Azure Key Vault Secrets Spring boot starter

Azure Key Vault Secrets Spring Boot starter is a Spring starter for Azure Key Vault Secrets. With this starter, Azure Key Vault is added as a Spring PropertySource, so secrets stored in Azure Key Vault can be used and accessed as conveniently as any other externalized configuration property, e.g. properties in files.

Sample Code

Please refer to sample project here.

Quick Start

Add the dependency

"azure-keyvault-secrets-spring-boot-starter" is published on Maven Central Repository.
If you are using Maven, add the following dependency.

<dependency>
    <groupId>com.microsoft.azure</groupId>
    <artifactId>azure-keyvault-secrets-spring-boot-starter</artifactId>
    <version>2.2.1</version>
</dependency>

Custom settings

To use custom configuration, open the application.properties file and add the properties below to specify your Azure Key Vault URI, Azure service principal client id and client key.

- azure.keyvault.enabled turns the Azure Key Vault Secrets property source on or off; the default is true.
- azure.keyvault.token-acquire-timeout-seconds is the timeout in seconds when acquiring a token from Azure AD. The default value is 60 seconds. This property is optional.
- azure.keyvault.refresh-interval is the period, in milliseconds, after which the PropertySource refreshes its secret keys; the default is 1800000 (30 minutes). This property is optional.
- azure.keyvault.secret.keys restricts the application to specific secret keys. If it is set, only the listed keys are loaded rather than every key in the Key Vault, which means that to pick up new secrets you must restart the application rather than simply add them to the Key Vault.

azure.keyvault.enabled=true
azure.keyvault.uri=put-your-azure-keyvault-uri-here
azure.keyvault.client-id=put-your-azure-client-id-here
azure.keyvault.client-key=put-your-azure-client-key-here
azure.keyvault.tenant-id=put-your-azure-tenant-id-here
azure.keyvault.token-acquire-timeout-seconds=60
azure.keyvault.refresh-interval=1800000
azure.keyvault.secret.keys=key1,key2,key3

Use MSI / Managed identities

App Services

To use managed identities for App Services, please refer to How to use managed identities for App Service and Azure Functions.

To use it in an App Service, add the below properties:

azure.keyvault.enabled=true
azure.keyvault.uri=put-your-azure-keyvault-uri-here

VM

To use it for virtual machines, please refer to Azure AD managed identities for Azure resources documentation.

To use it in a VM, add the below properties:

azure.keyvault.enabled=true
azure.keyvault.uri=put-your-azure-keyvault-uri-here
azure.keyvault.client-id=put-your-azure-client-id-here

If you are using system assigned identity you don't need to specify the client-id.

Save secrets in Azure Key Vault

Save secrets in Azure Key Vault through Azure Portal or Azure CLI.

You can use the following Azure CLI command to save secrets, if Key Vault is already created.

az keyvault secret set --name <your-property-name> --value <your-secret-property-value> --vault-name <your-keyvault-name>

NOTE For detailed steps on how to set up Azure Key Vault, please refer to the sample code readme section "Setup Azure Key Vault".

IMPORTANT The allowed secret name pattern in Azure Key Vault is ^[0-9a-zA-Z-]+$. Some Spring properties, such as spring.datasource.url, contain a ., so use the following workaround when saving them into Azure Key Vault: replace each . with -. spring.datasource.url is saved under the name spring-datasource-url in Azure Key Vault. In the client application, keep using the original spring.datasource.url to retrieve the property value; this starter takes care of the transformation for you. The purpose of this approach is to integrate with Spring's existing property settings.
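The following Java helper is an added example, not code from the starter or its sample project. It reproduces the dot-to-hyphen naming rule described above so that a secret name can be checked before the secret is created, and it rejects property names that Key Vault could never store (for example names containing an underscore). The vault contents in main are constructed sample data.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Added example, not code from the starter. It reproduces the dot-to-hyphen
// rule the README describes so the mapping can be checked before a secret is
// created, and rejects property names Key Vault could never store.
public final class KeyVaultSecretNames {

    // Allowed secret name pattern, as stated in the README.
    private static final Pattern ALLOWED = Pattern.compile("^[0-9a-zA-Z-]+$");

    private KeyVaultSecretNames() {
    }

    // Converts a Spring property name to the name it must be stored under in
    // Key Vault: every '.' becomes '-'. Any other character outside the allowed
    // set (for example '_' or '[') cannot be stored, so the call fails loudly
    // instead of silently producing a name the vault would reject.
    public static String toSecretName(String propertyName) {
        String candidate = propertyName.replace('.', '-');
        if (!ALLOWED.matcher(candidate).matches()) {
            throw new IllegalArgumentException("property '" + propertyName
                + "' maps to '" + candidate + "', which does not match " + ALLOWED.pattern());
        }
        return candidate;
    }

    // Resolves a property the way a client application asks for it: the caller
    // passes the original Spring name and the lookup translates it. The map
    // stands in for the vault here; the real starter queries Key Vault.
    public static String resolve(Map<String, String> secretsByName, String propertyName) {
        return secretsByName.get(toSecretName(propertyName));
    }

    public static void main(String[] args) {
        // Constructed sample data standing in for secrets stored in Key Vault.
        Map<String, String> vault = new HashMap<>();
        vault.put("spring-datasource-url", "jdbc:postgresql://db.example.invalid:5432/app");
        vault.put("your-property-name", "constructed-sample-value");

        System.out.println("spring.datasource.url is stored as "
            + toSecretName("spring.datasource.url"));
        System.out.println("resolved: " + resolve(vault, "spring.datasource.url"));
        System.out.println("resolved: " + resolve(vault, "your-property-name"));

        // A name with an underscore cannot be stored at all; the helper says so
        // up front rather than letting the vault reject it later.
        try {
            toSecretName("db_password");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile with javac KeyVaultSecretNames.java and run it with java KeyVaultSecretNames. Only the property-to-secret direction is mapped on purpose: a Spring property name may itself contain hyphens (for example server.servlet.context-path), so the reverse mapping from a secret name is ambiguous, and the Spring property name should stay the source of truth.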

Get Key Vault secret value as property

Now, you can get Azure Key Vault secret value as a configuration property.

import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.CommandLineRunner;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class SampleApplication implements CommandLineRunner {

    // Resolved from the Key Vault property source like any other property.
    @Value("${your-property-name}")
    private String mySecretProperty;

    public static void main(String[] args) {
        SpringApplication.run(SampleApplication.class, args);
    }

    @Override
    public void run(String... args) throws Exception {
        System.out.println("property your-property-name value is: " + mySecretProperty);
    }

}
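Building on the snippet above, the following component is an added example (not code from the starter or its sample project). It checks at startup that every required secret was actually delivered through the Key Vault property source and fails fast if one is missing, without ever writing a secret value to the log. The property names in REQUIRED are assumptions chosen for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.springframework.boot.CommandLineRunner;
import org.springframework.core.env.Environment;
import org.springframework.stereotype.Component;

// Added example, not code from the starter. Verifies that the secrets the
// application depends on resolved through the Environment (which now includes
// the Key Vault property source) and aborts startup if any are absent.
@Component
public class RequiredSecretsCheck implements CommandLineRunner {

    // Assumed property names; spring.datasource.password is stored in Key
    // Vault as spring-datasource-password, the starter translates the name.
    private static final List<String> REQUIRED = Arrays.asList(
        "spring.datasource.password",
        "your-property-name");

    private final Environment env;

    public RequiredSecretsCheck(Environment env) {
        this.env = env;
    }

    // Returns the names of required properties that are unset or blank.
    // Values are inspected but never retained or logged.
    List<String> missingSecrets() {
        List<String> missing = new ArrayList<>();
        for (String name : REQUIRED) {
            String value = env.getProperty(name);
            if (value == null || value.trim().isEmpty()) {
                missing.add(name);
            }
        }
        return missing;
    }

    @Override
    public void run(String... args) {
        List<String> missing = missingSecrets();
        if (!missing.isEmpty()) {
            // Name the missing properties, never their values: the message
            // ends up in logs and crash reports.
            throw new IllegalStateException("required secrets not resolved: " + missing);
        }
        System.out.println(REQUIRED.size() + " required secrets resolved");
    }
}
```

Because the starter registers Key Vault as an ordinary PropertySource, Environment.getProperty sees the secret under its Spring name; a missing secret therefore surfaces here as a clear startup failure instead of a null injected into a data source much later.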

Allow telemetry

Microsoft would like to collect data about how users use this Spring Boot starter. Microsoft uses this information to improve our tooling experience. Participation is voluntary. If you don't want to participate, disable it by setting the configuration below in application.properties.

azure.keyvault.allow.telemetry=false

When telemetry is enabled, an HTTP request is sent to the URL https://dc.services.visualstudio.com/v2/track, so please make sure it is not blocked by your firewall.
For more information about the Azure Service Privacy Statement, please check the Microsoft Online Services Privacy Statement.