Bhuwan Upadhyay

Talks all about software engineering

Published on

Secure application secrets by using spring vault



Security and working with secrets is a concern of every developer working with databases, user credentials or API keys. Vault steps in by providing a secure storage combined with access control, revocation, key rolling and auditing. In short: Vault is a service for securely accessing and storing secrets.

In this post, I’ll walk you through to store secrets into vault for your application.


You’ll learn how to setup Spring Cloud Vault to store and read database credentials for your stand-alone application from vault.

Start PostgreSQL and Vault locally

You can download docker-compose.yml file and just run the following to get PostgreSQL and Vault started locally in docker containers.

docker-compose up -d

Creating the VAULT PostgreSQL credentials

Let's access vault container in your terminal.

docker exec -it example-vault /bin/sh
export VAULT_TOKEN="00000000-0000-0000-0000-000000000000"
export VAULT_ADDR=""

Once you have access to vault and postgres access, do the following to enable postgres and create a role that the application will use to connect to PostgreSQL.

  • Enable secrets for postgresql
vault secrets enable postgresql
  • Write postgresql connection url
vault write postgresql/config/connection \
  • Apply lease setting: vault create new username and password for database
vault write postgresql/config/lease lease=1h lease_max=24h
  • Add role for user in database
vault write postgresql/roles/readonly \
    sql="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
    GRANT ALL ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"
  • To generate new set of credentials run (Vault is now configured to create and manage credentials for Postgres!)
vault read postgresql/creds/readonly


Key                Value
---                -----
lease_id           postgresql/creds/readonly/ihWk1Q9cC3uHgjFBYOBJZFTv
lease_duration     1h
lease_renewable    true
password           4878ef62-ed3d-098e-22c7-71af6891eaa8
username           token-954d49c2-9269-451d-9ce9-97e5aa887222

For more info visit vault documentation here: PostgreSQL Secret Engines

Create a Spring Boot Project

curl https://start.spring.io/starter.tgz -d dependencies=postgresql,cloud-starter-vault-config,data-jpa \
  -d groupId=io.github.bhuwanupadhyay \
  -d artifactId=example-vault \
  -d packageName=io.github.bhuwanupadhyay.tutorial \
  -d baseDir=example-vault \
  -d bootVersion=2.2.2.RELEASE | tar -xzvf -
cd example-vault

Using VAULT in Spring Boot Project with Spring Cloud

Needed maven dependencies under you maven project pom.xml


The spring cloud use bootstrap.yml or bootstrap.properties file. So, to connect with vault you need to define following values in bootstrap.yml file.

    name: example-vault
      uri: http://localhost:8200
      token: '00000000-0000-0000-0000-000000000000'
        enabled: true
        role: readonly
        backend: postgresql
    url: jdbc:postgresql://localhost:5432/postgres
      ddl-auto: create-drop

Database Access: PostgreSQL (read/write)

Let's implement customer entity and its spring data repository as follows:


public class Customer {
    @GeneratedValue(strategy = GenerationType.AUTO)
    private Long id;
    private String name;

    public Customer() {

    public Customer(String name) {
        this.name = name;

    public Long getId() {
        return id;

    public void setId(Long id) {
        this.id = id;

    public String getName() {
        return name;

    public void setName(String name) {
        this.name = name;

    public boolean equals(Object o) {
        if (this == o) return true;
        if (o == null || getClass() != o.getClass()) return false;
        Customer customer = (Customer) o;
        return Objects.equals(id, customer.id);

    public int hashCode() {
        return Objects.hash(id);

Entity Data Repository

public interface CustomerRepository extends JpaRepository<Customer, Long> {

Test Scenario

@Spring BootTest
class DemoApplicationTests {

    private CustomerRepository repository;

    void setUp() {

    void canAddCustomer() {
        String name = "Vault - " + UUID.randomUUID().toString();
        repository.save(new Customer(name));
        assertEquals(name, repository.findAll().get(0).getName());

You can find example on github: Source Code