Spring Cloud Tutorial - Secure Secrets using Spring Cloud Config + Vault Example

Microservices architecture have multiple services which interact with each other and external resources like databases. They also need access to usernames and passwords to access these resources. Usually these credentials are stored in config properties. So each microservice will have its own copy of credentials. If any credentials change we will need to update the configurations in all microservices. We have previously discussed one solution to this problem is using Spring Cloud Config Native Server or Spring Cloud Config Git Server where common global properties which are repeated in all the microservices are usually stored.  But still storing the secrets in configuration file is a security concern. Above approach as 2 drawbacks-

• No single point of Truth
• Security risk of exposing the credentials

In this tutorial will be using Spring Cloud Config and Hashicorp Vault to manage secrets and protect sensitive data.

Hashicorp Vault is a platform to secure, store, and tightly control access to tokens, passwords, certificates, encryption keys for protecting sensitive data and other secrets in a dynamic infrastructure.
Using vault we will be retrieving the credentials from the vault key/value store.

Spring Cloud - Table Of Contents
Microservice Registration and Discovery with Spring cloud using Netflix Eureka- Part 1.
Microservice Registration and Discovery with Spring cloud using Netflix Eureka - Part 2.
Microservice Registration and Discovery with Spring cloud using Netflix Eureka - Part 3.
Microservice Registration and Discovery with Spring cloud using Netflix Eureka - Part 4.
Spring Cloud- Netflix Eureka + Ribbon Simple Example
Spring Cloud- Netflix Eureka + Ribbon + Hystrix Fallback Simple Example
Spring Cloud- Netflix Hystrix Circuit Breaker Simple Example
Spring Cloud- Netflix Feign REST Client Simple Example
Spring Cloud- Netflix Zuul +Eureka Simple Example
Spring Cloud Config Server using Native Mode Simple Example
Spring Cloud Config Server Using Git Simple Example
Spring Boot Admin Simple Example
Spring Cloud Stream Tutorial - Publish Message to RabbitMQ Simple Example
Spring Cloud Stream Tutorial - Consume Message from RabbitMQ Simple Example
Spring Cloud Tutorial - Publish Events Using Spring Cloud Bus
Spring Cloud Tutorial - Stream Processing Using Spring Cloud Data Flow
Spring Cloud Tutorial - Distributed Log Tracing using Sleuth and Zipkin Example
Spring Cloud Tutorial - Spring Cloud Gateway Hello World Example
Spring Cloud Tutorial - Spring Cloud Gateway Filters Example
Spring Cloud Tutorial - Spring Cloud Gateway + Netflix Eureka Example
Spring Cloud Tutorial - Spring Cloud Gateway + Netflix Eureka + Netflix Hystrix Example
Spring Cloud Tutorial - Secure Secrets using Spring Cloud Config + Vault Example

We will be implementing a simple Spring Boot Microservice which returns employee details from MySql Database. We will be creating the Spring Boot + MySQL Application using Spring Boot JDBC. We have already seen Spring Boot MYSQL JDBC basics in a previous tutorial. In We will be initially storing the MySql credentials in the configuration file.

Later we will be modifying this application to fetch the MySQL credentials from HashiCorp Vault.

Spring Boot + MySQL application

The project will be as follows-

Add the spring-jdbc-starter dependency.

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
	<modelVersion>4.0.0</modelVersion>

	<groupId>com.javainuse</groupId>
	<artifactId>boot-jdbc</artifactId>
	<version>0.0.1-SNAPSHOT</version>
	<packaging>jar</packaging>

	<name>boot-jdbc</name>
	<description>Demo project for Spring Boot</description>

	<parent>
		<groupId>org.springframework.boot</groupId>
		<artifactId>spring-boot-starter-parent</artifactId>
		<version>2.3.0.RELEASE</version>
		<relativePath /> <!-- lookup parent from repository -->
	</parent>

	<properties>
		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
		<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
		<java.version>1.8</java.version>
	</properties>

	<dependencies>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-web</artifactId>
		</dependency>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-jdbc</artifactId>
		</dependency>

		<dependency>
			<groupId>mysql</groupId>
			<artifactId>mysql-connector-java</artifactId>
			<scope>runtime</scope>
		</dependency>
	</dependencies>

	<build>
		<plugins>
			<plugin>
				<groupId>org.springframework.boot</groupId>
				<artifactId>spring-boot-maven-plugin</artifactId>
			</plugin>
		</plugins>
	</build>


</project>

In the application.properties file specify the datasource properties

spring.datasource.url=jdbc:mysql://localhost/bootdb?createDatabaseIfNotExist=true&autoReconnect=true&useSSL=false
spring.datasource.username=root
spring.datasource.password=root
spring.datasource.platform=mysql
spring.datasource.initialization-mode=always

Create the schema-mysql.sql file and specify the initialization scripts-

DROP TABLE IF EXISTS employee;

CREATE TABLE employee (
  empId VARCHAR(10) NOT NULL,
  empName VARCHAR(100) NOT NULL
);

INSERT INTO employee(empId,empName)values("emp001","emp1");
INSERT INTO employee(empId,empName)values("emp002","emp2");
INSERT INTO employee(empId,empName)values("emp003","emp3");

Create the Employee Domain class

package com.javainuse.model;

public class Employee {

	private String empId;
	private String empName;

	public String getEmpId() {
		return empId;
	}

	public void setEmpId(String empId) {
		this.empId = empId;
	}

	public String getEmpName() {
		return empName;
	}

	public void setEmpName(String empName) {
		this.empName = empName;
	}

	@Override
	public String toString() {
		return "Employee [empId=" + empId + ", empName=" + empName + "]";
	}

}

Create the DAO interface.

package com.javainuse.dao;

import java.util.List;

import com.javainuse.model.Employee;

public interface EmployeeDao {
	List<Employee> getAllEmployees();
}

The DAO implementation class.

package com.javainuse.dao.impl;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import javax.annotation.PostConstruct;
import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.jdbc.core.support.JdbcDaoSupport;
import org.springframework.stereotype.Repository;

import com.javainuse.dao.EmployeeDao;
import com.javainuse.model.Employee;

@Repository
public class EmployeeDaoImpl extends JdbcDaoSupport implements EmployeeDao {

	@Autowired
	DataSource dataSource;

	@PostConstruct
	private void initialize() {
		setDataSource(dataSource);
	}

	@Override
	public List<Employee> getAllEmployees() {
		String sql = "SELECT * FROM employee";
		List<Map<String, Object>> rows = getJdbcTemplate().queryForList(sql);

		List<Employee> result = new ArrayList<Employee>();
		for (Map<String, Object> row : rows) {
			Employee emp = new Employee();
			emp.setEmpId((String) row.get("empId"));
			emp.setEmpName((String) row.get("empName"));
			result.add(emp);
		}

		return result;
	}
}

Create Service interface to specify employee operations to be performed.

package com.javainuse.service;

import java.util.List;

import com.javainuse.model.Employee;

public interface EmployeeService {
	List<Employee> getAllEmployees();
}

The Service class implementation.

package com.javainuse.service.impl;

import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;

import com.javainuse.dao.EmployeeDao;
import com.javainuse.model.Employee;
import com.javainuse.service.EmployeeService;

@Service
public class EmployeeServiceImpl implements EmployeeService {

	@Autowired
	EmployeeDao employeeDao;

	public List<Employee> getAllEmployees() {
		List<Employee> employees = employeeDao.getAllEmployees();
		return employees;
	}

}

Create the Controller class to expose a GET API which fetches the employee records

package com.javainuse.controller;

import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

import com.javainuse.model.Employee;
import com.javainuse.service.EmployeeService;

@RestController
public class EmployeeController {

	@Autowired
	EmployeeService empService;

	@RequestMapping(value = "/employees", method = RequestMethod.GET)
	public List<Employee> firstPage() {

		return empService.getAllEmployees();

	}

}

Finally create the class with @SpringBootApplication annotation.

package com.javainuse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class SpringBootJdbcApplication {

	public static void main(String[] args) {
		SpringApplication.run(SpringBootJdbcApplication.class, args);
	}
}

Start the application. And got to localhost:8080/employees

Download and Setup Hashicorp Vault

Go to Hashicorp download Page and download Hashicorp Vault.

This is a zip file. Unzip it contains vault.exe. Create a file name vaultconfig.hcl for configuring vault on startup.

storage "file" {
	path= "./vault-data"
}

listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable =1		
}

disable_mlock=true

Open a command prompt and run the following vault commands-

vault server -config ./vaultconfig.hcl

Vault is now started. Open another command prompt and run the following commands-

set VAULT_ADDR=http://localhost:8200
vault operator init

set VAULT_TOKEN=s.wO85qvAKuzL4QQifLE9N5aiq

vault status

We can see here that the Vault is sealed. We need to unseal it.

vault operator unseal Y2fJhNi5AXU3HdShQ4p0bZ/KfXVWU3ZYRwaecnlkEYYP
vault operator unseal XS/NJF3X/OcrVzoM9a5oSG2D7Mls2+WCE104RgCAJLrH
vault operator unseal W+W/R7Dwgaj+qwPsrKo3RBDxSzrfoW917AwgoAzvFcOT 

Next enable a key value store with named secrets

vault secrets enable -path=secret/ kv

Store the MySql username and password in the Hashicorp Vault

vault kv put secret/javainuseapp dbusername=root
vault kv put secret/javainuseapp dbpassword=root

Configure Spring Cloud Config in Spring Boot Application

In the pom.xml add the Spring Cloud dependencies-

<name>boot-jdbc</name>
	<description>Demo project for Spring Boot</description>

	<parent>
		<groupId>org.springframework.boot</groupId>
		<artifactId>spring-boot-starter-parent</artifactId>
		<version>2.3.0.RELEASE</version>
		<relativePath /> <!-- lookup parent from repository -->
	</parent>

	<properties>
		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
		<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
		<java.version>1.8</java.version>
		<spring-cloud.version>Hoxton.SR1</spring-cloud.version>
	</properties>

	<dependencies>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-web</artifactId>
		</dependency>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-jdbc</artifactId>
		</dependency>
		<dependency>
		<groupId>org.springframework.cloud</groupId>
		<artifactId>spring-cloud-starter-vault-config</artifactId>
		</dependency>

		<dependency>
			<groupId>mysql</groupId>
			<artifactId>mysql-connector-java</artifactId>
			<scope>runtime</scope>
		</dependency>
	</dependencies>
	
	<dependencyManagement>
		<dependencies>
			<dependency>
				<groupId>org.springframework.cloud</groupId>
				<artifactId>spring-cloud-dependencies</artifactId>
				<version>${spring-cloud.version}</version>
				<type>pom</type>
				<scope>import</scope>
			</dependency>
		</dependencies>
	</dependencyManagement>

	<build>
		<plugins>
			<plugin>
				<groupId>org.springframework.boot</groupId>
				<artifactId>spring-boot-maven-plugin</artifactId>
			</plugin>
		</plugins>
	</build>


</project>

Create a file name bootstrap.yml and add the following configuration.

spring:
  application:
    name: javainuseapp
  cloud:
    vault:
      host: localhost
      port: 8200
      scheme: http
      token: s.wO85qvAKuzL4QQifLE9N5aiq

Finally in the application.properties change the MySql username and password properties to get values from Hashicorp Vault.

spring.datasource.url=jdbc:mysql://localhost/bootdb?createDatabaseIfNotExist=true&autoReconnect=true&useSSL=false
spring.datasource.username=${dbusername}
spring.datasource.password=${dbpassword}
spring.datasource.platform=mysql
spring.datasource.initialization-mode=always

If we now start the Spring Boot Application, it will automatically fetch the MySql username and password by making an API call to Vault.

Download Source Code

Download it -
Spring Cloud + Hashicorp Vault Example

See Also
Spring Boot Hello World Application- Create simple controller and jsp view using Maven
Spring Boot Tutorial-Spring Data JPA
Spring Boot + Simple Security Configuration
Pagination using Spring Boot Simple Example
Spring Boot + ActiveMQ Hello world Example
Spring Boot + Swagger Example Hello World Example
Spring Boot + Swagger- Understanding the various Swagger Annotations
Spring Boot Main Menu
Spring Boot Interview Questions