spring-cloud-config spring-cloud-vault-config

How to override request sequence from Spring Cloud Vault to the Vault?


When my application, which uses the Spring Cloud Vault starter, requests info from Vault, it searches the following paths in the generic secret back-end:

  • secret/myapp/vault
  • secret/myapp/dev
  • secret/myapp

  • secret/application/vault
  • secret/application/dev
  • secret/application

So as you can see, it makes a lot of requests to Vault, and that's a problem because Vault will create a lot of unnecessary logs, which is bad for a few reasons.

How can I change paths for the requests?

For instance, I want my application to go to secret/myapp/{profile} and that's all.


Solution

  • There are two approaches you can take:

    1. Setting spring.cloud.vault.generic.default-context to an empty value.
    2. Customize which paths Spring Vault accesses.
    3. Run your app with fewer profiles activated.

    Spring Vault creates path matrices based on the application name multiplied with the profiles you activated and based on a generic name multiplied with active profiles.

    Providing a VaultConfigurer bean inside the bootstrap context gives you the most control over paths accessed by Spring Cloud Vault:

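    import org.springframework.cloud.vault.config.SecretBackendConfigurer;
    import org.springframework.cloud.vault.config.VaultConfigurer;

    public class MyVaultConfigurer implements VaultConfigurer {

        @Override
        public void addSecretBackends(SecretBackendConfigurer configurer) {

            // Request exactly this path.
            configurer.add("secret/my-application");

            // Skip the default application-name/profile path matrix.
            configurer.registerDefaultGenericSecretBackends(false);
            // Keep the other discovered secret backends registered.
            configurer.registerDefaultDiscoveredSecretBackends(true);
        }
    }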
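An added example (not part of the original answer and not Spring Cloud Vault's own code) that applies the VaultConfigurer approach to the layout from the question, so that only secret/myapp/{profile} is requested. The class name, `BASE_PATH`, the profile-name check and the fail-closed behaviour when no profile is active are assumptions made for illustration; the `SecretBackendConfigurer` calls are the ones shown above.

```java
import java.util.regex.Pattern;

import org.springframework.cloud.vault.config.VaultConfigurer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;

// To load this in the bootstrap context, list the class in
// META-INF/spring.factories under the key
// org.springframework.cloud.bootstrap.BootstrapConfiguration
@Configuration
public class ProfileOnlyVaultBootstrapConfiguration {

    // Assumption: secrets are stored under secret/myapp/{profile}, as in the question.
    private static final String BASE_PATH = "secret/myapp";

    // Assumption: profile names are plain identifiers. Anything else is rejected
    // so a profile value can never add extra segments to the Vault path.
    private static final Pattern SAFE_PROFILE = Pattern.compile("[A-Za-z0-9_-]+");

    @Bean
    public VaultConfigurer profileOnlyVaultConfigurer(Environment environment) {
        return configurer -> {
            String[] profiles = environment.getActiveProfiles();
            if (profiles.length == 0) {
                // Fail closed: without a profile there is no path to read.
                throw new IllegalStateException("No active profile; refusing to start without a Vault path");
            }
            for (String profile : profiles) {
                if (!SAFE_PROFILE.matcher(profile).matches()) {
                    throw new IllegalStateException("Unexpected profile name: " + profile);
                }
                // One request per active profile, e.g. secret/myapp/dev
                configurer.add(BASE_PATH + "/" + profile);
            }
            // Drop the default matrix (secret/myapp, secret/application/..., etc.).
            configurer.registerDefaultGenericSecretBackends(false);
            // Keep the other discovered secret backends registered.
            configurer.registerDefaultDiscoveredSecretBackends(true);
        };
    }
}
```

With the `vault` and `dev` profiles from the question active, this requests secret/myapp/vault and secret/myapp/dev only, so the Vault policy for the application can be limited to those paths and the audit log carries one entry per profile.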