
Configuring Spring Cloud Vault Config to pull from a location other than /secret

I am currently integrating Spring Cloud Vault Config into a Spring Boot application. From the home page:

Spring Cloud Vault Config reads config properties from Vaults using the application name and active profiles:

/secret/{application}/{profile}
/secret/{application}
/secret/{default-context}/{profile}
/secret/{default-context}

I would like to instead provide my own location from which to pull properties from Vault which does not start with /secret (e.g. /deployments/prod). I've been looking through the reference documentation but I haven't found any way to specify this -- is it possible?

Bill asked May 15 '17 15:05



2 Answers

I was able to use the Generic Backend properties to massage the paths into what I was looking for. Something like:

spring.cloud.vault:
    generic:
        enabled: true
        backend: deployments
        profile-separator: '/'
        default-context: prod
        application-name: my-app

This will also unfortunately pick up Vault locations like deployments/my-app and deployments/prod/activeProfile, so be careful not to have any properties in these locations that you don't want to be picked up.

It looks like there is a desire (and an implementation) to allow for these paths to be specified more programmatically.

Bill answered Nov 15 '22 10:11
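
Added example, not part of either answer and not Spring Cloud Vault code: a Python audit script that expands the four path patterns quoted in the question for the settings in the answer above and flags the extra locations that answer warns about. The function names, the active profile "staging" and the list of populated paths are assumptions made for the illustration.

```python
"""Audit helper: which Vault paths would the generic backend settings read?"""


def candidate_paths(backend, application_name, default_context, profiles,
                    profile_separator="/"):
    """Expand the four path patterns quoted in the question.

    Models the documented pattern only; this is not Spring Cloud Vault code.
    """
    paths = []
    for context in (application_name, default_context):
        if not context:
            continue
        for profile in profiles:
            paths.append(f"{backend}/{context}{profile_separator}{profile}")
        paths.append(f"{backend}/{context}")
    return list(dict.fromkeys(paths))  # drop duplicates, keep order


def audit(paths, intended, populated):
    """Classify each candidate path.

    intended  -- paths the team means the application to read
    populated -- paths that currently hold secrets (e.g. from a Vault listing)
    """
    intended = {p.strip("/") for p in intended}
    populated = {p.strip("/") for p in populated}
    report = {}
    for path in paths:
        if path in intended:
            report[path] = "intended"
        elif path in populated:
            report[path] = "UNINTENDED: holds secrets that will be loaded"
        else:
            report[path] = "unintended but empty"
    return report


# Constructed sample: settings from the answer, one assumed profile "staging".
SETTINGS = dict(backend="deployments", application_name="my-app",
                default_context="prod", profiles=["staging"],
                profile_separator="/")
INTENDED = ["/deployments/prod"]
POPULATED = ["deployments/prod", "deployments/my-app"]  # constructed listing

if __name__ == "__main__":
    report = audit(candidate_paths(**SETTINGS), INTENDED, POPULATED)
    for path, status in report.items():
        print(f"{path:32} {status}")
```

Any path reported as unintended is also one the application's Vault policy does not need read access to.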



It should be done this way.

Have a Configuration class

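import org.springframework.cloud.vault.config.SecretBackendConfigurer;
import org.springframework.cloud.vault.config.VaultConfigurer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class VaultConfiguration {

    @Bean
    public VaultConfigurer configurer() {
        return new VaultConfigurer() {
            @Override
            public void addSecretBackends(SecretBackendConfigurer configurer) {
                // Read secrets only from these explicitly listed Vault paths.
                configurer.add("secret/my-app/path-1");
                configurer.add("secret/my-app/path-2");

                // Do not also register the default generic backend paths.
                configurer.registerDefaultGenericSecretBackends(false);
            }
        };
    }
}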

This way you can scan your secrets placed in a custom path.

Regards Arun

Arun answered Nov 15 '22 08:11
