Bootstrap Configuration
Loading and decrypting configuration properties from external sources such as HashiCorp Vault, Azure Key Vault or AWS Secrets Manager.
Last Updated: 26 May 2022 • Page Author: Jillur Quddus
Overview
The POB Spring bootstrap context is responsible for loading and decrypting configuration properties from external sources such as HashiCorp Vault, Azure Key Vault or AWS Secrets Manager.
Location
The configuration for the POB Spring bootstrap context may be found in the pob-configuration
Maven module at src/main/resources/bootstrap.yml
. The complete configuration file is as follows:
Namespaces
spring.cloud.vault
Configure this namespace if you wish to load externalised configuration from HashiCorp Vault.
Property | Description | Example Value |
---|---|---|
enabled | Whether to enable externalised configuration from HashiCorp Vault. | true |
host | HashiCorp Vault hostname. The host name will be used for SSL certificate validation if required. | localhost |
port | HashiCorp Vault port. | 8200 |
scheme | Whether to use http or https. | http |
authentication | Authentication mechanism to authorise client requests. | TOKEN |
token | If using token-based authentication, then the static token to use. Note that the token should be set as an environment variable and NOT stored as plaintext in bootstrap.yml. | s.AB638dhfdnbC7dehq |
kv.enabled | Whether to enable the Key-Value secrets backend, supporting storage of arbitrary values as key-value store. | true |
kv.backend | The path of the secret mount to use. | secret |
kv.default-context | The context name used by all applications. | pob/development |
For further information and properties related to loading externalised configuration from HashiCorp Vault, please refer to https://cloud.spring.io/spring-cloud-vault/reference/html/.
azure.keyvault
Configure this namespace if you wish to load externalised configuration from Azure Key Vault.
Property | Description | Example Value |
---|---|---|
enabled | Whether to enable externalised configuration from Azure Key Vault. | true |
client-id | The Azure Key Vault Client ID (this can be identified using the Azure Portal or via the Azure CLI). Note that the Client ID should be set as an environment variable and NOT stored as plaintext in bootstrap.yml. | 83hdbeuhd-c887-83ke-f16ghdss |
client-key | The Azure Key Vault Client Secret (this can be identified using the Azure Portal or via the Azure CLI). Note that the Client Secret should be set as an environment variable and NOT stored as plaintext in bootstrap.yml. | S-g.Klfh88JK8sjd.POk6 |
tenant-id | The Azure Key Vault Tenant ID (this can be identified using the Azure Portal or via the Azure CLI). Note that the Tenant ID should be set as an environment variable and NOT stored as plaintext in bootstrap.yml. | 27dhddfj-9387-8731-shsmnb56s |
uri | The Azure Key Vault URI (this can be identified using the Azure Portal or via the Azure CLI). Note that the URI should be set as an environment variable and NOT stored as plaintext in bootstrap.yml. | https://my-key-vault.vault.azure.net |
For further information and properties related to loading externalised configuration from Azure Key Vault, please refer to https://docs.microsoft.com/en-us/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-key-vault.
aws.secretsmanager
Configure this namespace if you wish to load externalised configuration from AWS Secrets Manager.
Property | Description | Example Value |
---|---|---|
enabled | Whether to enable externalised configuration from AWS Secrets Manager. | true |
name | The name of the secret to lookup containing the configuration as key-value pairs. | pob |
prefix | The name of the prefix indicating the first level for every property. | /secret |
defaultContext | The context name used by all applications. | application |
failFast | Whether to throw exceptions during configuration lookup, otherwise log warnings. | true |
region | The AWS region of the AWS Secrets Manager. | eu-west-2 |
Note that an IAM user with privileges to read secrets from the AWS Secrets Manager must be configured (either via the AWS Management Console or AWS CLI) if you wish to load externalised configuration from AWS Secrets Manager. Thereafter, AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY must be defined as environmental variables and set with the appropriate key and secret associated with the IAM user.
For further information and properties related to loading externalized configuration from AWS Secrets Manager, please refer to https://docs.spring.io/spring-cloud-aws/docs/2.2.4.RELEASE/reference/html/appendix.html.
Last updated