How to Isolate Database Credentials in Spring Boot Using Vault


Data privacy and security became critical nowadays. Thus, we need to isolate database credentials and make it transparent to our applications/services.

Sharing is caring!

Overview

In my old post, I wrote about encrypting database credentials using Jasypt. But we still keep encrypted values on properties file. Which means, at some point, developers can decrypt the value and read those credentials.

But..

How about making it truly transparent from application perspective? What I mean by transparent is; the application does not know anything about the credentials. Therefore, in this blog post, I would like to share about securing your database credentials from application point of view.

I will use Hashicorp Vault as a secret management tools. All database credentials will be stored inside Vault, and I will retrieve those credentials while bootstrapping the application.

Use Case

In this use case, I will create a service and I name it as pg_service_1. The service itself will connect to postgres database, just like any ordinary service. However, the difference is, I will not put any database credentials configuration inside properties file. Instead, they will be kept inside Vault.

pg_service_1 will pass the initial token with certain validity period to Vault. Next, by using AppRole authentication mode, the service will retrieve the database credentials during the application start up, using pull secret ID mode. Then the Dummy Service will connect to the database and continue ready to serve requests.

For this purpose, I will have two personas, which are admin and app (pg_service_1).

isolate
vault-spring-boot

Admin

Step 1: Enable AppRole Authentication and Create Vault Policy

Step 2: Write AppRole for pg_service_1

Step 3: Store KV Data

Step 4: Generate Init Token and Pass It to App

App

For App, I will use Spring Boot as our pg_service_1.

Step 1: Add vault dependencies in pom.xml

Step 2: application.yml

Please note I exclude url, username and password under spring.datasouce key.

Step 3: Configure Spring Vault

AppRole authentication with PULL mechanism.

Step 4: Reconfigure Datasource Configuration

Note: set as @Primary bean, extends DataSourceProperties class and override afterPropertiesSet method.

Step 5: Start Application Using Init Token from Admin-Step 4

The service should be up and running; with connection to postgres database.

Conclusion

By using this kind of database credentials isolation, we can make sure only certain people who have access to the credentials. This approach will make your IT ecosystem more secure, audit-able and controllable related user access to production database.

That’s all for now, and source code is in my github repository.

Author: ru rocker

I am a professional software developer with more than 10 years experiences. I am a certified Java Developer (SCJP and SCWCD). However, In the recent months, I have more interest in DevOps and start to become a polyglot developer. Python and Go-lang become my favorite programming languages besides Java.

Leave a Reply

Your email address will not be published. Required fields are marked *