I am trying to use Spring Vault to provide a centralized service which provides storing and retrieving credential information capability for our micro-service eco-system. However, our organization is currently using CyberArk for centralizing credentials, so what I am looking for is to build an abstraction service which is based on Spring Vault and uses CyberArk as the storage engine for HashiCorp Vault.
HashiCorp Vault is a known and proven solution used by leading banks and technology giants specifically for application-level secrets (Docker etc.). CyberArk might even be a leader in managing enterprise secrets, but make sure it supports the scale of your microservices architecture.
HashiCorp's Vault is a tool to store and secure secrets. Vault, in general, solves the software development security problem of how to manage secrets. To learn more about it, check out our article here. Spring Vault provides Spring abstractions to HashiCorp's Vault.
Spring Cloud Vault uses Spring Vault to provide a configuration integration for Spring Boot-based applications. Spring Cloud Vault provides configuration data to applications that is encrypted inside Vault.
You can use the Conjur (CyberArk Open Source and Enterprise) vault with Spring Boot. However, you must use the Java API as mentioned here:
https://www.conjur.org/blog/loading-your-database-credentials-at-runtime-with-conjur/
1- You must download the Conjur Java API from GitHub (build it and use it as a dependency in your Spring Boot app):
    <!-- CONJUR CYBERARK -->
    <dependency>
        <groupId>net.conjur.api</groupId>
        <artifactId>conjur-api</artifactId>
        <version>2.2.1</version>
    </dependency>
    <!-- CONJUR CYBERARK -->
2- Make sure you have configured the Conjur server and CLI: https://www.conjur.org/get-started/quick-start/oss-environment/
3- Add the Conjur properties as environment variables:
CONJUR_ACCOUNT=demo
CONJUR_AUTHN_LOGIN=host/demo-app
CONJUR_AUTHN_API_KEY=smzqbc31zk7gh2svfv8h3cvzy9a2059c399366jgk651343de79z6
CONJUR_APPLIANCE_URL=http://cyberark_conjur_1/api
Note: you get all of the above variables once you complete the Conjur configuration described in step 2.
4- In your Spring Boot app you can fetch the DB credentials using Conjur instead of having them hardcoded in your application.properties/yml, as follows:
    import javax.sql.DataSource;
    import net.conjur.api.Conjur;
    import org.springframework.beans.factory.annotation.Value;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.jdbc.datasource.DriverManagerDataSource;

    @Configuration
    public class DataSourceConfig {

        // Conjur host identity and API key, resolved from the CONJUR_* environment variables set in step 3
        @Value("${CONJUR_AUTHN_LOGIN}")
        private String conjurHostId;
        @Value("${CONJUR_AUTHN_API_KEY}")
        private String conjurAPIKey;

        // Non-secret datasource settings still come from application.properties/yml
        @Value("${spring.datasource.url}")
        private String datasourceUrl;
        @Value("${spring.datasource.driver-class-name}")
        private String datasourceDriverClass;

        @Bean
        public DataSource dataSource() {
            // Authenticate to Conjur as the host and fetch the DB username and password at startup
            Conjur conjur = new Conjur(conjurHostId, conjurAPIKey);
            String datasourceUsername = conjur.variables().retrieveSecret("db/username");
            String datasourcePassword = conjur.variables().retrieveSecret("db/password");

            DriverManagerDataSource dataSource = new DriverManagerDataSource();
            dataSource.setUsername(datasourceUsername);
            dataSource.setPassword(datasourcePassword);
            dataSource.setUrl(datasourceUrl);
            dataSource.setDriverClassName(datasourceDriverClass);
            return dataSource;
        }
    }
After that you can run your Spring Boot app and it will authenticate with Conjur and get the DB username and password.
If you have saved other secrets in the Conjur server, you can access them as:
    import java.util.Optional;
    import net.conjur.api.Conjur;

    // new Conjur() reads CONJUR_ACCOUNT, CONJUR_AUTHN_LOGIN, CONJUR_AUTHN_API_KEY and
    // CONJUR_APPLIANCE_URL from the environment variables set in step 3
    public Optional<String> findSecret(final String secretKey) {
        try {
            Conjur conjur = new Conjur();
            String secretFound = conjur.variables().retrieveSecret(secretKey);
            return Optional.ofNullable(secretFound);
        } catch (Exception e) {
            e.printStackTrace();
            // keep the original exception as the cause so the stack trace is not lost
            throw new IllegalArgumentException(e.getMessage(), e);
        }
    }
I cannot use CyberArk with Spring Cloud Vault. With Spring Cloud Vault you have a better abstraction of Vault, but unfortunately only HashiCorp Vault is supported (AFAIK).
Any other suggestion would be much appreciated.
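A way to get closer to the abstraction the question asks for, as an added example that is not part of the answer above or of the Conjur project's code: an EnvironmentPostProcessor resolves the secrets from Conjur at startup and exposes them as spring.datasource.username/password, so Spring Boot's DataSource auto-configuration works unchanged and the API key never has to be injected into a bean with @Value. Assumed: the hypothetical package and class names, the Conjur variable ids db/username and db/password, and registration through META-INF/spring.factories.

```java
// Added example, not the answer's code. Register it in src/main/resources/META-INF/spring.factories:
//   org.springframework.boot.env.EnvironmentPostProcessor=com.example.conjur.ConjurSecretsEnvironmentPostProcessor
package com.example.conjur; // hypothetical package

import java.util.HashMap;
import java.util.Map;
import net.conjur.api.Conjur;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.env.EnvironmentPostProcessor;
import org.springframework.core.env.ConfigurableEnvironment;
import org.springframework.core.env.MapPropertySource;

public class ConjurSecretsEnvironmentPostProcessor implements EnvironmentPostProcessor {

    // Spring property name -> Conjur variable id (assumed ids; extend for other secrets)
    private static final Map<String, String> SECRET_IDS = Map.of(
            "spring.datasource.username", "db/username",
            "spring.datasource.password", "db/password");

    @Override
    public void postProcessEnvironment(ConfigurableEnvironment env, SpringApplication app) {
        // Conjur() reads CONJUR_ACCOUNT, CONJUR_AUTHN_LOGIN, CONJUR_AUTHN_API_KEY and
        // CONJUR_APPLIANCE_URL from the environment, so no bean field ever holds the API key
        Conjur conjur = new Conjur();
        Map<String, Object> resolved = new HashMap<>();
        for (Map.Entry<String, String> entry : SECRET_IDS.entrySet()) {
            String value = conjur.variables().retrieveSecret(entry.getValue());
            if (value == null || value.isEmpty()) {
                // Fail fast: starting with an empty credential only moves the failure to the first DB call
                throw new IllegalStateException("Conjur secret is missing or empty: " + entry.getValue());
            }
            resolved.put(entry.getKey(), value);
        }
        // addFirst gives the Conjur values precedence over application.properties/yml,
        // so a leftover hardcoded password there can no longer win
        env.getPropertySources().addFirst(new MapPropertySource("conjurSecrets", resolved));
    }
}
```

Logging is not initialised yet when an EnvironmentPostProcessor runs, which is also why the secret values are never printed here.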