Give role to user
In order to create a secret, we first need to give the user the Key Vault Administrator role on the vault. We do this from the vault's Access control (IAM) blade.
Create secret
As before, if we now try to create the secret, we are able to do so successfully.
Create an enterprise application
Next, in order to connect to the Key Vault from the Spring Boot application, we need a client id and a client secret. The Key Vault does not provide these by itself.
We will create an enterprise application (an app registration), assign it a role on the Key Vault, and then use that application's client id and client secret to connect to the Key Vault from the Spring Boot application.
Go to Microsoft Entra ID -> App registrations -> New registration.
Specify the name of the app as javainuseapp and click on Register button.
A new app named javainuseapp gets created. Note the client id and tenant id shown on its overview page; we will need both later.
Let us now create a client secret for this app. Go to Certificates & secrets and click on New client secret.
A secret named clientsecret gets created.
Assign the javainuse app key vault role
On the Key Vault, using Access control (IAM), we assign the Key Vault Secrets User role to the javainuseapp we just created. This role only allows reading secret contents, which is all the application needs.
We are done with the key vault configuration.
Spring Boot Application
Using the Spring Initializr we will be creating a Spring Boot application as follows.
The maven project created is as follows-
In the pom.xml we add the Azure dependencies.
These dependencies provide the necessary libraries for integrating with Azure Key Vault in a Spring Boot application. Specifically, azure-security-keyvault-secrets allows you to securely retrieve secrets stored in Azure Key Vault, while azure-identity enables authentication and authorization mechanisms to access Key Vault securely using managed identities or service principals.
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>3.2.6</version>
        <relativePath /> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.javainuse</groupId>
    <artifactId>boot-keyvault</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>boot-keyvault</name>
    <description>Demo project for Spring Boot</description>
    <properties>
        <java.version>17</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <!-- Key Vault secrets client -->
        <dependency>
            <groupId>com.azure</groupId>
            <artifactId>azure-security-keyvault-secrets</artifactId>
            <version>4.8.3</version>
        </dependency>
        <!-- Credential types (DefaultAzureCredential, client secret, managed identity) -->
        <dependency>
            <groupId>com.azure</groupId>
            <artifactId>azure-identity</artifactId>
            <version>1.9.1</version>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>
Next we create a RestController named AzureController that uses the Azure Key Vault client library to retrieve a secret from Azure Key Vault and use it in the application.
In this class we expose a GET mapping for the "/getsecret" endpoint. When this endpoint is accessed, it performs the following actions:
- It defines the Azure Key Vault URL and the name of the secret to be retrieved.
- It creates an instance of SecretClient from the Azure Key Vault client library using SecretClientBuilder.
- It authenticates with Azure Key Vault using DefaultAzureCredentialBuilder, which automatically selects the appropriate credential type based on the environment.
- It retrieves the secret from Azure Key Vault using the getSecret method, passing the secret name.
- It constructs a string with the message "Fetched Secret Values is " followed by the secret value (the value is used exactly as Key Vault returns it; the code does no Base64 decoding).
- Finally, it returns the constructed string as the response to the "/getsecret" endpoint.
package com.javainuse.boot_keyvault.controller;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;

@RestController
public class AzureController {

    @GetMapping("/getsecret")
    public String hello() {
        String keyVaultUrl = "https://javainuse.vault.azure.net/";
        String secretName = "secret";
        String fetchedSecret = null;
        try {
            // Create a SecretClient instance to interact with Azure Key Vault.
            // DefaultAzureCredential reads AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and
            // AZURE_TENANT_ID from the environment to obtain an access token.
            SecretClient secretClient = new SecretClientBuilder().vaultUrl(keyVaultUrl)
                    .credential(new DefaultAzureCredentialBuilder().build()).buildClient();
            // Retrieve the secret from Azure Key Vault; the value is returned as stored
            KeyVaultSecret secret = secretClient.getSecret(secretName);
            fetchedSecret = "Fetched Secret Values is " + secret.getValue();
        } catch (Exception e) {
            // Authentication or lookup failure: log it and return null to the caller
            e.printStackTrace();
        }
        return fetchedSecret;
    }
}
DefaultAzureCredentialBuilder reads the client id, client secret and tenant id from the environment variables AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID, so we need to set these before starting the application.
Behind the scenes it uses them to request an access token from Microsoft Entra ID, and then presents that token to Key Vault to retrieve the secret. All of this is handled by DefaultAzureCredentialBuilder without further code on our side.
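As an added example (not the tutorial's own code), the variant below shows how a practitioner would usually wire the same library into a Spring Boot application: the SecretClient is built once as a bean, the vault URL comes from configuration rather than a hard-coded string, and the endpoint reports whether the secret is reachable and usable without echoing its value to the HTTP caller. The property name azure.keyvault.url, the endpoint path /secret-status and the class names are assumptions of this example; both classes live in one file, SecretStatusController.java, in the tutorial's controller package.

```java
package com.javainuse.boot_keyvault.controller;

import java.util.LinkedHashMap;
import java.util.Map;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

import com.azure.core.exception.HttpResponseException;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;

// Builds the SecretClient once and shares it across the application.
// The vault URL is read from application.properties; the property name
// azure.keyvault.url is an assumption of this example.
@Configuration
class KeyVaultClientConfig {

    @Bean
    SecretClient secretClient(@Value("${azure.keyvault.url}") String vaultUrl) {
        // DefaultAzureCredential picks up AZURE_TENANT_ID, AZURE_CLIENT_ID and
        // AZURE_CLIENT_SECRET from the environment (falling back to managed identity,
        // Azure CLI login, etc.), so no credential material lives in the code base.
        return new SecretClientBuilder()
                .vaultUrl(vaultUrl)
                .credential(new DefaultAzureCredentialBuilder().build())
                .buildClient();
    }
}

@RestController
public class SecretStatusController {

    private static final Logger log = LoggerFactory.getLogger(SecretStatusController.class);
    private static final String SECRET_NAME = "secret"; // same secret name as the tutorial

    private final SecretClient secretClient;

    public SecretStatusController(SecretClient secretClient) {
        this.secretClient = secretClient;
    }

    // Reports whether the secret can be fetched and is usable; the value itself
    // is consumed inside the application and never written to the response.
    @GetMapping("/secret-status")
    public ResponseEntity<Map<String, Object>> secretStatus() {
        Map<String, Object> body = new LinkedHashMap<>();
        try {
            KeyVaultSecret secret = secretClient.getSecret(SECRET_NAME);
            String value = secret.getValue();
            // A disabled or empty secret is fetchable but not usable
            boolean usable = value != null && !value.isEmpty()
                    && Boolean.TRUE.equals(secret.getProperties().isEnabled());
            body.put("name", secret.getName());
            body.put("version", secret.getProperties().getVersion());
            body.put("enabled", secret.getProperties().isEnabled());
            body.put("expiresOn", String.valueOf(secret.getProperties().getExpiresOn()));
            body.put("usable", usable);
            return ResponseEntity.ok(body);
        } catch (HttpResponseException e) {
            // 401/403: token rejected or the Key Vault Secrets User role is missing;
            // 404: wrong secret name or vault URL. Credential-chain failures surface
            // here too and may carry no HTTP response at all.
            int status = e.getResponse() == null ? -1 : e.getResponse().getStatusCode();
            log.warn("Key Vault lookup for '{}' failed with HTTP status {}", SECRET_NAME, status);
            body.put("usable", false);
            body.put("keyVaultStatus", status);
            return ResponseEntity.status(HttpStatus.SERVICE_UNAVAILABLE).body(body);
        }
    }
}
```

With AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID set as described above and azure.keyvault.url pointing at the vault, a GET on /secret-status returns only the secret's name, version, enabled flag and expiry. If the role assignment from the earlier step is missing, the endpoint answers 503 and the log line shows the 403 from Key Vault, which is the first thing to check when the integration fails.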
If we now start the application and go to localhost:8080/getsecret, we see that the secret is retrieved correctly.
Download Source Code
Download it -
Spring Boot 3 + Azure Key Vault HelloWorld Example