.password-property` sets the property name in which the Database password is stored Make sure to use unique property names to avoid property shadowing.
See also: [Vault Documentation: Database Secrets backend](https://www.vaultproject.io/docs/secrets/databases/index.html)
| |Spring Cloud Vault does not support getting new credentials and configuring your `DataSource` with them when the maximum lease time has been reached.
That is, if `max_ttl` of the Database role in Vault is set to `24h` that means that 24 hours after your application has started it can no longer authenticate with the database.|
|---|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
### 8.3. Apache Cassandra
| |The `cassandra` backend has been deprecated in Vault 0.7.1 and it is recommended to use the `database` backend and mount it as `cassandra`.|
|---|-------------------------------------------------------------------------------------------------------------------------------------------|
Spring Cloud Vault can obtain credentials for Apache Cassandra.
The integration can be enabled by setting`spring.cloud.vault.cassandra.enabled=true` (default `false`) and providing the role name with `spring.cloud.vault.cassandra.role=…`.
Username and password are available from `spring.data.cassandra.username`and `spring.data.cassandra.password` properties so using Spring Boot will pick up the generated credentials without further configuration.
You can configure the property names by setting`spring.cloud.vault.cassandra.username-property` and`spring.cloud.vault.cassandra.password-property`.
```
spring.cloud.vault:
cassandra:
enabled: true
role: readonly
backend: cassandra
username-property: spring.data.cassandra.username
password-property: spring.data.cassandra.password
```
* `enabled` setting this value to `true` enables the Cassandra backend config usage
* `role` sets the role name of the Cassandra role definition
* `backend` sets the path of the Cassandra mount to use
* `username-property` sets the property name in which the Cassandra username is stored
* `password-property` sets the property name in which the Cassandra password is stored
See also: [Vault Documentation: Setting up Apache Cassandra with Vault](https://www.vaultproject.io/docs/secrets/cassandra/index.html)
### 8.4. Couchbase Database
Spring Cloud Vault can obtain credentials for Couchbase.
The integration can be enabled by setting`spring.cloud.vault.couchbase.enabled=true` (default `false`) and providing the role name with `spring.cloud.vault.couchbase.role=…`.
Username and password are available from `spring.couchbase.username`and `spring.couchbase.password` properties so using Spring Boot will pick up the generated credentials without further configuration.
You can configure the property names by setting`spring.cloud.vault.couchbase.username-property` and`spring.cloud.vault.couchbase.password-property`.
```
spring.cloud.vault:
couchbase:
enabled: true
role: readonly
backend: database
username-property: spring.couchbase.username
password-property: spring.couchbase.password
```
* `enabled` setting this value to `true` enables the Couchbase backend config usage
* `role` sets the role name of the Couchbase role definition
* `backend` sets the path of the Couchbase mount to use
* `username-property` sets the property name in which the Couchbase username is stored
* `password-property` sets the property name in which the Couchbase password is stored
See also: [Couchbase Database Plugin Documentation](https://github.com/hashicorp/vault-plugin-database-couchbase)
### 8.5. Elasticsearch
Spring Cloud Vault can obtain since version 3.0 credentials for Elasticsearch.
The integration can be enabled by setting`spring.cloud.vault.elasticsearch.enabled=true` (default `false`) and providing the role name with `spring.cloud.vault.elasticsearch.role=…`.
Username and password are available from `spring.elasticsearch.rest.username`and `spring.elasticsearch.rest.password` properties so using Spring Boot will pick up the generated credentials without further configuration.
You can configure the property names by setting`spring.cloud.vault.elasticsearch.username-property` and`spring.cloud.vault.elasticsearch.password-property`.
```
spring.cloud.vault:
elasticsearch:
enabled: true
role: readonly
backend: mongodb
username-property: spring.elasticsearch.rest.username
password-property: spring.elasticsearch.rest.password
```
* `enabled` setting this value to `true` enables the Elasticsearch database backend config usage
* `role` sets the role name of the Elasticsearch role definition
* `backend` sets the path of the Elasticsearch mount to use
* `username-property` sets the property name in which the Elasticsearch username is stored
* `password-property` sets the property name in which the Elasticsearch password is stored
See also: [Vault Documentation: Setting up Elasticsearch with Vault](https://www.vaultproject.io/docs/secrets/databases/elasticdb)
### 8.6. MongoDB
| |The `mongodb` backend has been deprecated in Vault 0.7.1 and it is recommended to use the `database` backend and mount it as `mongodb`.|
|---|---------------------------------------------------------------------------------------------------------------------------------------|
Spring Cloud Vault can obtain credentials for MongoDB.
The integration can be enabled by setting`spring.cloud.vault.mongodb.enabled=true` (default `false`) and providing the role name with `spring.cloud.vault.mongodb.role=…`.
Username and password are stored in `spring.data.mongodb.username`and `spring.data.mongodb.password` so using Spring Boot will pick up the generated credentials without further configuration.
You can configure the property names by setting`spring.cloud.vault.mongodb.username-property` and`spring.cloud.vault.mongodb.password-property`.
```
spring.cloud.vault:
mongodb:
enabled: true
role: readonly
backend: mongodb
username-property: spring.data.mongodb.username
password-property: spring.data.mongodb.password
```
* `enabled` setting this value to `true` enables the MongodB backend config usage
* `role` sets the role name of the MongoDB role definition
* `backend` sets the path of the MongoDB mount to use
* `username-property` sets the property name in which the MongoDB username is stored
* `password-property` sets the property name in which the MongoDB password is stored
See also: [Vault Documentation: Setting up MongoDB with Vault](https://www.vaultproject.io/docs/secrets/mongodb/index.html)
### 8.7. MySQL
| |The `mysql` backend has been deprecated in Vault 0.7.1 and it is recommended to use the `database` backend and mount it as `mysql`.
Configuration for `spring.cloud.vault.mysql` will be removed in a future version.|
|---|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
Spring Cloud Vault can obtain credentials for MySQL.
The integration can be enabled by setting`spring.cloud.vault.mysql.enabled=true` (default `false`) and providing the role name with `spring.cloud.vault.mysql.role=…`.
Username and password are available from `spring.datasource.username`and `spring.datasource.password` properties so using Spring Boot will pick up the generated credentials without further configuration.
You can configure the property names by setting`spring.cloud.vault.mysql.username-property` and`spring.cloud.vault.mysql.password-property`.
```
spring.cloud.vault:
mysql:
enabled: true
role: readonly
backend: mysql
username-property: spring.datasource.username
password-property: spring.datasource.password
```
* `enabled` setting this value to `true` enables the MySQL backend config usage
* `role` sets the role name of the MySQL role definition
* `backend` sets the path of the MySQL mount to use
* `username-property` sets the property name in which the MySQL username is stored
* `password-property` sets the property name in which the MySQL password is stored
See also: [Vault Documentation: Setting up MySQL with Vault](https://www.vaultproject.io/docs/secrets/mysql/index.html)
### 8.8. PostgreSQL
| |The `postgresql` backend has been deprecated in Vault 0.7.1 and it is recommended to use the `database` backend and mount it as `postgresql`.
Configuration for `spring.cloud.vault.postgresql` will be removed in a future version.|
|---|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
Spring Cloud Vault can obtain credentials for PostgreSQL.
The integration can be enabled by setting`spring.cloud.vault.postgresql.enabled=true` (default `false`) and providing the role name with `spring.cloud.vault.postgresql.role=…`.
Username and password are available from `spring.datasource.username`and `spring.datasource.password` properties so using Spring Boot will pick up the generated credentials without further configuration.
You can configure the property names by setting`spring.cloud.vault.postgresql.username-property` and`spring.cloud.vault.postgresql.password-property`.
```
spring.cloud.vault:
postgresql:
enabled: true
role: readonly
backend: postgresql
username-property: spring.datasource.username
password-property: spring.datasource.password
```
* `enabled` setting this value to `true` enables the PostgreSQL backend config usage
* `role` sets the role name of the PostgreSQL role definition
* `backend` sets the path of the PostgreSQL mount to use
* `username-property` sets the property name in which the PostgreSQL username is stored
* `password-property` sets the property name in which the PostgreSQL password is stored
See also: [Vault Documentation: Setting up PostgreSQL with Vault](https://www.vaultproject.io/docs/secrets/postgresql/index.html)
## 9. Customize which secret backends to expose as PropertySource
Spring Cloud Vault uses property-based configuration to create `PropertySource`s for key-value and discovered secret backends.
Discovered backends provide `VaultSecretBackendDescriptor` beans to describe the configuration state to use secret backend as `PropertySource`.
A `SecretBackendMetadataFactory` is required to create a `SecretBackendMetadata` object which contains path, name and property transformation configuration.
`SecretBackendMetadata` is used to back a particular `PropertySource`.
You can register a `VaultConfigurer` for customization.
Default key-value and discovered backend registration is disabled if you provide a `VaultConfigurer`.
You can however enable default registration with`SecretBackendConfigurer.registerDefaultKeyValueSecretBackends()` and `SecretBackendConfigurer.registerDefaultDiscoveredSecretBackends()`.
```
public class CustomizationBean implements VaultConfigurer {
@Override
public void addSecretBackends(SecretBackendConfigurer configurer) {
configurer.add("secret/my-application");
configurer.registerDefaultKeyValueSecretBackends(false);
configurer.registerDefaultDiscoveredSecretBackends(true);
}
}
```
```
SpringApplication application = new SpringApplication(MyApplication.class);
application.addBootstrapper(VaultBootstrapper.fromConfigurer(new CustomizationBean()));
```
## 10. Custom Secret Backend Implementations
Spring Cloud Vault ships with secret backend support for the most common backend integrations.
You can integrate with any kind of backend by providing an implementation that describes how to obtain data from the backend you want to use and how to surface data provided by that backend by providing a `PropertyTransformer`.
Adding a custom implementation for a backend requires implementation of two interfaces:
* `org.springframework.cloud.vault.config.VaultSecretBackendDescriptor`
* `org.springframework.cloud.vault.config.SecretBackendMetadataFactory`
`VaultSecretBackendDescriptor` is typically an object that holds configuration data, such as `VaultDatabaseProperties`. Spring Cloud Vault requires that your type is annotated with `@ConfigurationProperties` to materialize the class from the configuration.
`SecretBackendMetadataFactory` accepts `VaultSecretBackendDescriptor` to create the actual `SecretBackendMetadata` object which holds the context path within your Vault server, any path variables required to resolve parametrized context paths and `PropertyTransformer`.
Both, `VaultSecretBackendDescriptor` and `SecretBackendMetadataFactory` types must be registered in `spring.factories` which is an extension mechanism provided by Spring, similar to Java’s ServiceLoader.
## 11. Service Registry Configuration
You can use a `DiscoveryClient` (such as from Spring Cloud Consul) to locate a Vault server by setting spring.cloud.vault.discovery.enabled=true (default `false`).
The net result of that is that your apps need a application.yml (or an environment variable) with the appropriate discovery configuration.
The benefit is that the Vault can change its co-ordinates, as long as the discovery service is a fixed point.
The default service id is `vault` but you can change that on the client with`spring.cloud.vault.discovery.serviceId`.
The discovery client implementations all support some kind of metadata map (e.g. for Eureka we have eureka.instance.metadataMap).
Some additional properties of the service may need to be configured in its service registration metadata so that clients can connect correctly.
Service registries that do not provide details about transport layer security need to provide a `scheme` metadata entry to be set either to `https` or `http`.
If no scheme is configured and the service is not exposed as secure service, then configuration defaults to `spring.cloud.vault.scheme` which is `https` when it’s not set.
```
spring.cloud.vault.discovery:
enabled: true
service-id: my-vault-service
```
## 12. Vault Client Fail Fast
In some cases, it may be desirable to fail startup of a service if it cannot connect to the Vault Server.
If this is the desired behavior, set the bootstrap configuration property`spring.cloud.vault.fail-fast=true` and the client will halt with an Exception.
```
spring.cloud.vault:
fail-fast: true
```
## 13. Vault Enterprise Namespace Support
Vault Enterprise allows using namespaces to isolate multiple Vaults on a single Vault server.
Configuring a namespace by setting`spring.cloud.vault.namespace=…` enables the namespace header`X-Vault-Namespace` on every outgoing HTTP request when using the Vault`RestTemplate` or `WebClient`.
Please note that this feature is not supported by Vault Community edition and has no effect on Vault operations.
```
spring.cloud.vault:
namespace: my-namespace
```
See also: [Vault Enterprise: Namespaces](https://www.vaultproject.io/docs/enterprise/namespaces/index.html)
## 14. Vault Client SSL configuration
SSL can be configured declaratively by setting various properties.
You can set either `javax.net.ssl.trustStore` to configure JVM-wide SSL settings or `spring.cloud.vault.ssl.trust-store`to set SSL settings only for Spring Cloud Vault Config.
```
spring.cloud.vault:
ssl:
trust-store: classpath:keystore.jks
trust-store-password: changeit
trust-store-type: JKS
enabled-protocols: TLSv1.2,TLSv1.3
enabled-cipher-suites: TLS_AES_128_GCM_SHA256
```
* `trust-store` sets the resource for the trust-store.
SSL-secured Vault communication will validate the Vault SSL certificate with the specified trust-store.
* `trust-store-password` sets the trust-store password
* `trust-store-type` sets the trust-store type. Supported values are all supported `KeyStore` types including `PEM`.
* `enabled-protocols` sets the list of enabled SSL/TLS protocols (since 3.0.2).
* `enabled-cipher-suites` sets the list of enabled SSL/TLS cipher suites (since 3.0.2).
Please note that configuring `spring.cloud.vault.ssl.*` can be only applied when either Apache Http Components or the OkHttp client is on your class-path.
## 15. Lease lifecycle management (renewal and revocation)
With every secret, Vault creates a lease:
metadata containing information such as a time duration, renewability, and more.
Vault promises that the data will be valid for the given duration, or Time To Live (TTL).
Once the lease is expired, Vault can revoke the data, and the consumer of the secret can no longer be certain that it is valid.
Spring Cloud Vault maintains a lease lifecycle beyond the creation of login tokens and secrets.
That said, login tokens and secrets associated with a lease are scheduled for renewal just before the lease expires until terminal expiry.
Application shutdown revokes obtained login tokens and renewable leases.
Secret service and database backends (such as MongoDB or MySQL) usually generate a renewable lease so generated credentials will be disabled on application shutdown.
| |Static tokens are not renewed or revoked.|
|---|-----------------------------------------|
Lease renewal and revocation is enabled by default and can be disabled by setting `spring.cloud.vault.config.lifecycle.enabled`to `false`.
This is not recommended as leases can expire and Spring Cloud Vault cannot longer access Vault or services using generated credentials and valid credentials remain active after application shutdown.
```
spring.cloud.vault:
config.lifecycle:
enabled: true
min-renewal: 10s
expiry-threshold: 1m
lease-endpoints: Legacy
```
* `enabled` controls whether leases associated with secrets are considered to be renewed and expired secrets are rotated.
Enabled by default.
* `min-renewal` sets the duration that is at least required before renewing a lease.
This setting prevents renewals from happening too often.
* `expiry-threshold` sets the expiry threshold.
A lease is renewed the configured period of time before it expires.
* `lease-endpoints` sets the endpoints for renew and revoke.
Legacy for vault versions before 0.8 and SysLeases for later.
See also: [Vault Documentation: Lease, Renew, and Revoke](https://www.vaultproject.io/docs/concepts/lease.html)
## 16. Session token lifecycle management (renewal, re-login and revocation)
A Vault session token (also referred to as `LoginToken`) is quite similar to a lease as it has a TTL, max TTL, and may expire.
Once a login token expires, it cannot be used anymore to interact with Vault.
Therefore, Spring Vault ships with a `SessionManager` API for imperative and reactive use.
Spring Cloud Vault maintains the session token lifecycle by default.
Session tokens are obtained lazily so the actual login is deferred until the first session-bound use of Vault.
Once Spring Cloud Vault obtains a session token, it retains it until expiry.
The next time a session-bound activity is used, Spring Cloud Vault re-logins into Vault and obtains a new session token.
On application shut down, Spring Cloud Vault revokes the token if it was still active to terminate the session.
Session lifecycle is enabled by default and can be disabled by setting `spring.cloud.vault.session.lifecycle.enabled`to `false`.
Disabling is not recommended as session tokens can expire and Spring Cloud Vault cannot longer access Vault.
```
spring.cloud.vault:
session.lifecycle:
enabled: true
refresh-before-expiry: 10s
expiry-threshold: 20s
```
* `enabled` controls whether session lifecycle management is enabled to renew session tokens.
Enabled by default.
* `refresh-before-expiry` controls the point in time when the session token gets renewed.
The refresh time is calculated by subtracting `refresh-before-expiry` from the token expiry time.
Defaults to `5 seconds`.
* `expiry-threshold` sets the expiry threshold.
The threshold represents a minimum TTL duration to consider a session token as valid.
Tokens with a shorter TTL are considered expired and are not used anymore.
Should be greater than `refresh-before-expiry` to prevent token expiry.
Defaults to `7 seconds`.
See also: [Vault Documentation: Token Renewal](https://www.vaultproject.io/api-docs/auth/token#renew-a-token-self)
## Appendix A: Common application properties
Various properties can be specified inside your `application.properties` file, inside your `application.yml` file, or as command line switches.
This appendix provides a list of common Spring Cloud Vault properties and references to the underlying classes that consume them.
| |Property contributions can come from additional jar files on your classpath, so you should not consider this an exhaustive list.
Also, you can define your own properties.|
|---|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Name | Default | Description |
|----------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| spring.cloud.vault.app-id.app-id-path | `app-id` | Mount path of the AppId authentication backend. |
| spring.cloud.vault.app-id.network-interface | | Network interface hint for the "MAC\_ADDRESS" UserId mechanism. |
| spring.cloud.vault.app-id.user-id | `MAC_ADDRESS` | UserId mechanism. Can be either "MAC\_ADDRESS", "IP\_ADDRESS", a string or a class name. |
| spring.cloud.vault.app-role.app-role-path | `approle` | Mount path of the AppRole authentication backend. |
| spring.cloud.vault.app-role.role | | Name of the role, optional, used for pull-mode. |
| spring.cloud.vault.app-role.role-id | | The RoleId. |
| spring.cloud.vault.app-role.secret-id | | The SecretId. |
| spring.cloud.vault.application-name | `application` | Application name for AppId authentication. |
| spring.cloud.vault.authentication | | |
| spring.cloud.vault.aws-ec2.aws-ec2-path | `aws-ec2` | Mount path of the AWS-EC2 authentication backend. |
| spring.cloud.vault.aws-ec2.identity-document |`[169.254.169.254/latest/dynamic/instance-identity/pkcs7](http://169.254.169.254/latest/dynamic/instance-identity/pkcs7)`| URL of the AWS-EC2 PKCS7 identity document. |
| spring.cloud.vault.aws-ec2.nonce | | Nonce used for AWS-EC2 authentication. An empty nonce defaults to nonce generation. |
| spring.cloud.vault.aws-ec2.role | | Name of the role, optional. |
| spring.cloud.vault.aws-iam.aws-path | `aws` | Mount path of the AWS authentication backend. |
| spring.cloud.vault.aws-iam.endpoint-uri | | STS server URI. @since 2.2 |
| spring.cloud.vault.aws-iam.role | | Name of the role, optional. Defaults to the friendly IAM name if not set. |
| spring.cloud.vault.aws-iam.server-name | | Name of the server used to set {@code X-Vault-AWS-IAM-Server-ID} header in the headers of login requests. |
| spring.cloud.vault.aws.access-key-property | `cloud.aws.credentials.accessKey` | Target property for the obtained access key. |
| spring.cloud.vault.aws.backend | `aws` | aws backend path. |
| spring.cloud.vault.aws.credential-type | | aws credential type |
| spring.cloud.vault.aws.enabled | `false` | Enable aws backend usage. |
| spring.cloud.vault.aws.role | | Role name for credentials. |
| spring.cloud.vault.aws.role-arn | | Role arn for assumed\_role in case we have multiple roles associated with the vault role. @since 3.0.2 |
| spring.cloud.vault.aws.secret-key-property | `cloud.aws.credentials.secretKey` | Target property for the obtained secret key. |
| spring.cloud.vault.aws.session-token-key-property | `cloud.aws.credentials.sessionToken` | Target property for the obtained secret key. |
| spring.cloud.vault.aws.ttl | `0` | TTL for sts tokens. Defaults to whatever the vault Role may have for Max. Also limited to what AWS supports to be the max for STS. @since 3.0.2 |
| spring.cloud.vault.azure-msi.azure-path | `azure` | Mount path of the Azure MSI authentication backend. |
| spring.cloud.vault.azure-msi.identity-token-service | | Identity token service URI. @since 3.0 |
| spring.cloud.vault.azure-msi.metadata-service | | Instance metadata service URI. @since 3.0 |
| spring.cloud.vault.azure-msi.role | | Name of the role. |
| spring.cloud.vault.cassandra.backend | `cassandra` | Cassandra backend path. |
| spring.cloud.vault.cassandra.enabled | `false` | Enable cassandra backend usage. |
| spring.cloud.vault.cassandra.password-property | `spring.data.cassandra.password` | Target property for the obtained password. |
| spring.cloud.vault.cassandra.role | | Role name for credentials. |
| spring.cloud.vault.cassandra.static-role | `false` | Enable static role usage. @since 2.2 |
| spring.cloud.vault.cassandra.username-property | `spring.data.cassandra.username` | Target property for the obtained username. |
| spring.cloud.vault.config.lifecycle.enabled | `true` | Enable lifecycle management. |
| spring.cloud.vault.config.lifecycle.expiry-threshold | | The expiry threshold. {@link Lease} is renewed the given {@link Duration} before it expires. @since 2.2 |
| spring.cloud.vault.config.lifecycle.lease-endpoints | |Set the {@link LeaseEndpoints} to delegate renewal/revocation calls to. {@link LeaseEndpoints} encapsulates differences between Vault versions that affect the location of renewal/revocation endpoints. Can be {@link LeaseEndpoints#SysLeases} for version 0.8 or above of Vault or {@link LeaseEndpoints#Legacy} for older versions (the default). @since 2.2|
| spring.cloud.vault.config.lifecycle.min-renewal | | The time period that is at least required before renewing a lease. @since 2.2 |
| spring.cloud.vault.config.order | `0` | Used to set a {@link org.springframework.core.env.PropertySource} priority. This is useful to use Vault as an override on other property sources. @see org.springframework.core.PriorityOrdered |
| spring.cloud.vault.connection-timeout | `5000` | Connection timeout. |
| spring.cloud.vault.consul.backend | `consul` | Consul backend path. |
| spring.cloud.vault.consul.enabled | `false` | Enable consul backend usage. |
| spring.cloud.vault.consul.role | | Role name for credentials. |
| spring.cloud.vault.consul.token-property | `spring.cloud.consul.token` | Target property for the obtained token. |
| spring.cloud.vault.couchbase.backend | `database` | Couchbase backend path. |
| spring.cloud.vault.couchbase.enabled | `false` | Enable couchbase backend usage. |
| spring.cloud.vault.couchbase.password-property | `spring.couchbase.password` | Target property for the obtained password. |
| spring.cloud.vault.couchbase.role | | Role name for credentials. |
| spring.cloud.vault.couchbase.static-role | `false` | Enable static role usage. |
| spring.cloud.vault.couchbase.username-property | `spring.couchbase.username` | Target property for the obtained username. |
| spring.cloud.vault.database.backend | `database` | Database backend path. |
| spring.cloud.vault.database.enabled | `false` | Enable database backend usage. |
| spring.cloud.vault.database.password-property | `spring.datasource.password` | Target property for the obtained password. |
| spring.cloud.vault.database.role | | Role name for credentials. |
| spring.cloud.vault.database.static-role | `false` | Enable static role usage. |
| spring.cloud.vault.database.username-property | `spring.datasource.username` | Target property for the obtained username. |
| spring.cloud.vault.databases | | |
| spring.cloud.vault.discovery.enabled | `false` | Flag to indicate that Vault server discovery is enabled (vault server URL will be looked up via discovery). |
| spring.cloud.vault.discovery.service-id | `vault` | Service id to locate Vault. |
| spring.cloud.vault.elasticsearch.backend | `database` | Database backend path. |
| spring.cloud.vault.elasticsearch.enabled | `false` | Enable elasticsearch backend usage. |
| spring.cloud.vault.elasticsearch.password-property | `spring.elasticsearch.rest.password` | Target property for the obtained password. |
| spring.cloud.vault.elasticsearch.role | | Role name for credentials. |
| spring.cloud.vault.elasticsearch.static-role | `false` | Enable static role usage. |
| spring.cloud.vault.elasticsearch.username-property | `spring.elasticsearch.rest.username` | Target property for the obtained username. |
| spring.cloud.vault.enabled | `true` | Enable Vault config server. |
| spring.cloud.vault.fail-fast | `false` | Fail fast if data cannot be obtained from Vault. |
| spring.cloud.vault.gcp-gce.gcp-path | `gcp` | Mount path of the Kubernetes authentication backend. |
| spring.cloud.vault.gcp-gce.role | | Name of the role against which the login is being attempted. |
| spring.cloud.vault.gcp-gce.service-account | | Optional service account id. Using the default id if left unconfigured. |
| spring.cloud.vault.gcp-iam.credentials.encoded-key | | The base64 encoded contents of an OAuth2 account private key in JSON format. |
| spring.cloud.vault.gcp-iam.credentials.location | | Location of the OAuth2 credentials private key. \ Since this is a Resource, the private key can be in a multitude of locations, such as a local file system, classpath, URL, etc. |
| spring.cloud.vault.gcp-iam.gcp-path | `gcp` | Mount path of the Kubernetes authentication backend. |
| spring.cloud.vault.gcp-iam.jwt-validity | `15m` | Validity of the JWT token. |
| spring.cloud.vault.gcp-iam.project-id | | Overrides the GCP project Id. |
| spring.cloud.vault.gcp-iam.role | | Name of the role against which the login is being attempted. |
| spring.cloud.vault.gcp-iam.service-account-id | | Overrides the GCP service account Id. |
| spring.cloud.vault.host | `localhost` | Vault server host. |
| spring.cloud.vault.kubernetes.kubernetes-path | `kubernetes` | Mount path of the Kubernetes authentication backend. |
| spring.cloud.vault.kubernetes.role | | Name of the role against which the login is being attempted. |
| spring.cloud.vault.kubernetes.service-account-token-file | `/var/run/secrets/kubernetes.io/serviceaccount/token` | Path to the service account token file. |
| spring.cloud.vault.kv.application-name | `application` | Application name to be used for the context. |
| spring.cloud.vault.kv.backend | `secret` | Name of the default backend. |
| spring.cloud.vault.kv.backend-version | `2` | Key-Value backend version. Currently supported versions are: \
\- Version 1 (unversioned key-value backend).\
\- Version 2 (versioned key-value backend).\
\
|
| spring.cloud.vault.kv.default-context | `application` | Name of the default context. |
| spring.cloud.vault.kv.enabled | `true` | Enable the kev-value backend. |
| spring.cloud.vault.kv.profile-separator | `/` | Profile-separator to combine application name and profile. |
| spring.cloud.vault.kv.profiles | | List of active profiles. @since 3.0 |
| spring.cloud.vault.mongodb.backend | `mongodb` | MongoDB backend path. |
| spring.cloud.vault.mongodb.enabled | `false` | Enable mongodb backend usage. |
| spring.cloud.vault.mongodb.password-property | `spring.data.mongodb.password` | Target property for the obtained password. |
| spring.cloud.vault.mongodb.role | | Role name for credentials. |
| spring.cloud.vault.mongodb.static-role | `false` | Enable static role usage. @since 2.2 |
| spring.cloud.vault.mongodb.username-property | `spring.data.mongodb.username` | Target property for the obtained username. |
| spring.cloud.vault.mysql.backend | `mysql` | mysql backend path. |
| spring.cloud.vault.mysql.enabled | `false` | Enable mysql backend usage. |
| spring.cloud.vault.mysql.password-property | `spring.datasource.password` | Target property for the obtained username. |
| spring.cloud.vault.mysql.role | | Role name for credentials. |
| spring.cloud.vault.mysql.username-property | `spring.datasource.username` | Target property for the obtained username. |
| spring.cloud.vault.namespace | | Vault namespace (requires Vault Enterprise). |
| spring.cloud.vault.pcf.instance-certificate | | Path to the instance certificate (PEM). Defaults to {@code CF\_INSTANCE\_CERT} env variable. |
| spring.cloud.vault.pcf.instance-key | | Path to the instance key (PEM). Defaults to {@code CF\_INSTANCE\_KEY} env variable. |
| spring.cloud.vault.pcf.pcf-path | `pcf` | Mount path of the Kubernetes authentication backend. |
| spring.cloud.vault.pcf.role | | Name of the role against which the login is being attempted. |
| spring.cloud.vault.port | `8200` | Vault server port. |
| spring.cloud.vault.postgresql.backend | `postgresql` | postgresql backend path. |
| spring.cloud.vault.postgresql.enabled | `false` | Enable postgresql backend usage. |
| spring.cloud.vault.postgresql.password-property | `spring.datasource.password` | Target property for the obtained username. |
| spring.cloud.vault.postgresql.role | | Role name for credentials. |
| spring.cloud.vault.postgresql.username-property | `spring.datasource.username` | Target property for the obtained username. |
| spring.cloud.vault.rabbitmq.backend | `rabbitmq` | rabbitmq backend path. |
| spring.cloud.vault.rabbitmq.enabled | `false` | Enable rabbitmq backend usage. |
| spring.cloud.vault.rabbitmq.password-property | `spring.rabbitmq.password` | Target property for the obtained password. |
| spring.cloud.vault.rabbitmq.role | | Role name for credentials. |
| spring.cloud.vault.rabbitmq.username-property | `spring.rabbitmq.username` | Target property for the obtained username. |
| spring.cloud.vault.reactive.enabled | `true` | Flag to indicate that reactive discovery is enabled |
| spring.cloud.vault.read-timeout | `15000` | Read timeout. |
| spring.cloud.vault.scheme | `https` | Protocol scheme. Can be either "http" or "https". |
| spring.cloud.vault.session.lifecycle.enabled | `true` | Enable session lifecycle management. |
| spring.cloud.vault.session.lifecycle.expiry-threshold | `7s` | The expiry threshold for a {@link LoginToken}. The threshold represents a minimum TTL duration to consider a login token as valid. Tokens with a shorter TTL are considered expired and are not used anymore. Should be greater than {@code refreshBeforeExpiry} to prevent token expiry. |
|spring.cloud.vault.session.lifecycle.refresh-before-expiry| `5s` | The time period that is at least required before renewing the {@link LoginToken}. |
| spring.cloud.vault.ssl.cert-auth-path | `cert` | Mount path of the TLS cert authentication backend. |
| spring.cloud.vault.ssl.enabled-cipher-suites | | List of enabled SSL/TLS cipher suites. @since 3.0.2 |
| spring.cloud.vault.ssl.enabled-protocols | | List of enabled SSL/TLS protocol. @since 3.0.2 |
| spring.cloud.vault.ssl.key-store | | Trust store that holds certificates and private keys. |
| spring.cloud.vault.ssl.key-store-password | | Password used to access the key store. |
| spring.cloud.vault.ssl.key-store-type | | Type of the key store. @since 3.0 |
| spring.cloud.vault.ssl.trust-store | | Trust store that holds SSL certificates. |
| spring.cloud.vault.ssl.trust-store-password | | Password used to access the trust store. |
| spring.cloud.vault.ssl.trust-store-type | | Type of the trust store. @since 3.0 |
| spring.cloud.vault.token | | Static vault token. Required if {@link #authentication} is {@code TOKEN}. |
| spring.cloud.vault.uri | | Vault URI. Can be set with scheme, host and port. |