Bootstrap Configuration

Loading and decrypting configuration properties from external sources such as HashiCorp Vault, Azure Key Vault or AWS Secrets Manager.

Last Updated: 26 May 2022 • Page Author: Jillur Quddus

Overview

The POB Spring bootstrap context is responsible for loading and decrypting configuration properties from external sources such as HashiCorp Vault, Azure Key Vault or AWS Secrets Manager.

Location

The configuration for the POB Spring bootstrap context may be found in the pob-configuration Maven module at src/main/resources/bootstrap.yml. The complete configuration file is as follows:

spring:
    application:
        name: pob
    cloud:
        vault:
            enabled: false
            host: localhost
            port: 8200
            scheme: http
            authentication: TOKEN
            token: ${VAULT_TOKEN}
            kv:
                enabled: true
                backend: secret
                default-context: pob/development
azure:
    keyvault:
        enabled: false
        client-id: ${AZURE_KEYVAULT_CLIENT_ID}
        client-key: ${AZURE_KEYVAULT_CLIENT_SECRET}
        tenant-id: ${AZURE_KEYVAULT_TENANT_ID}
        uri: ${AZURE_KEYVAULT_URI}
aws:
    secretsmanager:
        enabled: true
        name: pob
        prefix: /secret
        defaultContext: application
        failFast: true
        region: eu-west-2

Namespaces

spring.cloud.vault

Configure this namespace if you wish to load externalised configuration from HashiCorp Vault.

Property | Description | Example Value
--- | --- | ---
enabled | Whether to enable externalised configuration from HashiCorp Vault. | true
host | HashiCorp Vault hostname. The hostname is also used for SSL certificate validation where required. | localhost
port | HashiCorp Vault port. | 8200
scheme | Whether to use http or https. | http
authentication | Authentication mechanism used to authorise client requests. | TOKEN
token | If using token-based authentication, the static token to use. The token should be supplied via an environment variable and NOT stored as plaintext in bootstrap.yml. | s.AB638dhfdnbC7dehq
kv.enabled | Whether to enable the Key-Value secrets backend, which stores arbitrary values as a key-value store. | true
kv.backend | The path of the secret mount to use. | secret
kv.default-context | The context name used by all applications. | pob/development

For further information and properties related to loading externalised configuration from HashiCorp Vault, please refer to https://cloud.spring.io/spring-cloud-vault/reference/html/.

azure.keyvault

Configure this namespace if you wish to load externalised configuration from Azure Key Vault.

Property | Description | Example Value
--- | --- | ---
enabled | Whether to enable externalised configuration from Azure Key Vault. | true
client-id | The Azure Key Vault Client ID (obtainable from the Azure Portal or the Azure CLI). The Client ID should be supplied via an environment variable and NOT stored as plaintext in bootstrap.yml. | 83hdbeuhd-c887-83ke-f16ghdss
client-key | The Azure Key Vault Client Secret (obtainable from the Azure Portal or the Azure CLI). The Client Secret should be supplied via an environment variable and NOT stored as plaintext in bootstrap.yml. | S-g.Klfh88JK8sjd.POk6
tenant-id | The Azure Key Vault Tenant ID (obtainable from the Azure Portal or the Azure CLI). The Tenant ID should be supplied via an environment variable and NOT stored as plaintext in bootstrap.yml. | 27dhddfj-9387-8731-shsmnb56s
uri | The Azure Key Vault URI (obtainable from the Azure Portal or the Azure CLI). The URI should be supplied via an environment variable and NOT stored as plaintext in bootstrap.yml. | https://my-key-vault.vault.azure.net

For further information and properties related to loading externalised configuration from Azure Key Vault, please refer to https://docs.microsoft.com/en-us/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-key-vault.

aws.secretsmanager

Configure this namespace if you wish to load externalised configuration from AWS Secrets Manager.

Property | Description | Example Value
--- | --- | ---
enabled | Whether to enable externalised configuration from AWS Secrets Manager. | true
name | The name of the secret to look up, containing the configuration as key-value pairs. | pob
prefix | The prefix forming the first level of every property path. | /secret
defaultContext | The context name used by all applications. | application
failFast | Whether to throw an exception when a configuration lookup fails; otherwise failures are only logged as warnings. | true
region | The AWS region in which the AWS Secrets Manager secret resides. | eu-west-2

Note that an IAM user with permission to read secrets from AWS Secrets Manager must be configured (either via the AWS Management Console or the AWS CLI) if you wish to load externalised configuration from AWS Secrets Manager. Thereafter, AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY must be defined as environment variables, set to the access key ID and secret access key associated with that IAM user.
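As an added example (not part of the POB project or its configuration), the following Python pre-flight check encodes the rule repeated in the tables above: token, client-id, client-key, tenant-id and uri must be ${ENV_VAR} placeholders rather than literals, and when the corresponding backend is enabled the variable must actually be set. It assumes bootstrap.yml has only the simple nested-map shape shown on this page; the flatten helper is a minimal indent-based reader written for this example rather than a YAML library, and SAMPLE is a constructed file.

```python
import os, re
# Properties the page says must come from environment variables, never plaintext.
SENSITIVE = ("spring.cloud.vault.token", "azure.keyvault.client-id",
             "azure.keyvault.client-key", "azure.keyvault.tenant-id",
             "azure.keyvault.uri")
# Spring placeholder syntax: ${NAME} or ${NAME:default}
PLACEHOLDER = re.compile(r"^\$\{([A-Za-z_][A-Za-z0-9_]*)(?::(.*))?\}$")

def flatten(yaml_text):
    """Flatten bootstrap.yml's simple nested maps into dotted paths.
    Indent-based and scalar-only: deliberately not a general YAML parser."""
    props, stack = {}, []           # stack holds (indent, key) of open maps
    for raw in yaml_text.splitlines():
        if raw.strip() and not raw.lstrip().startswith("#"):
            indent = len(raw) - len(raw.lstrip())
            key, _, value = raw.strip().partition(":")
            while stack and stack[-1][0] >= indent:   # close sibling/deeper maps
                stack.pop()
            stack.append((indent, key))
            if value.strip():
                props[".".join(k for _, k in stack)] = value.strip()
    return props

def check(yaml_text, env):
    """Return findings for the sensitive properties; an empty list passes.
    A literal is always a finding; an unset variable only matters when the
    backend that would read it is enabled and the placeholder has no default."""
    props, findings = flatten(yaml_text), []
    for path in (p for p in SENSITIVE if p in props):
        match = PLACEHOLDER.match(props[path])
        enabled = props.get(path.rsplit(".", 1)[0] + ".enabled") == "true"
        if not match:
            findings.append(f"{path}: literal value stored in bootstrap.yml")
        elif enabled and match.group(2) is None and match.group(1) not in env:
            findings.append(f"{path}: environment variable {match.group(1)} is not set")
    return findings

# Constructed sample in the shape of the page's bootstrap.yml (not the real file).
SAMPLE = """spring:
    cloud:
        vault:
            enabled: true
            token: ${VAULT_TOKEN}
azure:
    keyvault:
        enabled: false
        client-key: S-g.Klfh88JK8sjd.POk6
"""
if __name__ == "__main__":
    print("\n".join(check(SAMPLE, os.environ)) or "bootstrap.yml: OK")
```

Run against the real file with check(open("src/main/resources/bootstrap.yml").read(), os.environ) as a CI step before the application starts.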

For further information and properties related to loading externalised configuration from AWS Secrets Manager, please refer to https://docs.spring.io/spring-cloud-aws/docs/2.2.4.RELEASE/reference/html/appendix.html.
