduction mechanism for Azure VM instances, allowing automated retrieval of a Vault token. Unlike most Vault authentication backends, this backend does not require first-deploying, or provisioning security-sensitive credentials (tokens, username/password, client certificates, etc.). Instead, it treats Azure as a Trusted Third Party and uses the managed service identity and instance metadata information that can be bound to a VM instance.
Example 3.13. bootstrap.yml with required Azure Authentication properties
spring.cloud.vault: authentication: AZURE_MSI azure-msi: role: my-dev-role
Example 3.14. bootstrap.yml with all Azure Authentication properties
spring.cloud.vault: authentication: AZURE_MSI azure-msi: role: my-dev-role azure-path: aws
rolesets the name of the role against which the login is being attempted.azure-pathsets the path of the Azure mount to use
Azure MSI authentication fetches environmental details about the virtual machine (subscription Id, resource group, VM name) from the instance metadata service.
The cert auth backend allows authentication using SSL/TLS client
certificates that are either signed by a CA or self-signed.
To enable cert authentication you need to:
- Use SSL, see Chapter 9, Vault Client SSL configuration
- Configure a Java
Keystorethat contains the client certificate and the private key - Set the
spring.cloud.vault.authenticationtoCERT
Example 3.15. bootstrap.yml
spring.cloud.vault: authentication: CERT ssl: key-store: classpath:keystore.jks key-store-password: changeit cert-auth-path: cert
Cubbyhole authentication uses Vault primitives to provide a secured authentication
workflow. Cubbyhole authentication uses tokens as primary login method.
An ephemeral token is used to obtain a second, login VaultToken from Vault’s
Cubbyhole secret backend. The login token is usually longer-lived and used to
interact with Vault. The login token will be retrieved from a wrapped
response stored at /cubbyhole/response.
Creating a wrapped token
| Note |
|---|---|
Response Wrapping for token creation requires Vault 0.6.0 or higher. |
Example 3.16. Creating and storing tokens
$ vault token-create -wrap-ttl="10m" Key Value --- ----- wrapping_token: 397ccb93-ff6c-b17b-9389-380b01ca2645 wrapping_token_ttl: 0h10m0s wrapping_token_creation_time: 2016-09-18 20:29:48.652957077 +0200 CEST wrapped_accessor: 46b6aebb-187f-932a-26d7-4f3d86a68319
Example 3.17. bootstrap.yml
spring.cloud.vault: authentication: CUBBYHOLE token: 397ccb93-ff6c-b17b-9389-380b01ca2645
See also:
The gcp auth backend allows Vault login by using existing GCP (Google Cloud Platform) IAM and GCE credentials.
GCP GCE (Google Compute Engine) authentication creates a signature in the form of a JSON Web Token (JWT) for a service account. A JWT for a Compute Engine instance is obtained from the GCE metadata service using Instance identification. This API creates a JSON Web Token that can be used to confirm the instance identity.
Unlike most Vault authentication backends, this backend does not require first-deploying, or provisioning security-sensitive credentials (tokens, username/password, client certificates, etc.). Instead, it treats GCP as a Trusted Third Party and uses the cryptographically signed dynamic metadata information that uniquely represents each GCP service account.
Example 3.18. bootstrap.yml with required GCP-GCE Authentication properties
spring.cloud.vault: authentication: GCP_GCE gcp-gce: role: my-dev-role
Example 3.19. bootstrap.yml with all GCP-GCE Authentication properties
spring.cloud.vault: authentication: GCP_GCE gcp-gce: gcp-path: gcp role: my-dev-role service-account: [email protected]
rolesets the name of the role against which the login is being attempted.gcp-pathsets the path of the GCP mount to useservice-accountallows overriding the service account Id to a specific value. Defaults to thedefaultservice account.
See also:
The gcp auth backend allows Vault login by using existing GCP (Google Cloud Platform) IAM and GCE credentials.
GCP IAM authentication creates a signature in the form of a JSON Web Token (JWT)
for a service account. A JWT for a service account is obtained by
calling GCP IAM’s projects.serviceAccounts.signJwt API. The caller authenticates against GCP IAM
and proves thereby its identity. This Vault backend treats GCP as a Trusted Third Party.
IAM credentials can be obtained from either the runtime environment
, specifically the GOOGLE_APPLICATION_CREDENTIALS
environment variable, the Google Compute metadata service,
or supplied externally as e.g. JSON or base64 encoded.
JSON is the preferred form as it carries the project id and
service account identifier required for calling projects.serviceAccounts.signJwt.
Example 3.20. bootstrap.yml with required GCP-IAM Authentication properties
spring.cloud.vault: authentication: GCP_IAM gcp-iam: role: my-dev-role
Example 3.21. bootstrap.yml with all GCP-IAM Authentication properties
spring.cloud.vault: authentication: GCP_IAM gcp-iam: credentials: location: classpath:credentials.json encoded-key: e+KApn0= gcp-path: gcp jwt-validity: 15m project-id: my-project-id role: my-dev-role service-account: [email protected]
rolesets the name of the role against which the login is being attempted.credentials.locationpath to the credentials resource that contains Google credentials in JSON format.credentials.encoded-keythe base64 encoded contents of an OAuth2 account private key in the JSON format.gcp-pathsets the path of the GCP mount to usejwt-validityconfigures the JWT token validity. Defaults to 15 minutes.project-idallows overriding the project Id to a specific value. Defaults to the project Id from the obtained credential.service-accountallows overriding the service account Id to a specific value. Defaults to the service account from the obtained credential.
GCP IAM authentication requires the Google Cloud Java SDK dependency
(com.google.apis:google-api-services-iam and com.google.auth:google-auth-library-oauth2-http)
as the authentication implementation uses Google APIs for credentials and JWT signing.
| Note |
|---|---|
Google credentials require an OAuth 2 token maintaining the token lifecycle. All API
is synchronous therefore, |
See also:
Kubernetes authentication mechanism (since Vault 0.8.3) allows to authenticate with Vault using a Kubernetes Service Account Token. The authentication is role based and the role is bound to a service account name and a namespace.
A file containing a JWT token for a pod’s service account is automatically mounted at /var/run/secrets/kubernetes.io/serviceaccount/token.
Example 3.22. bootstrap.yml with all Kubernetes authentication properties
spring.cloud.vault: authentication: KUBERNETES kubernetes: role: my-dev-role kubernetes-path: kubernetes service-account-token-file: /var/run/secrets/kubernetes.io/serviceaccount/token
rolesets the Role.kubernetes-pathsets the path of the Kubernetes mount to use.service-account-token-filesets the location of the file containing the Kubernetes Service Account Token. Defaults to/var/run/secrets/kubernetes.io/serviceaccount/token.
See also: