(window.webpackJsonp=window.webpackJsonp||[]).push([[340],{772:function(e,t,n){"use strict";n.r(t);var a=n(56),o=Object(a.a)({},(function(){var e=this,t=e.$createElement,n=e._self._c||t;return n("ContentSlotsDistributor",{attrs:{"slot-key":e.$parent.slotKey}},[n("h1",{attrs:{id:"spring-vault-reference-documentation"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#spring-vault-reference-documentation"}},[e._v("#")]),e._v(" Spring Vault - Reference Documentation")]),e._v(" "),n("h1",{attrs:{id:"preface"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#preface"}},[e._v("#")]),e._v(" Preface")]),e._v(" "),n("p",[e._v('The Spring Vault project applies core Spring concepts to the development of solutions using HashiCorp Vault. We provide a "template" as a high-level abstraction for storing and querying documents. You will notice similarities to the REST support in the Spring Framework.')]),e._v(" "),n("p",[e._v("This document is the reference guide for Spring Vault. It explains Vault concepts and semantics and the syntax.")]),e._v(" "),n("p",[e._v("This part of the reference documentation explains the core functionality offered by Spring Vault.")]),e._v(" "),n("p",[n("a",{attrs:{href:"#vault.core"}},[e._v("Vault support")]),e._v(" introduces the Vault module feature set.")]),e._v(" "),n("h2",{attrs:{id:"_1-document-structure"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#_1-document-structure"}},[e._v("#")]),e._v(" 1. Document Structure")]),e._v(" "),n("p",[e._v("This section provides basic introduction to Spring and Vault.\nIt contains details about following development and how to get support.")]),e._v(" "),n("p",[e._v("The rest of the document refers to Spring Vault features and assumes\nthe user is familiar with "),n("a",{attrs:{href:"https://www.vaultproject.io",target:"_blank",rel:"noopener noreferrer"}},[e._v("HashiCorp Vault"),n("OutboundLink")],1),e._v("as well as Spring concepts.")]),e._v(" "),n("h2",{attrs:{id:"_2-knowing-spring"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#_2-knowing-spring"}},[e._v("#")]),e._v(" 2. Knowing Spring")]),e._v(" "),n("p",[e._v("Spring Vault uses Spring framework’s "),n("a",{attrs:{href:"https://docs.spring.io/spring/docs/5.3.4/spring-framework-reference/core.html",target:"_blank",rel:"noopener noreferrer"}},[e._v("core"),n("OutboundLink")],1),e._v(" functionality, such as "),n("a",{attrs:{href:"https://docs.spring.io/spring/docs/5.3.4/spring-framework-reference//core.html",target:"_blank",rel:"noopener noreferrer"}},[e._v("IoC"),n("OutboundLink")],1),e._v(" container. While it is not important to know the Spring APIs, understanding the concepts behind them is. At a minimum, the idea behind IoC should be familiar for whatever IoC container you choose to use.")]),e._v(" "),n("p",[e._v("The core functionality of the Vault support can be used directly, with no need to invoke the IoC services of the Spring Container. This is much like "),n("code",[e._v("RestTemplate")]),e._v(" which can be used 'standalone' without any other services of the Spring container. To leverage all the features of Spring Vault document, such as the session support, you will need to configure some parts of the library using Spring.")]),e._v(" "),n("p",[e._v("To learn more about Spring, you can refer to the comprehensive (and sometimes disarming) documentation that explains in detail the Spring Framework. There are a lot of articles, blog entries and books on the matter - take a look at the Spring framework "),n("a",{attrs:{href:"https://spring.io/docs",target:"_blank",rel:"noopener noreferrer"}},[e._v("home page "),n("OutboundLink")],1),e._v(" for more information.")]),e._v(" "),n("h2",{attrs:{id:"_3-knowing-vault"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#_3-knowing-vault"}},[e._v("#")]),e._v(" 3. Knowing Vault")]),e._v(" "),n("p",[e._v("Security and working with secrets is a concern of every developer working with databases, user credentials or API keys. Vault steps in by providing a secure storage combined with access control, revocation, key rolling and auditing. In short: Vault is a service for securely accessing and storing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more.")]),e._v(" "),n("p",[e._v("The jumping off ground for learning about Vault is "),n("a",{attrs:{href:"https://www.vaultproject.io",target:"_blank",rel:"noopener noreferrer"}},[e._v("www.vaultproject.io"),n("OutboundLink")],1),e._v(". Here is a list of useful resources:")]),e._v(" "),n("ul",[n("li",[n("p",[e._v("The manual introduces Vault and contains links to getting started guides, reference documentation and tutorials.")])]),e._v(" "),n("li",[n("p",[e._v("The online shell provides a convenient way to interact with a Vault instance in combination with the online tutorial.")])]),e._v(" "),n("li",[n("p",[n("a",{attrs:{href:"https://www.vaultproject.io/intro/index.html",target:"_blank",rel:"noopener noreferrer"}},[e._v("HashiCorp Vault Introduction"),n("OutboundLink")],1)])]),e._v(" "),n("li",[n("p",[n("a",{attrs:{href:"https://www.vaultproject.io/docs/index.html",target:"_blank",rel:"noopener noreferrer"}},[e._v("HashiCorp Vault Documentation"),n("OutboundLink")],1)])])]),e._v(" "),n("p",[e._v("Spring Vault provides client-side support for accessing, storing and revoking secrets.\nWith "),n("a",{attrs:{href:"https://www.vaultproject.io",target:"_blank",rel:"noopener noreferrer"}},[e._v("HashiCorp’s Vault"),n("OutboundLink")],1),e._v(" you have a central place to\nmanage external secret data for applications across all environments.\nVault can manage static and dynamic secrets such as application data,\nusername/password for remote applications/resources and provide credentials\nfor external services such as MySQL, PostgreSQL, Apache Cassandra, Consul, AWS and more.")]),e._v(" "),n("h2",{attrs:{id:"_4-requirements"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#_4-requirements"}},[e._v("#")]),e._v(" 4. Requirements")]),e._v(" "),n("p",[e._v("Spring Vault 2.x binaries requires JDK level 8.0 and above, and "),n("a",{attrs:{href:"https://spring.io/docs",target:"_blank",rel:"noopener noreferrer"}},[e._v("Spring Framework"),n("OutboundLink")],1),e._v(" 5.3.4 and above.")]),e._v(" "),n("p",[e._v("In terms of Vault, "),n("a",{attrs:{href:"https://www.vaultproject.io/",target:"_blank",rel:"noopener noreferrer"}},[e._v("Vault"),n("OutboundLink")],1),e._v(" at least 0.6.")]),e._v(" "),n("h2",{attrs:{id:"_5-additional-help-resources"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#_5-additional-help-resources"}},[e._v("#")]),e._v(" 5. Additional Help Resources")]),e._v(" "),n("p",[e._v("Learning a new framework is not always straight forward. In this section, we try to provide what we think is an easy to follow guide for starting with Spring Vault module. However, if you encounter issues or you are just looking for advice, feel free to use one of the links below:")]),e._v(" "),n("h3",{attrs:{id:"_5-1-support"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#_5-1-support"}},[e._v("#")]),e._v(" 5.1. Support")]),e._v(" "),n("p",[e._v("There are a few support options available:")]),e._v(" "),n("h4",{attrs:{id:"_5-1-1-community-forum"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#_5-1-1-community-forum"}},[e._v("#")]),e._v(" 5.1.1. Community Forum")]),e._v(" "),n("p",[e._v("Post questions questions regarding Spring Vault on "),n("a",{attrs:{href:"https://stackoverflow.com/questions/tagged/spring-vault",target:"_blank",rel:"noopener noreferrer"}},[e._v("Stackoverflow"),n("OutboundLink")],1),e._v(" to share information and help each other. Note that registration is needed "),n("strong",[e._v("only")]),e._v(" for posting.")]),e._v(" "),n("h4",{attrs:{id:"_5-1-2-professional-support"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#_5-1-2-professional-support"}},[e._v("#")]),e._v(" 5.1.2. Professional Support")]),e._v(" "),n("p",[e._v("Professional, from-the-source support, with guaranteed response time, is available from "),n("a",{attrs:{href:"https://pivotal.io/",target:"_blank",rel:"noopener noreferrer"}},[e._v("Pivotal Sofware, Inc."),n("OutboundLink")],1),e._v(", the company behind Spring Vault and Spring.")]),e._v(" "),n("h3",{attrs:{id:"_5-2-following-development"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#_5-2-following-development"}},[e._v("#")]),e._v(" 5.2. Following Development")]),e._v(" "),n("p",[e._v("For information on the Spring Vault source code repository, nightly builds and snapshot artifacts please see the "),n("a",{attrs:{href:"https://projects.spring.io/spring-vault/",target:"_blank",rel:"noopener noreferrer"}},[e._v("Spring Vault homepage"),n("OutboundLink")],1),e._v(". You can help make Spring Vault best serve the needs of the Spring community by interacting with developers through the Community on "),n("a",{attrs:{href:"https://stackoverflow.com/questions/tagged/spring-vault",target:"_blank",rel:"noopener noreferrer"}},[e._v("Stackoverflow"),n("OutboundLink")],1),e._v(". If you encounter a bug or want to suggest an improvement, please create a ticket on the Spring Vault issue "),n("a",{attrs:{href:"https://github.com/spring-projects/spring-vault/issues",target:"_blank",rel:"noopener noreferrer"}},[e._v("tracker"),n("OutboundLink")],1),e._v(". To stay up to date with the latest news and announcements in the Spring ecosystem, subscribe to the Spring Community "),n("a",{attrs:{href:"https://spring.io",target:"_blank",rel:"noopener noreferrer"}},[e._v("Portal"),n("OutboundLink")],1),e._v(". Lastly, you can follow the Spring "),n("a",{attrs:{href:"https://spring.io/blog",target:"_blank",rel:"noopener noreferrer"}},[e._v("blog "),n("OutboundLink")],1),e._v("or the project team on Twitter ("),n("a",{attrs:{href:"https://twitter.com/springcentral",target:"_blank",rel:"noopener noreferrer"}},[e._v("SpringCentral"),n("OutboundLink")],1),e._v(").")]),e._v(" "),n("h2",{attrs:{id:"_6-new-noteworthy"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#_6-new-noteworthy"}},[e._v("#")]),e._v(" 6. New & Noteworthy")]),e._v(" "),n("h3",{attrs:{id:"_6-1-what-s-new-in-spring-vault-2-3"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#_6-1-what-s-new-in-spring-vault-2-3"}},[e._v("#")]),e._v(" 6.1. What’s new in Spring Vault 2.3")]),e._v(" "),n("ul",[n("li",[n("p",[e._v("Support for PEM-encoded certificates for keystore and truststore usage.")])]),e._v(" "),n("li",[n("p",[n("code",[e._v("ReactiveVaultEndpointProvider")]),e._v(" for non-blocking lookup of "),n("code",[e._v("VaultEndpoint")]),e._v(".")])]),e._v(" "),n("li",[n("p",[n("code",[e._v("VaultKeyValueMetadataOperations")]),e._v(" for Key-Value metadata interaction.")])]),e._v(" "),n("li",[n("p",[e._v("Support for "),n("code",[e._v("transform")]),e._v(" backend (Enterprise Feature).")])]),e._v(" "),n("li",[n("p",[e._v("Documentation of "),n("a",{attrs:{href:"#vault.core.secret-engines"}},[e._v("how to use Vault secret backends")]),e._v(".")])]),e._v(" "),n("li",[n("p",[e._v("Login credentials for Kubernetes and PCF authentication are reloaded for each login attempt.")])]),e._v(" "),n("li",[n("p",[n("code",[e._v("SecretLeaseContainer")]),e._v(" publishes "),n("code",[e._v("SecretLeaseRotatedEvent")]),e._v(" instead of "),n("code",[e._v("SecretLeaseExpiredEvent")]),e._v(" and "),n("code",[e._v("SecretLeaseCreatedEvent")]),e._v(" on successful secret rotation.")])]),e._v(" "),n("li",[n("p",[n("code",[e._v("AbstractVaultConfiguration.threadPoolTaskScheduler()")]),e._v(" bean type changed to "),n("code",[e._v("TaskSchedulerWrapper")]),e._v(" instead of "),n("code",[e._v("ThreadPoolTaskScheduler")]),e._v(".")])])]),e._v(" "),n("h3",{attrs:{id:"_6-2-what-s-new-in-spring-vault-2-2"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#_6-2-what-s-new-in-spring-vault-2-2"}},[e._v("#")]),e._v(" 6.2. What’s new in Spring Vault 2.2")]),e._v(" "),n("ul",[n("li",[n("p",[e._v("Support for Key-Value v2 (versioned backend) secrets through "),n("code",[e._v("@VaultPropertySource")]),e._v(".")])]),e._v(" "),n("li",[n("p",[e._v("SpEL support in "),n("code",[e._v("@Secret")]),e._v(".")])]),e._v(" "),n("li",[n("p",[e._v("Add support for Jetty as reactive HttpClient.")])]),e._v(" "),n("li",[n("p",[n("code",[e._v("LifecycleAwareSessionManager")]),e._v(" and "),n("code",[e._v("ReactiveLifecycleAwareSessionManager")]),e._v(" emit now "),n("code",[e._v("AuthenticationEvent")]),e._v("s.")])]),e._v(" "),n("li",[n("p",[n("a",{attrs:{href:"#vault.authentication.pcf"}},[e._v("PCF authentication")]),e._v(".")])]),e._v(" "),n("li",[n("p",[e._v("Deprecation of "),n("code",[e._v("AppIdAuthentication")]),e._v(".\nUse "),n("code",[e._v("AppRoleAuthentication")]),e._v(" instead as recommended by HashiCorp Vault.")])]),e._v(" "),n("li",[n("p",[n("code",[e._v("CubbyholeAuthentication")]),e._v(" and wrapped "),n("code",[e._v("AppRoleAuthentication")]),e._v(" now use "),n("code",[e._v("sys/wrapping/unwrap")]),e._v(" endpoints by default.")])]),e._v(" "),n("li",[n("p",[e._v("Kotlin Coroutines support for "),n("code",[e._v("ReactiveVaultOperations")]),e._v(".")])])]),e._v(" "),n("h3",{attrs:{id:"_6-3-what-s-new-in-spring-vault-2-1"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#_6-3-what-s-new-in-spring-vault-2-1"}},[e._v("#")]),e._v(" 6.3. What’s new in Spring Vault 2.1")]),e._v(" "),n("ul",[n("li",[n("p",[n("a",{attrs:{href:"#vault.authentication.gcpgce"}},[e._v("GCP Compute")]),e._v(", "),n("a",{attrs:{href:"#vault.authentication.gcpiam"}},[e._v("GCP IAM")]),e._v(", and "),n("a",{attrs:{href:"#vault.authentication.azuremsi"}},[e._v("Azure")]),e._v(" authentication.")])]),e._v(" "),n("li",[n("p",[e._v("Template API support for versioned and unversioned Key/Value backends and for Vault wrapping operations.")])]),e._v(" "),n("li",[n("p",[e._v("Support full pull mode in reactive AppRole authentication.")])]),e._v(" "),n("li",[n("p",[e._v("Improved Exception hierarchy for Vault login failures.")])])]),e._v(" "),n("h3",{attrs:{id:"_6-4-what-s-new-in-spring-vault-2-0"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#_6-4-what-s-new-in-spring-vault-2-0"}},[e._v("#")]),e._v(" 6.4. What’s new in Spring Vault 2.0")]),e._v(" "),n("ul",[n("li",[n("p",[e._v("Authentication steps DSL to "),n("a",{attrs:{href:"#vault.authentication.steps"}},[e._v("compose authentication flows")]),e._v(".")])]),e._v(" "),n("li",[n("p",[n("a",{attrs:{href:"#vault.core.reactive.template"}},[e._v("Reactive Vault client")]),e._v(" via "),n("code",[e._v("ReactiveVaultOperations")]),e._v(".")])]),e._v(" "),n("li",[n("p",[n("a",{attrs:{href:"#vault.repositories"}},[e._v("Vault repository support")]),e._v(" based on Spring Data KeyValue.")])]),e._v(" "),n("li",[n("p",[e._v("Transit batch encrypt and decrypt support.")])]),e._v(" "),n("li",[n("p",[e._v("Policy management for policies stored as JSON.")])]),e._v(" "),n("li",[n("p",[e._v("Support CSR signing, certificate revocation and CRL retrieval.")])]),e._v(" "),n("li",[n("p",[n("a",{attrs:{href:"#vault.authentication.kubernetes"}},[e._v("Kubernetes authentication")]),e._v(".")])]),e._v(" "),n("li",[n("p",[e._v("RoleId/SecretId unwrapping for "),n("a",{attrs:{href:"#vault.authentication.approle"}},[e._v("AppRole authentication")]),e._v(".")])]),e._v(" "),n("li",[n("p",[n("a",{attrs:{href:"#vault.misc.spring-security"}},[e._v("Spring Security integration")]),e._v(" with transit backend-based "),n("code",[e._v("BytesKeyGenerator")]),e._v(" and "),n("code",[e._v("BytesEncryptor")]),e._v(".")])])]),e._v(" "),n("h3",{attrs:{id:"_6-5-what-s-new-in-spring-vault-1-1-0"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#_6-5-what-s-new-in-spring-vault-1-1-0"}},[e._v("#")]),e._v(" 6.5. What’s new in Spring Vault 1.1.0")]),e._v(" "),n("ul",[n("li",[n("p",[n("a",{attrs:{href:"#vault.authentication.awsiam"}},[e._v("AWS IAM authentication")]),e._v(".")])]),e._v(" "),n("li",[n("p",[e._v("Configuration of encryption/decryption versions for transit keys.")])]),e._v(" "),n("li",[n("p",[e._v("Pull mode for "),n("a",{attrs:{href:"#vault.authentication.approle"}},[e._v("AppRole authentication")]),e._v(".")])]),e._v(" "),n("li",[n("p",[e._v("Transit batch encrypt and decrypt support.")])]),e._v(" "),n("li",[n("p",[e._v("TTL-based generic secret rotation.")])])]),e._v(" "),n("h3",{attrs:{id:"_6-6-what-s-new-in-spring-vault-1-0"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#_6-6-what-s-new-in-spring-vault-1-0"}},[e._v("#")]),e._v(" 6.6. What’s new in Spring Vault 1.0")]),e._v(" "),n("ul",[n("li",[e._v("Initial Vault support.")])]),e._v(" "),n("h1",{attrs:{id:"reference-documentation"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#reference-documentation"}},[e._v("#")]),e._v(" Reference documentation")]),e._v(" "),n("h2",{attrs:{id:"_7-vault-support"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#_7-vault-support"}},[e._v("#")]),e._v(" 7. Vault support")]),e._v(" "),n("p",[e._v("The Vault support contains a wide range of features which are summarized below.")]),e._v(" "),n("ul",[n("li",[n("p",[e._v("Spring configuration support using Java based @Configuration classes")])]),e._v(" "),n("li",[n("p",[n("code",[e._v("VaultTemplate")]),e._v(" helper class that increases productivity performing common\nVault operations. Includes integrated object mapping between Vault responses and POJOs.")])])]),e._v(" "),n("p",[e._v("For most tasks, you will find yourself using "),n("code",[e._v("VaultTemplate")]),e._v(" that leverages the\nrich communication functionality. "),n("code",[e._v("VaultTemplate")]),e._v(" is the place to look for\naccessing functionality such as reading data from Vault or issuing\nadministrative commands. "),n("code",[e._v("VaultTemplate")]),e._v(" also provides callback methods so that it is easy for you to\nget a hold of the low-level API artifacts such as "),n("code",[e._v("RestTemplate")]),e._v(" to communicate\ndirectly with Vault.")]),e._v(" "),n("h3",{attrs:{id:"_7-1-dependencies"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#_7-1-dependencies"}},[e._v("#")]),e._v(" 7.1. Dependencies")]),e._v(" "),n("p",[e._v("The easiest way to find compatible versions of Spring Vault dependencies is by relying on the Spring Vault BOM we ship with the compatible versions defined.\nIn a Maven project you would declare this dependency in the"),n("code",[e._v("")]),e._v(" section of your "),n("code",[e._v("pom.xml")]),e._v(":")]),e._v(" "),n("p",[e._v("Example 1. Using the Spring Vault BOM")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("\n \n \n org.springframework.vault\n spring-vault-dependencies\n 2.3.1\n import\n pom\n \n \n\n")])])]),n("p",[e._v("The current version is "),n("code",[e._v("2.3.1")]),e._v(".\nThe version name follows the following patterns: "),n("code",[e._v("${version}")]),e._v(" for GA and service releases and "),n("code",[e._v("${version}-${release}")]),e._v(" for snapshots and milestones. "),n("code",[e._v("release")]),e._v(" can be one of the following:")]),e._v(" "),n("ul",[n("li",[n("p",[n("code",[e._v("SNAPSHOT")]),e._v(" - current snapshots")])]),e._v(" "),n("li",[n("p",[n("code",[e._v("M1")]),e._v(", "),n("code",[e._v("M2")]),e._v(" etc. - milestones")])]),e._v(" "),n("li",[n("p",[n("code",[e._v("RC1")]),e._v(", "),n("code",[e._v("RC2")]),e._v(" etc. - release candidates")])])]),e._v(" "),n("p",[e._v("Example 2. Declaring a dependency to Spring Vault")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("\n \n org.springframework.vault\n spring-vault-core\n \n\n")])])]),n("h3",{attrs:{id:"_7-2-spring-framework"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#_7-2-spring-framework"}},[e._v("#")]),e._v(" 7.2. Spring Framework")]),e._v(" "),n("p",[e._v("The current version of Spring Vault requires Spring Framework in version\n5.3.4 or better.\nThe modules might also work with an older bugfix version of that minor version.\nHowever, using the most recent version within that generation is highly recommended.")]),e._v(" "),n("h2",{attrs:{id:"_8-getting-started"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#_8-getting-started"}},[e._v("#")]),e._v(" 8. Getting Started")]),e._v(" "),n("p",[e._v("Spring Vault support requires Vault 0.6 or higher and Java SE 6 or higher.\nAn easy way to bootstrap setting up a working environment is to create a\nSpring based project in "),n("a",{attrs:{href:"https://spring.io/tools/sts",target:"_blank",rel:"noopener noreferrer"}},[e._v("STS"),n("OutboundLink")],1),e._v(".")]),e._v(" "),n("p",[e._v("First you need to set up a running Vault server.\nRefer to the "),n("a",{attrs:{href:"https://www.vaultproject.io/intro/",target:"_blank",rel:"noopener noreferrer"}},[e._v("Vault"),n("OutboundLink")],1),e._v(" for an explanation on how to startup a Vault instance.")]),e._v(" "),n("p",[e._v("To create a Spring project in STS go to File → New →\nSpring Template Project → Simple Spring Utility Project →\npress Yes when prompted. Then enter a project and a package name such as "),n("code",[e._v("org.spring.vault.example")]),e._v(".")]),e._v(" "),n("p",[e._v("Then add the following to "),n("code",[e._v("pom.xml")]),e._v(" dependencies section.")]),e._v(" "),n("p",[e._v("Example 3. Adding Spring Vault dependency")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("\n\n \x3c!-- other dependency elements omitted --\x3e\n\n \n org.springframework.vault\n spring-vault-core\n 2.3.1\n \n\n\n")])])]),n("p",[e._v("If you are using a milestone or release candidate, you will also need to add the location of the Spring\nMilestone repository to your maven "),n("code",[e._v("pom.xml")]),e._v(" which is at the same level of your "),n("code",[e._v("")]),e._v(" element.")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("\n \n spring-milestone\n Spring Maven MILESTONE Repository\n https://repo.spring.io/libs-milestone\n \n\n")])])]),n("p",[e._v("The repository is also "),n("a",{attrs:{href:"https://repo.spring.io/milestone/org/springframework/vault/",target:"_blank",rel:"noopener noreferrer"}},[e._v("browseable here"),n("OutboundLink")],1),e._v(".")]),e._v(" "),n("p",[e._v("If you are using a SNAPSHOT, you will also need to add the location of the Spring\nSnapshot repository to your maven "),n("code",[e._v("pom.xml")]),e._v(" which is at the same level of your "),n("code",[e._v("")]),e._v(" element.")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("\n \n spring-snapshot\n Spring Maven SNAPSHOT Repository\n https://repo.spring.io/libs-snapshot\n \n\n")])])]),n("p",[e._v("The repository is also "),n("a",{attrs:{href:"https://repo.spring.io/snapshot/org/springframework/vault/",target:"_blank",rel:"noopener noreferrer"}},[e._v("browseable here"),n("OutboundLink")],1),e._v(".")]),e._v(" "),n("p",[e._v("Create a simple "),n("code",[e._v("Secrets")]),e._v(" class to persist:")]),e._v(" "),n("p",[e._v("Example 4. Mapped data object")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("package org.spring.vault.example;\n\npublic class Secrets {\n\n String username;\n String password;\n\n public String getUsername() {\n return username;\n }\n\n public String getPassword() {\n return password;\n }\n}\n")])])]),n("p",[e._v("And a main application to run")]),e._v(" "),n("p",[e._v("Example 5. Example application using Spring Vault")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('package org.springframework.vault.example;\n\nimport org.springframework.vault.authentication.TokenAuthentication;\nimport org.springframework.vault.client.VaultEndpoint;\nimport org.springframework.vault.core.VaultTemplate;\nimport org.springframework.vault.support.VaultResponseSupport;\n\npublic class VaultApp {\n\n public static void main(String[] args) {\n\n VaultTemplate vaultTemplate = new VaultTemplate(new VaultEndpoint(),\n new TokenAuthentication("00000000-0000-0000-0000-000000000000"));\n\n Secrets secrets = new Secrets();\n secrets.username = "hello";\n secrets.password = "world";\n\n vaultTemplate.write("secret/myapp", secrets);\n\n VaultResponseSupport response = vaultTemplate.read("secret/myapp", Secrets.class);\n System.out.println(response.getData().getUsername());\n\n vaultTemplate.delete("secret/myapp");\n }\n}\n')])])]),n("p",[e._v("Even in this simple example, there are few things to take notice of")]),e._v(" "),n("ul",[n("li",[n("p",[e._v("You can instantiate the central class of Spring Vault,"),n("a",{attrs:{href:"#vault.core.template"}},[n("code",[e._v("VaultTemplate")])]),e._v(", using the "),n("code",[e._v("org.springframework.vault.client.VaultEndpoint")]),e._v("object and the "),n("code",[e._v("ClientAuthentication")]),e._v(".\nYou are not required to spin up a Spring Context to use Spring Vault.")])]),e._v(" "),n("li",[n("p",[e._v("Vault is expected to be configured with a root token of"),n("code",[e._v("00000000-0000-0000-0000-000000000000")]),e._v(" to run this application.")])]),e._v(" "),n("li",[n("p",[e._v("The mapper works against standard POJO objects without the need for any\nadditional metadata (though you can optionally provide that information).")])]),e._v(" "),n("li",[n("p",[e._v("Mapping conventions can use field access. Notice the "),n("code",[e._v("Secrets")]),e._v(" class has only getters.")])]),e._v(" "),n("li",[n("p",[e._v("If the constructor argument names match the field names of the stored document,\nthey will be used to instantiate the object.")])])]),e._v(" "),n("h2",{attrs:{id:"_9-introduction-to-vaulttemplate"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#_9-introduction-to-vaulttemplate"}},[e._v("#")]),e._v(" 9. Introduction to VaultTemplate")]),e._v(" "),n("p",[e._v("The class "),n("code",[e._v("VaultTemplate")]),e._v(", located in the package "),n("code",[e._v("org.springframework.vault.core")]),e._v(",\nis the central class of the Spring’s Vault support providing a rich feature set to\ninteract with Vault. The template offers convenience operations to read, write and\ndelete data in Vault and provides a mapping between your domain objects and Vault data.")]),e._v(" "),n("table",[n("thead",[n("tr",[n("th"),e._v(" "),n("th",[e._v("Once configured, "),n("code",[e._v("VaultTemplate")]),e._v(" is thread-safe and can be reused across"),n("br"),e._v("multiple instances.")])])]),e._v(" "),n("tbody")]),e._v(" "),n("p",[e._v("The mapping between Vault documents and domain classes is done by delegating to"),n("code",[e._v("RestTemplate")]),e._v(". Spring Web support provides the mapping infrastructure.")]),e._v(" "),n("p",[e._v("The "),n("code",[e._v("VaultTemplate")]),e._v(" class implements the interface "),n("code",[e._v("VaultOperations")]),e._v(".\nIn as much as possible, the methods on "),n("code",[e._v("VaultOperations")]),e._v(' are named after methods\navailable on the Vault API to make the API familiar to existing Vault developers\nwho are used to the API and CLI. For example, you will find methods such as\n"write", "delete", "read", and "revoke".\nThe design goal was to make it as easy as possible to transition between\nthe use of the Vault API and '),n("code",[e._v("VaultOperations")]),e._v(". A major difference in between\nthe two APIs is that "),n("code",[e._v("VaultOperations")]),e._v(" can be passed domain objects instead of\nJSON Key-Value pairs.")]),e._v(" "),n("table",[n("thead",[n("tr",[n("th"),e._v(" "),n("th",[e._v("The preferred way to reference the operations on "),n("code",[e._v("VaultTemplate")]),e._v(" instance"),n("br"),e._v("is via its interface "),n("code",[e._v("VaultOperations")]),e._v(".")])])]),e._v(" "),n("tbody")]),e._v(" "),n("p",[e._v("While there are many convenience methods on "),n("code",[e._v("VaultTemplate")]),e._v(" to help you easily\nperform common tasks if you should need to access the Vault API directly to access\nfunctionality not explicitly exposed by the "),n("code",[e._v("VaultTemplate")]),e._v(" you can use one of\nseveral execute callback methods to access underlying APIs. The execute callbacks\nwill give you a reference to a "),n("code",[e._v("RestOperations")]),e._v(" object.\nPlease see the section "),n("a",{attrs:{href:"#vault.core.executioncallback"}},[e._v("Execution Callbacks")]),e._v(" for more information.")]),e._v(" "),n("p",[e._v("Now let’s look at a examples of how to work with Vault in the context of the Spring container.")]),e._v(" "),n("h3",{attrs:{id:"_9-1-registering-and-configuring-spring-vault-beans"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#_9-1-registering-and-configuring-spring-vault-beans"}},[e._v("#")]),e._v(" 9.1. Registering and configuring Spring Vault beans")]),e._v(" "),n("p",[e._v("Using Spring Vault does not require a Spring Context. However, instances of "),n("code",[e._v("VaultTemplate")]),e._v(" and "),n("code",[e._v("SessionManager")]),e._v(" registered inside a managed context will participate\nin "),n("a",{attrs:{href:"https://docs.spring.io/spring/docs/5.3.4/spring-framework-reference/core.html#beans-factory-nature",target:"_blank",rel:"noopener noreferrer"}},[e._v("lifecycle events"),n("OutboundLink")],1),e._v("provided by the Spring IoC container. This is useful to dispose active Vault sessions upon\napplication shutdown. You also benefit from reusing the same "),n("code",[e._v("VaultTemplate")]),e._v("instance across your application.")]),e._v(" "),n("p",[e._v("Spring Vault comes with a supporting configuration class that provides bean definitions\nfor use inside a Spring context. Application configuration\nclasses typically extend from "),n("code",[e._v("AbstractVaultConfiguration")]),e._v(" and are required to\nprovide additional details that are environment specific.")]),e._v(" "),n("p",[e._v("Extending from "),n("code",[e._v("AbstractVaultConfiguration")]),e._v(" requires to implement\n"),n("code",[e._v("VaultEndpoint vaultEndpoint()")]),e._v(" and "),n("code",[e._v("ClientAuthentication clientAuthentication()")]),e._v("methods.")]),e._v(" "),n("p",[e._v("Example 6. Registering Spring Vault objects using Java based bean metadata")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('@Configuration\npublic class AppConfig extends AbstractVaultConfiguration {\n\n /**\n * Specify an endpoint for connecting to Vault.\n */\n @Override\n public VaultEndpoint vaultEndpoint() {\n return new VaultEndpoint(); (1)\n }\n\n /**\n * Configure a client authentication.\n * Please consider a more secure authentication method\n * for production use.\n */\n @Override\n public ClientAuthentication clientAuthentication() {\n return new TokenAuthentication("…"); (2)\n }\n}\n')])])]),n("table",[n("thead",[n("tr",[n("th",[n("strong",[e._v("1")])]),e._v(" "),n("th",[e._v("Create a new "),n("code",[e._v("VaultEndpoint")]),e._v(" that points by default to "),n("code",[e._v("https://localhost:8200")]),e._v(".")])])]),e._v(" "),n("tbody",[n("tr",[n("td",[n("strong",[e._v("2")])]),e._v(" "),n("td",[e._v("This sample uses "),n("code",[e._v("TokenAuthentication")]),e._v(" to get started quickly."),n("br"),e._v("See "),n("a",{attrs:{href:"#vault.core.authentication"}},[e._v("Authentication Methods")]),e._v(" for details on supported authentication methods.")])])])]),e._v(" "),n("p",[e._v("Example 7. Registering Spring Vault applying injected properties")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('@Configuration\npublic class AppConfig extends AbstractVaultConfiguration {\n\n @Value("${vault.uri}")\n URI vaultUri;\n\n /**\n * Specify an endpoint that was injected as URI.\n */\n @Override\n public VaultEndpoint vaultEndpoint() {\n return VaultEndpoint.from(vaultUri); (1)\n }\n\n /**\n * Configure a Client Certificate authentication.\n * {@link RestOperations} can be obtained from {@link #restOperations()}.\n */\n @Override\n public ClientAuthentication clientAuthentication() {\n return new ClientCertificateAuthentication(restOperations()); (2)\n }\n}\n')])])]),n("table",[n("thead",[n("tr",[n("th",[n("strong",[e._v("1")])]),e._v(" "),n("th",[n("code",[e._v("VaultEndpoint")]),e._v(" can be constructed using various factory methods such as"),n("code",[e._v("from(URI uri)")]),e._v(" or "),n("code",[e._v("VaultEndpoint.create(String host, int port)")]),e._v(".")])])]),e._v(" "),n("tbody",[n("tr",[n("td",[n("strong",[e._v("2")])]),e._v(" "),n("td",[e._v("Dependencies for "),n("code",[e._v("ClientAuthentication")]),e._v(" methods can be obtained either from"),n("code",[e._v("AbstractVaultConfiguration")]),e._v(" or provided by your configuration.")])])])]),e._v(" "),n("table",[n("thead",[n("tr",[n("th"),e._v(" "),n("th",[e._v("Creating a custom configuration class might be cumbersome in some cases."),n("br"),e._v("Take a look at "),n("code",[e._v("EnvironmentVaultConfiguration")]),e._v(" that allows configuration by using"),n("br"),e._v("properties from existing property sources and Spring’s "),n("code",[e._v("Environment")]),e._v(". Read more"),n("br"),e._v("in "),n("a",{attrs:{href:"#vault.core.environment-vault-configuration"}},[e._v("Using "),n("code",[e._v("EnvironmentVaultConfiguration")])]),e._v(".")])])]),e._v(" "),n("tbody")]),e._v(" "),n("h3",{attrs:{id:"_9-2-session-management"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#_9-2-session-management"}},[e._v("#")]),e._v(" 9.2. Session Management")]),e._v(" "),n("p",[e._v("Spring Vault requires a "),n("code",[e._v("ClientAuthentication")]),e._v(" to login and access Vault.\nSee "),n("a",{attrs:{href:"#vault.core.authentication"}},[e._v("Authentication Methods")]),e._v(" on details regarding authentication.\nVault login should not occur on each authenticated Vault interaction but\nmust be reused throughout a session. This aspect is handled by a"),n("code",[e._v("SessionManager")]),e._v(" implementation. A "),n("code",[e._v("SessionManager")]),e._v(" decides how often it\nobtains a token, about revocation and renewal. Spring Vault comes with two implementations:")]),e._v(" "),n("ul",[n("li",[n("p",[n("code",[e._v("SimpleSessionManager")]),e._v(": Just obtains tokens from the supplied"),n("code",[e._v("ClientAuthentication")]),e._v(" without refresh and revocation")])]),e._v(" "),n("li",[n("p",[n("code",[e._v("LifecycleAwareSessionManager")]),e._v(": This "),n("code",[e._v("SessionManager")]),e._v(" schedules token\nrenewal if a token is renewable and revoke a login token on disposal.\nRenewal is scheduled with an "),n("code",[e._v("AsyncTaskExecutor")]),e._v(". "),n("code",[e._v("LifecycleAwareSessionManager")]),e._v("is configured by default if using "),n("code",[e._v("AbstractVaultConfiguration")]),e._v(".")])])]),e._v(" "),n("h3",{attrs:{id:"_9-3-using-environmentvaultconfiguration"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#_9-3-using-environmentvaultconfiguration"}},[e._v("#")]),e._v(" 9.3. Using "),n("code",[e._v("EnvironmentVaultConfiguration")])]),e._v(" "),n("p",[e._v("Spring Vault includes "),n("code",[e._v("EnvironmentVaultConfiguration")]),e._v(" configure the Vault client from Spring’s "),n("code",[e._v("Environment")]),e._v(" and a set of predefined\nproperty keys. "),n("code",[e._v("EnvironmentVaultConfiguration")]),e._v(" supports frequently applied configurations. Other configurations are supported by deriving from the most appropriate configuration class. Include "),n("code",[e._v("EnvironmentVaultConfiguration")]),e._v(" with "),n("code",[e._v("@Import(EnvironmentVaultConfiguration.class)")]),e._v(" to existing\nJava-based configuration classes and supply configuration properties through any of Spring’s "),n("code",[e._v("PropertySource")]),e._v("s.")]),e._v(" "),n("p",[e._v("Example 8. Using EnvironmentVaultConfiguration with a property file")]),e._v(" "),n("p",[e._v("Java-based configuration class")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('@PropertySource("vault.properties")\n@Import(EnvironmentVaultConfiguration.class)\npublic class MyConfiguration{\n}\n')])])]),n("p",[e._v("vault.properties")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("vault.uri=https://localhost:8200\nvault.token=00000000-0000-0000-0000-000000000000\n")])])]),n("p",[n("strong",[e._v("Property keys")])]),e._v(" "),n("ul",[n("li",[n("p",[e._v("Vault URI: "),n("code",[e._v("vault.uri")])])]),e._v(" "),n("li",[n("p",[e._v("SSL Configuration")]),e._v(" "),n("ul",[n("li",[n("p",[e._v("Keystore resource: "),n("code",[e._v("vault.ssl.key-store")]),e._v(" (optional)")])]),e._v(" "),n("li",[n("p",[e._v("Keystore password: "),n("code",[e._v("vault.ssl.key-store-password")]),e._v(" (optional)")])]),e._v(" "),n("li",[n("p",[e._v("Keystore type: "),n("code",[e._v("vault.ssl.key-store-type")]),e._v(" (optional, typically "),n("code",[e._v("jks")]),e._v(", supports also "),n("code",[e._v("pem")]),e._v(")")])]),e._v(" "),n("li",[n("p",[e._v("Truststore resource: "),n("code",[e._v("vault.ssl.trust-store")]),e._v(" (optional)")])]),e._v(" "),n("li",[n("p",[e._v("Truststore password: "),n("code",[e._v("vault.ssl.trust-store-password")]),e._v(" (optional)")])]),e._v(" "),n("li",[n("p",[e._v("Truststore type: "),n("code",[e._v("vault.ssl.trust-store-type")]),e._v(" (optional, typically "),n("code",[e._v("jks")]),e._v(", supports also "),n("code",[e._v("pem")]),e._v(")")])])])]),e._v(" "),n("li",[n("p",[e._v("Authentication method: "),n("code",[e._v("vault.authentication")]),e._v(" (defaults to "),n("code",[e._v("TOKEN")]),e._v(", supported authentication methods are: "),n("code",[e._v("TOKEN")]),e._v(", "),n("code",[e._v("APPID")]),e._v(", "),n("code",[e._v("APPROLE")]),e._v(", "),n("code",[e._v("AWS_EC2")]),e._v(", "),n("code",[e._v("AZURE")]),e._v(", "),n("code",[e._v("CERT")]),e._v(", "),n("code",[e._v("CUBBYHOLE")]),e._v(", "),n("code",[e._v("KUBERNETES")]),e._v(")")])])]),e._v(" "),n("p",[n("strong",[e._v("Authentication-specific property keys")])]),e._v(" "),n("p",[n("strong",[n("a",{attrs:{href:"#vault.authentication.token"}},[e._v("Token authentication")])])]),e._v(" "),n("ul",[n("li",[e._v("Vault Token: "),n("code",[e._v("vault.token")])])]),e._v(" "),n("p",[n("strong",[n("a",{attrs:{href:"#vault.authentication.appid"}},[e._v("AppId authentication")])])]),e._v(" "),n("ul",[n("li",[n("p",[e._v("AppId path: "),n("code",[e._v("vault.app-id.app-id-path")]),e._v(" (defaults to "),n("code",[e._v("app-id")]),e._v(")")])]),e._v(" "),n("li",[n("p",[e._v("AppId: "),n("code",[e._v("vault.app-id.app-id")])])]),e._v(" "),n("li",[n("p",[e._v("UserId: "),n("code",[e._v("vault.app-id.user-id")]),e._v(". "),n("code",[e._v("MAC_ADDRESS")]),e._v(" and "),n("code",[e._v("IP_ADDRESS")]),e._v(" use "),n("code",[e._v("MacAddressUserId")]),e._v(", respective "),n("code",[e._v("IpAddressUserId")]),e._v(" user id mechanisms.\nAny other value is used with "),n("code",[e._v("StaticUserId")]),e._v(".")])])]),e._v(" "),n("p",[n("strong",[n("a",{attrs:{href:"#vault.authentication.approle"}},[e._v("AppRole authentication")])])]),e._v(" "),n("ul",[n("li",[n("p",[e._v("AppRole path: "),n("code",[e._v("vault.app-role.app-role-path")]),e._v(" (defaults to "),n("code",[e._v("approle")]),e._v(")")])]),e._v(" "),n("li",[n("p",[e._v("RoleId: "),n("code",[e._v("vault.app-role.role-id")])])]),e._v(" "),n("li",[n("p",[e._v("SecretId: "),n("code",[e._v("vault.app-role.secret-id")]),e._v(" (optional)")])])]),e._v(" "),n("p",[n("strong",[n("a",{attrs:{href:"#vault.authentication.awsec2"}},[e._v("AWS-EC2 authentication")])])]),e._v(" "),n("ul",[n("li",[n("p",[e._v("AWS EC2 path: "),n("code",[e._v("vault.aws-ec2.aws-ec2-path")]),e._v(" (defaults to "),n("code",[e._v("aws-ec2")]),e._v(")")])]),e._v(" "),n("li",[n("p",[e._v("Role: "),n("code",[e._v("vault.aws-ec2.role")])])]),e._v(" "),n("li",[n("p",[e._v("RoleId: "),n("code",[e._v("vault.aws-ec2.role-id")]),e._v(" ("),n("strong",[e._v("deprecated:")]),e._v(" use "),n("code",[e._v("vault.aws-ec2.role")]),e._v(" instead)")])]),e._v(" "),n("li",[n("p",[e._v("Identity Document URL: "),n("code",[e._v("vault.aws-ec2.identity-document")]),e._v(" (defaults to "),n("code",[e._v("[http://169.254.169.254/latest/dynamic/instance-identity/pkcs7](http://169.254.169.254/latest/dynamic/instance-identity/pkcs7)")]),e._v(")")])])]),e._v(" "),n("p",[n("strong",[n("a",{attrs:{href:"#vault.authentication.azuremsi"}},[e._v("Azure (MSI) authentication")])])]),e._v(" "),n("ul",[n("li",[n("p",[e._v("Azure MSI path: "),n("code",[e._v("vault.azure-msi.azure-path")]),e._v(" (defaults to "),n("code",[e._v("azure")]),e._v(")")])]),e._v(" "),n("li",[n("p",[e._v("Role: "),n("code",[e._v("vault.azure-msi.role")])])]),e._v(" "),n("li",[n("p",[e._v("Metadata Service URL: "),n("code",[e._v("vault.azure-msi.metadata-service")]),e._v(" (defaults to "),n("code",[e._v("[http://169.254.169.254/metadata/instance?api-version=2017-08-01](http://169.254.169.254/metadata/instance?api-version=2017-08-01)")]),e._v(")")])]),e._v(" "),n("li",[n("p",[e._v("Identity TokenService URL: "),n("code",[e._v("vault.azure-msi.identity-token-service")]),e._v(" (defaults to "),n("code",[e._v("[http://169.254.169.254/metadata/identity/oauth2/token?resource=https://vault.hashicorp.com&api-version=2018-02-01](http://169.254.169.254/metadata/identity/oauth2/token?resource=https://vault.hashicorp.com&api-version=2018-02-01)")]),e._v(")")])])]),e._v(" "),n("p",[n("strong",[n("a",{attrs:{href:"#vault.authentication.clientcert"}},[e._v("TLS certificate authentication")])])]),e._v(" "),n("p",[e._v("No configuration options.")]),e._v(" "),n("p",[n("strong",[n("a",{attrs:{href:"#vault.authentication.cubbyhole"}},[e._v("Cubbyhole authentication")])])]),e._v(" "),n("ul",[n("li",[e._v("Initial Vault Token: "),n("code",[e._v("vault.token")])])]),e._v(" "),n("p",[n("strong",[n("a",{attrs:{href:"#vault.authentication.kubernetes"}},[e._v("Kubernetes authentication")])])]),e._v(" "),n("ul",[n("li",[n("p",[e._v("Kubernetes path: "),n("code",[e._v("vault.kubernetes.kubernetes-path")]),e._v(" (defaults to "),n("code",[e._v("kubernetes")]),e._v(")")])]),e._v(" "),n("li",[n("p",[e._v("Role: "),n("code",[e._v("vault.kubernetes.role")])])]),e._v(" "),n("li",[n("p",[e._v("Path to service account token file: "),n("code",[e._v("vault.kubernetes.service-account-token-file")]),e._v(" (defaults to "),n("code",[e._v("/var/run/secrets/kubernetes.io/serviceaccount/token")]),e._v(")")])])]),e._v(" "),n("h3",{attrs:{id:"_9-4-execution-callbacks"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#_9-4-execution-callbacks"}},[e._v("#")]),e._v(" 9.4. Execution callbacks")]),e._v(" "),n("p",[e._v("One common design feature of all Spring template classes is that all functionality is routed into one of the templates execute callback methods.\nThis helps ensure that exceptions and any resource management that maybe required are performed consistency.\nWhile this was of much greater need in the case of JDBC and JMS than with Vault, it still offers a single spot for access and logging to occur.\nAs such, using the execute callback is the preferred way to access the Vault API\nto perform uncommon operations that we’ve not exposed as methods on "),n("code",[e._v("VaultTemplate")]),e._v(".")]),e._v(" "),n("p",[e._v("Here is a list of execute callback methods.")]),e._v(" "),n("ul",[n("li",[n("p",[n("code",[e._v(" T")]),e._v(" "),n("strong",[e._v("doWithVault")]),e._v(" "),n("code",[e._v("(RestOperationsCallback callback)")]),e._v(" Executes the given"),n("code",[e._v("RestOperationsCallback")]),e._v(", allows to interact with Vault using "),n("code",[e._v("RestOperations")]),e._v(" without requiring a session.")])]),e._v(" "),n("li",[n("p",[n("code",[e._v(" T")]),e._v(" "),n("strong",[e._v("doWithSession")]),e._v(" "),n("code",[e._v("(RestOperationsCallback callback)")]),e._v(" Executes the given"),n("code",[e._v("RestOperationsCallback")]),e._v(", allows to interact with Vault in an authenticated session.")])])]),e._v(" "),n("p",[e._v("Here is an example that uses the "),n("code",[e._v("ClientCallback")]),e._v(" to initialize Vault:")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('vaultOperations.doWithVault(new RestOperationsCallback() {\n\n @Override\n public VaultInitializationResponse doWithRestOperations(RestOperations restOperations) {\n\n ResponseEntity exchange = restOperations\n .exchange("/sys/init", HttpMethod.PUT,\n new HttpEntity