.password-property")]),e._v(" sets the property name in which the Database password is stored Make sure to use unique property names to avoid property shadowing.")])])]),e._v(" "),a("p",[e._v("See also: "),a("a",{attrs:{href:"https://www.vaultproject.io/docs/secrets/databases/index.html",target:"_blank",rel:"noopener noreferrer"}},[e._v("Vault Documentation: Database Secrets backend"),a("OutboundLink")],1)]),e._v(" "),a("table",[a("thead",[a("tr",[a("th"),e._v(" "),a("th",[e._v("Spring Cloud Vault does not support getting new credentials and configuring your "),a("code",[e._v("DataSource")]),e._v(" with them when the maximum lease time has been reached."),a("br"),e._v("That is, if "),a("code",[e._v("max_ttl")]),e._v(" of the Database role in Vault is set to "),a("code",[e._v("24h")]),e._v(" that means that 24 hours after your application has started it can no longer authenticate with the database.")])])]),e._v(" "),a("tbody")]),e._v(" "),a("h3",{attrs:{id:"_8-3-apache-cassandra"}},[a("a",{staticClass:"header-anchor",attrs:{href:"#_8-3-apache-cassandra"}},[e._v("#")]),e._v(" 8.3. Apache Cassandra")]),e._v(" "),a("table",[a("thead",[a("tr",[a("th"),e._v(" "),a("th",[e._v("The "),a("code",[e._v("cassandra")]),e._v(" backend has been deprecated in Vault 0.7.1 and it is recommended to use the "),a("code",[e._v("database")]),e._v(" backend and mount it as "),a("code",[e._v("cassandra")]),e._v(".")])])]),e._v(" "),a("tbody")]),e._v(" "),a("p",[e._v("Spring Cloud Vault can obtain credentials for Apache Cassandra.\nThe integration can be enabled by setting"),a("code",[e._v("spring.cloud.vault.cassandra.enabled=true")]),e._v(" (default "),a("code",[e._v("false")]),e._v(") and providing the role name with "),a("code",[e._v("spring.cloud.vault.cassandra.role=…")]),e._v(".")]),e._v(" "),a("p",[e._v("Username and password are available from "),a("code",[e._v("spring.data.cassandra.username")]),e._v("and "),a("code",[e._v("spring.data.cassandra.password")]),e._v(" properties so using Spring Boot will pick up the generated credentials without further configuration.\nYou can configure the property names by setting"),a("code",[e._v("spring.cloud.vault.cassandra.username-property")]),e._v(" and"),a("code",[e._v("spring.cloud.vault.cassandra.password-property")]),e._v(".")]),e._v(" "),a("div",{staticClass:"language- extra-class"},[a("pre",{pre:!0,attrs:{class:"language-text"}},[a("code",[e._v("spring.cloud.vault:\n cassandra:\n enabled: true\n role: readonly\n backend: cassandra\n username-property: spring.data.cassandra.username\n password-property: spring.data.cassandra.password\n")])])]),a("ul",[a("li",[a("p",[a("code",[e._v("enabled")]),e._v(" setting this value to "),a("code",[e._v("true")]),e._v(" enables the Cassandra backend config usage")])]),e._v(" "),a("li",[a("p",[a("code",[e._v("role")]),e._v(" sets the role name of the Cassandra role definition")])]),e._v(" "),a("li",[a("p",[a("code",[e._v("backend")]),e._v(" sets the path of the Cassandra mount to use")])]),e._v(" "),a("li",[a("p",[a("code",[e._v("username-property")]),e._v(" sets the property name in which the Cassandra username is stored")])]),e._v(" "),a("li",[a("p",[a("code",[e._v("password-property")]),e._v(" sets the property name in which the Cassandra password is stored")])])]),e._v(" "),a("p",[e._v("See also: "),a("a",{attrs:{href:"https://www.vaultproject.io/docs/secrets/cassandra/index.html",target:"_blank",rel:"noopener noreferrer"}},[e._v("Vault Documentation: Setting up Apache Cassandra with Vault"),a("OutboundLink")],1)]),e._v(" "),a("h3",{attrs:{id:"_8-4-couchbase-database"}},[a("a",{staticClass:"header-anchor",attrs:{href:"#_8-4-couchbase-database"}},[e._v("#")]),e._v(" 8.4. Couchbase Database")]),e._v(" "),a("p",[e._v("Spring Cloud Vault can obtain credentials for Couchbase.\nThe integration can be enabled by setting"),a("code",[e._v("spring.cloud.vault.couchbase.enabled=true")]),e._v(" (default "),a("code",[e._v("false")]),e._v(") and providing the role name with "),a("code",[e._v("spring.cloud.vault.couchbase.role=…")]),e._v(".")]),e._v(" "),a("p",[e._v("Username and password are available from "),a("code",[e._v("spring.couchbase.username")]),e._v("and "),a("code",[e._v("spring.couchbase.password")]),e._v(" properties so using Spring Boot will pick up the generated credentials without further configuration.\nYou can configure the property names by setting"),a("code",[e._v("spring.cloud.vault.couchbase.username-property")]),e._v(" and"),a("code",[e._v("spring.cloud.vault.couchbase.password-property")]),e._v(".")]),e._v(" "),a("div",{staticClass:"language- extra-class"},[a("pre",{pre:!0,attrs:{class:"language-text"}},[a("code",[e._v("spring.cloud.vault:\n couchbase:\n enabled: true\n role: readonly\n backend: database\n username-property: spring.couchbase.username\n password-property: spring.couchbase.password\n")])])]),a("ul",[a("li",[a("p",[a("code",[e._v("enabled")]),e._v(" setting this value to "),a("code",[e._v("true")]),e._v(" enables the Couchbase backend config usage")])]),e._v(" "),a("li",[a("p",[a("code",[e._v("role")]),e._v(" sets the role name of the Couchbase role definition")])]),e._v(" "),a("li",[a("p",[a("code",[e._v("backend")]),e._v(" sets the path of the Couchbase mount to use")])]),e._v(" "),a("li",[a("p",[a("code",[e._v("username-property")]),e._v(" sets the property name in which the Couchbase username is stored")])]),e._v(" "),a("li",[a("p",[a("code",[e._v("password-property")]),e._v(" sets the property name in which the Couchbase password is stored")])])]),e._v(" "),a("p",[e._v("See also: "),a("a",{attrs:{href:"https://github.com/hashicorp/vault-plugin-database-couchbase",target:"_blank",rel:"noopener noreferrer"}},[e._v("Couchbase Database Plugin Documentation"),a("OutboundLink")],1)]),e._v(" "),a("h3",{attrs:{id:"_8-5-elasticsearch"}},[a("a",{staticClass:"header-anchor",attrs:{href:"#_8-5-elasticsearch"}},[e._v("#")]),e._v(" 8.5. Elasticsearch")]),e._v(" "),a("p",[e._v("Spring Cloud Vault can obtain since version 3.0 credentials for Elasticsearch.\nThe integration can be enabled by setting"),a("code",[e._v("spring.cloud.vault.elasticsearch.enabled=true")]),e._v(" (default "),a("code",[e._v("false")]),e._v(") and providing the role name with "),a("code",[e._v("spring.cloud.vault.elasticsearch.role=…")]),e._v(".")]),e._v(" "),a("p",[e._v("Username and password are available from "),a("code",[e._v("spring.elasticsearch.rest.username")]),e._v("and "),a("code",[e._v("spring.elasticsearch.rest.password")]),e._v(" properties so using Spring Boot will pick up the generated credentials without further configuration.\nYou can configure the property names by setting"),a("code",[e._v("spring.cloud.vault.elasticsearch.username-property")]),e._v(" and"),a("code",[e._v("spring.cloud.vault.elasticsearch.password-property")]),e._v(".")]),e._v(" "),a("div",{staticClass:"language- extra-class"},[a("pre",{pre:!0,attrs:{class:"language-text"}},[a("code",[e._v("spring.cloud.vault:\n elasticsearch:\n enabled: true\n role: readonly\n backend: mongodb\n username-property: spring.elasticsearch.rest.username\n password-property: spring.elasticsearch.rest.password\n")])])]),a("ul",[a("li",[a("p",[a("code",[e._v("enabled")]),e._v(" setting this value to "),a("code",[e._v("true")]),e._v(" enables the Elasticsearch database backend config usage")])]),e._v(" "),a("li",[a("p",[a("code",[e._v("role")]),e._v(" sets the role name of the Elasticsearch role definition")])]),e._v(" "),a("li",[a("p",[a("code",[e._v("backend")]),e._v(" sets the path of the Elasticsearch mount to use")])]),e._v(" "),a("li",[a("p",[a("code",[e._v("username-property")]),e._v(" sets the property name in which the Elasticsearch username is stored")])]),e._v(" "),a("li",[a("p",[a("code",[e._v("password-property")]),e._v(" sets the property name in which the Elasticsearch password is stored")])])]),e._v(" "),a("p",[e._v("See also: "),a("a",{attrs:{href:"https://www.vaultproject.io/docs/secrets/databases/elasticdb",target:"_blank",rel:"noopener noreferrer"}},[e._v("Vault Documentation: Setting up Elasticsearch with Vault"),a("OutboundLink")],1)]),e._v(" "),a("h3",{attrs:{id:"_8-6-mongodb"}},[a("a",{staticClass:"header-anchor",attrs:{href:"#_8-6-mongodb"}},[e._v("#")]),e._v(" 8.6. MongoDB")]),e._v(" "),a("table",[a("thead",[a("tr",[a("th"),e._v(" "),a("th",[e._v("The "),a("code",[e._v("mongodb")]),e._v(" backend has been deprecated in Vault 0.7.1 and it is recommended to use the "),a("code",[e._v("database")]),e._v(" backend and mount it as "),a("code",[e._v("mongodb")]),e._v(".")])])]),e._v(" "),a("tbody")]),e._v(" "),a("p",[e._v("Spring Cloud Vault can obtain credentials for MongoDB.\nThe integration can be enabled by setting"),a("code",[e._v("spring.cloud.vault.mongodb.enabled=true")]),e._v(" (default "),a("code",[e._v("false")]),e._v(") and providing the role name with "),a("code",[e._v("spring.cloud.vault.mongodb.role=…")]),e._v(".")]),e._v(" "),a("p",[e._v("Username and password are stored in "),a("code",[e._v("spring.data.mongodb.username")]),e._v("and "),a("code",[e._v("spring.data.mongodb.password")]),e._v(" so using Spring Boot will pick up the generated credentials without further configuration.\nYou can configure the property names by setting"),a("code",[e._v("spring.cloud.vault.mongodb.username-property")]),e._v(" and"),a("code",[e._v("spring.cloud.vault.mongodb.password-property")]),e._v(".")]),e._v(" "),a("div",{staticClass:"language- extra-class"},[a("pre",{pre:!0,attrs:{class:"language-text"}},[a("code",[e._v("spring.cloud.vault:\n mongodb:\n enabled: true\n role: readonly\n backend: mongodb\n username-property: spring.data.mongodb.username\n password-property: spring.data.mongodb.password\n")])])]),a("ul",[a("li",[a("p",[a("code",[e._v("enabled")]),e._v(" setting this value to "),a("code",[e._v("true")]),e._v(" enables the MongodB backend config usage")])]),e._v(" "),a("li",[a("p",[a("code",[e._v("role")]),e._v(" sets the role name of the MongoDB role definition")])]),e._v(" "),a("li",[a("p",[a("code",[e._v("backend")]),e._v(" sets the path of the MongoDB mount to use")])]),e._v(" "),a("li",[a("p",[a("code",[e._v("username-property")]),e._v(" sets the property name in which the MongoDB username is stored")])]),e._v(" "),a("li",[a("p",[a("code",[e._v("password-property")]),e._v(" sets the property name in which the MongoDB password is stored")])])]),e._v(" "),a("p",[e._v("See also: "),a("a",{attrs:{href:"https://www.vaultproject.io/docs/secrets/mongodb/index.html",target:"_blank",rel:"noopener noreferrer"}},[e._v("Vault Documentation: Setting up MongoDB with Vault"),a("OutboundLink")],1)]),e._v(" "),a("h3",{attrs:{id:"_8-7-mysql"}},[a("a",{staticClass:"header-anchor",attrs:{href:"#_8-7-mysql"}},[e._v("#")]),e._v(" 8.7. MySQL")]),e._v(" "),a("table",[a("thead",[a("tr",[a("th"),e._v(" "),a("th",[e._v("The "),a("code",[e._v("mysql")]),e._v(" backend has been deprecated in Vault 0.7.1 and it is recommended to use the "),a("code",[e._v("database")]),e._v(" backend and mount it as "),a("code",[e._v("mysql")]),e._v("."),a("br"),e._v("Configuration for "),a("code",[e._v("spring.cloud.vault.mysql")]),e._v(" will be removed in a future version.")])])]),e._v(" "),a("tbody")]),e._v(" "),a("p",[e._v("Spring Cloud Vault can obtain credentials for MySQL.\nThe integration can be enabled by setting"),a("code",[e._v("spring.cloud.vault.mysql.enabled=true")]),e._v(" (default "),a("code",[e._v("false")]),e._v(") and providing the role name with "),a("code",[e._v("spring.cloud.vault.mysql.role=…")]),e._v(".")]),e._v(" "),a("p",[e._v("Username and password are available from "),a("code",[e._v("spring.datasource.username")]),e._v("and "),a("code",[e._v("spring.datasource.password")]),e._v(" properties so using Spring Boot will pick up the generated credentials without further configuration.\nYou can configure the property names by setting"),a("code",[e._v("spring.cloud.vault.mysql.username-property")]),e._v(" and"),a("code",[e._v("spring.cloud.vault.mysql.password-property")]),e._v(".")]),e._v(" "),a("div",{staticClass:"language- extra-class"},[a("pre",{pre:!0,attrs:{class:"language-text"}},[a("code",[e._v("spring.cloud.vault:\n mysql:\n enabled: true\n role: readonly\n backend: mysql\n username-property: spring.datasource.username\n password-property: spring.datasource.password\n")])])]),a("ul",[a("li",[a("p",[a("code",[e._v("enabled")]),e._v(" setting this value to "),a("code",[e._v("true")]),e._v(" enables the MySQL backend config usage")])]),e._v(" "),a("li",[a("p",[a("code",[e._v("role")]),e._v(" sets the role name of the MySQL role definition")])]),e._v(" "),a("li",[a("p",[a("code",[e._v("backend")]),e._v(" sets the path of the MySQL mount to use")])]),e._v(" "),a("li",[a("p",[a("code",[e._v("username-property")]),e._v(" sets the property name in which the MySQL username is stored")])]),e._v(" "),a("li",[a("p",[a("code",[e._v("password-property")]),e._v(" sets the property name in which the MySQL password is stored")])])]),e._v(" "),a("p",[e._v("See also: "),a("a",{attrs:{href:"https://www.vaultproject.io/docs/secrets/mysql/index.html",target:"_blank",rel:"noopener noreferrer"}},[e._v("Vault Documentation: Setting up MySQL with Vault"),a("OutboundLink")],1)]),e._v(" "),a("h3",{attrs:{id:"_8-8-postgresql"}},[a("a",{staticClass:"header-anchor",attrs:{href:"#_8-8-postgresql"}},[e._v("#")]),e._v(" 8.8. PostgreSQL")]),e._v(" "),a("table",[a("thead",[a("tr",[a("th"),e._v(" "),a("th",[e._v("The "),a("code",[e._v("postgresql")]),e._v(" backend has been deprecated in Vault 0.7.1 and it is recommended to use the "),a("code",[e._v("database")]),e._v(" backend and mount it as "),a("code",[e._v("postgresql")]),e._v("."),a("br"),e._v("Configuration for "),a("code",[e._v("spring.cloud.vault.postgresql")]),e._v(" will be removed in a future version.")])])]),e._v(" "),a("tbody")]),e._v(" "),a("p",[e._v("Spring Cloud Vault can obtain credentials for PostgreSQL.\nThe integration can be enabled by setting"),a("code",[e._v("spring.cloud.vault.postgresql.enabled=true")]),e._v(" (default "),a("code",[e._v("false")]),e._v(") and providing the role name with "),a("code",[e._v("spring.cloud.vault.postgresql.role=…")]),e._v(".")]),e._v(" "),a("p",[e._v("Username and password are available from "),a("code",[e._v("spring.datasource.username")]),e._v("and "),a("code",[e._v("spring.datasource.password")]),e._v(" properties so using Spring Boot will pick up the generated credentials without further configuration.\nYou can configure the property names by setting"),a("code",[e._v("spring.cloud.vault.postgresql.username-property")]),e._v(" and"),a("code",[e._v("spring.cloud.vault.postgresql.password-property")]),e._v(".")]),e._v(" "),a("div",{staticClass:"language- extra-class"},[a("pre",{pre:!0,attrs:{class:"language-text"}},[a("code",[e._v("spring.cloud.vault:\n postgresql:\n enabled: true\n role: readonly\n backend: postgresql\n username-property: spring.datasource.username\n password-property: spring.datasource.password\n")])])]),a("ul",[a("li",[a("p",[a("code",[e._v("enabled")]),e._v(" setting this value to "),a("code",[e._v("true")]),e._v(" enables the PostgreSQL backend config usage")])]),e._v(" "),a("li",[a("p",[a("code",[e._v("role")]),e._v(" sets the role name of the PostgreSQL role definition")])]),e._v(" "),a("li",[a("p",[a("code",[e._v("backend")]),e._v(" sets the path of the PostgreSQL mount to use")])]),e._v(" "),a("li",[a("p",[a("code",[e._v("username-property")]),e._v(" sets the property name in which the PostgreSQL username is stored")])]),e._v(" "),a("li",[a("p",[a("code",[e._v("password-property")]),e._v(" sets the property name in which the PostgreSQL password is stored")])])]),e._v(" "),a("p",[e._v("See also: "),a("a",{attrs:{href:"https://www.vaultproject.io/docs/secrets/postgresql/index.html",target:"_blank",rel:"noopener noreferrer"}},[e._v("Vault Documentation: Setting up PostgreSQL with Vault"),a("OutboundLink")],1)]),e._v(" "),a("h2",{attrs:{id:"_9-customize-which-secret-backends-to-expose-as-propertysource"}},[a("a",{staticClass:"header-anchor",attrs:{href:"#_9-customize-which-secret-backends-to-expose-as-propertysource"}},[e._v("#")]),e._v(" 9. Customize which secret backends to expose as PropertySource")]),e._v(" "),a("p",[e._v("Spring Cloud Vault uses property-based configuration to create "),a("code",[e._v("PropertySource")]),e._v("s for key-value and discovered secret backends.")]),e._v(" "),a("p",[e._v("Discovered backends provide "),a("code",[e._v("VaultSecretBackendDescriptor")]),e._v(" beans to describe the configuration state to use secret backend as "),a("code",[e._v("PropertySource")]),e._v(".\nA "),a("code",[e._v("SecretBackendMetadataFactory")]),e._v(" is required to create a "),a("code",[e._v("SecretBackendMetadata")]),e._v(" object which contains path, name and property transformation configuration.")]),e._v(" "),a("p",[a("code",[e._v("SecretBackendMetadata")]),e._v(" is used to back a particular "),a("code",[e._v("PropertySource")]),e._v(".")]),e._v(" "),a("p",[e._v("You can register a "),a("code",[e._v("VaultConfigurer")]),e._v(" for customization.\nDefault key-value and discovered backend registration is disabled if you provide a "),a("code",[e._v("VaultConfigurer")]),e._v(".\nYou can however enable default registration with"),a("code",[e._v("SecretBackendConfigurer.registerDefaultKeyValueSecretBackends()")]),e._v(" and "),a("code",[e._v("SecretBackendConfigurer.registerDefaultDiscoveredSecretBackends()")]),e._v(".")]),e._v(" "),a("div",{staticClass:"language- extra-class"},[a("pre",{pre:!0,attrs:{class:"language-text"}},[a("code",[e._v('public class CustomizationBean implements VaultConfigurer {\n\n @Override\n public void addSecretBackends(SecretBackendConfigurer configurer) {\n\n configurer.add("secret/my-application");\n\n configurer.registerDefaultKeyValueSecretBackends(false);\n configurer.registerDefaultDiscoveredSecretBackends(true);\n }\n}\n')])])]),a("div",{staticClass:"language- extra-class"},[a("pre",{pre:!0,attrs:{class:"language-text"}},[a("code",[e._v("SpringApplication application = new SpringApplication(MyApplication.class);\napplication.addBootstrapper(VaultBootstrapper.fromConfigurer(new CustomizationBean()));\n")])])]),a("h2",{attrs:{id:"_10-custom-secret-backend-implementations"}},[a("a",{staticClass:"header-anchor",attrs:{href:"#_10-custom-secret-backend-implementations"}},[e._v("#")]),e._v(" 10. Custom Secret Backend Implementations")]),e._v(" "),a("p",[e._v("Spring Cloud Vault ships with secret backend support for the most common backend integrations.\nYou can integrate with any kind of backend by providing an implementation that describes how to obtain data from the backend you want to use and how to surface data provided by that backend by providing a "),a("code",[e._v("PropertyTransformer")]),e._v(".")]),e._v(" "),a("p",[e._v("Adding a custom implementation for a backend requires implementation of two interfaces:")]),e._v(" "),a("ul",[a("li",[a("p",[a("code",[e._v("org.springframework.cloud.vault.config.VaultSecretBackendDescriptor")])])]),e._v(" "),a("li",[a("p",[a("code",[e._v("org.springframework.cloud.vault.config.SecretBackendMetadataFactory")])])])]),e._v(" "),a("p",[a("code",[e._v("VaultSecretBackendDescriptor")]),e._v(" is typically an object that holds configuration data, such as "),a("code",[e._v("VaultDatabaseProperties")]),e._v(". Spring Cloud Vault requires that your type is annotated with "),a("code",[e._v("@ConfigurationProperties")]),e._v(" to materialize the class from the configuration.")]),e._v(" "),a("p",[a("code",[e._v("SecretBackendMetadataFactory")]),e._v(" accepts "),a("code",[e._v("VaultSecretBackendDescriptor")]),e._v(" to create the actual "),a("code",[e._v("SecretBackendMetadata")]),e._v(" object which holds the context path within your Vault server, any path variables required to resolve parametrized context paths and "),a("code",[e._v("PropertyTransformer")]),e._v(".")]),e._v(" "),a("p",[e._v("Both, "),a("code",[e._v("VaultSecretBackendDescriptor")]),e._v(" and "),a("code",[e._v("SecretBackendMetadataFactory")]),e._v(" types must be registered in "),a("code",[e._v("spring.factories")]),e._v(" which is an extension mechanism provided by Spring, similar to Java’s ServiceLoader.")]),e._v(" "),a("h2",{attrs:{id:"_11-service-registry-configuration"}},[a("a",{staticClass:"header-anchor",attrs:{href:"#_11-service-registry-configuration"}},[e._v("#")]),e._v(" 11. Service Registry Configuration")]),e._v(" "),a("p",[e._v("You can use a "),a("code",[e._v("DiscoveryClient")]),e._v(" (such as from Spring Cloud Consul) to locate a Vault server by setting spring.cloud.vault.discovery.enabled=true (default "),a("code",[e._v("false")]),e._v(").\nThe net result of that is that your apps need a application.yml (or an environment variable) with the appropriate discovery configuration.\nThe benefit is that the Vault can change its co-ordinates, as long as the discovery service is a fixed point.\nThe default service id is "),a("code",[e._v("vault")]),e._v(" but you can change that on the client with"),a("code",[e._v("spring.cloud.vault.discovery.serviceId")]),e._v(".")]),e._v(" "),a("p",[e._v("The discovery client implementations all support some kind of metadata map (e.g. for Eureka we have eureka.instance.metadataMap).\nSome additional properties of the service may need to be configured in its service registration metadata so that clients can connect correctly.\nService registries that do not provide details about transport layer security need to provide a "),a("code",[e._v("scheme")]),e._v(" metadata entry to be set either to "),a("code",[e._v("https")]),e._v(" or "),a("code",[e._v("http")]),e._v(".\nIf no scheme is configured and the service is not exposed as secure service, then configuration defaults to "),a("code",[e._v("spring.cloud.vault.scheme")]),e._v(" which is "),a("code",[e._v("https")]),e._v(" when it’s not set.")]),e._v(" "),a("div",{staticClass:"language- extra-class"},[a("pre",{pre:!0,attrs:{class:"language-text"}},[a("code",[e._v("spring.cloud.vault.discovery:\n enabled: true\n service-id: my-vault-service\n")])])]),a("h2",{attrs:{id:"_12-vault-client-fail-fast"}},[a("a",{staticClass:"header-anchor",attrs:{href:"#_12-vault-client-fail-fast"}},[e._v("#")]),e._v(" 12. Vault Client Fail Fast")]),e._v(" "),a("p",[e._v("In some cases, it may be desirable to fail startup of a service if it cannot connect to the Vault Server.\nIf this is the desired behavior, set the bootstrap configuration property"),a("code",[e._v("spring.cloud.vault.fail-fast=true")]),e._v(" and the client will halt with an Exception.")]),e._v(" "),a("div",{staticClass:"language- extra-class"},[a("pre",{pre:!0,attrs:{class:"language-text"}},[a("code",[e._v("spring.cloud.vault:\n fail-fast: true\n")])])]),a("h2",{attrs:{id:"_13-vault-enterprise-namespace-support"}},[a("a",{staticClass:"header-anchor",attrs:{href:"#_13-vault-enterprise-namespace-support"}},[e._v("#")]),e._v(" 13. Vault Enterprise Namespace Support")]),e._v(" "),a("p",[e._v("Vault Enterprise allows using namespaces to isolate multiple Vaults on a single Vault server.\nConfiguring a namespace by setting"),a("code",[e._v("spring.cloud.vault.namespace=…")]),e._v(" enables the namespace header"),a("code",[e._v("X-Vault-Namespace")]),e._v(" on every outgoing HTTP request when using the Vault"),a("code",[e._v("RestTemplate")]),e._v(" or "),a("code",[e._v("WebClient")]),e._v(".")]),e._v(" "),a("p",[e._v("Please note that this feature is not supported by Vault Community edition and has no effect on Vault operations.")]),e._v(" "),a("div",{staticClass:"language- extra-class"},[a("pre",{pre:!0,attrs:{class:"language-text"}},[a("code",[e._v("spring.cloud.vault:\n namespace: my-namespace\n")])])]),a("p",[e._v("See also: "),a("a",{attrs:{href:"https://www.vaultproject.io/docs/enterprise/namespaces/index.html",target:"_blank",rel:"noopener noreferrer"}},[e._v("Vault Enterprise: Namespaces"),a("OutboundLink")],1)]),e._v(" "),a("h2",{attrs:{id:"_14-vault-client-ssl-configuration"}},[a("a",{staticClass:"header-anchor",attrs:{href:"#_14-vault-client-ssl-configuration"}},[e._v("#")]),e._v(" 14. Vault Client SSL configuration")]),e._v(" "),a("p",[e._v("SSL can be configured declaratively by setting various properties.\nYou can set either "),a("code",[e._v("javax.net.ssl.trustStore")]),e._v(" to configure JVM-wide SSL settings or "),a("code",[e._v("spring.cloud.vault.ssl.trust-store")]),e._v("to set SSL settings only for Spring Cloud Vault Config.")]),e._v(" "),a("div",{staticClass:"language- extra-class"},[a("pre",{pre:!0,attrs:{class:"language-text"}},[a("code",[e._v("spring.cloud.vault:\n ssl:\n trust-store: classpath:keystore.jks\n trust-store-password: changeit\n trust-store-type: JKS\n enabled-protocols: TLSv1.2,TLSv1.3\n enabled-cipher-suites: TLS_AES_128_GCM_SHA256\n")])])]),a("ul",[a("li",[a("p",[a("code",[e._v("trust-store")]),e._v(" sets the resource for the trust-store.\nSSL-secured Vault communication will validate the Vault SSL certificate with the specified trust-store.")])]),e._v(" "),a("li",[a("p",[a("code",[e._v("trust-store-password")]),e._v(" sets the trust-store password")])]),e._v(" "),a("li",[a("p",[a("code",[e._v("trust-store-type")]),e._v(" sets the trust-store type. Supported values are all supported "),a("code",[e._v("KeyStore")]),e._v(" types including "),a("code",[e._v("PEM")]),e._v(".")])]),e._v(" "),a("li",[a("p",[a("code",[e._v("enabled-protocols")]),e._v(" sets the list of enabled SSL/TLS protocols (since 3.0.2).")])]),e._v(" "),a("li",[a("p",[a("code",[e._v("enabled-cipher-suites")]),e._v(" sets the list of enabled SSL/TLS cipher suites (since 3.0.2).")])])]),e._v(" "),a("p",[e._v("Please note that configuring "),a("code",[e._v("spring.cloud.vault.ssl.*")]),e._v(" can be only applied when either Apache Http Components or the OkHttp client is on your class-path.")]),e._v(" "),a("h2",{attrs:{id:"_15-lease-lifecycle-management-renewal-and-revocation"}},[a("a",{staticClass:"header-anchor",attrs:{href:"#_15-lease-lifecycle-management-renewal-and-revocation"}},[e._v("#")]),e._v(" 15. Lease lifecycle management (renewal and revocation)")]),e._v(" "),a("p",[e._v("With every secret, Vault creates a lease:\nmetadata containing information such as a time duration, renewability, and more.")]),e._v(" "),a("p",[e._v("Vault promises that the data will be valid for the given duration, or Time To Live (TTL).\nOnce the lease is expired, Vault can revoke the data, and the consumer of the secret can no longer be certain that it is valid.")]),e._v(" "),a("p",[e._v("Spring Cloud Vault maintains a lease lifecycle beyond the creation of login tokens and secrets.\nThat said, login tokens and secrets associated with a lease are scheduled for renewal just before the lease expires until terminal expiry.\nApplication shutdown revokes obtained login tokens and renewable leases.")]),e._v(" "),a("p",[e._v("Secret service and database backends (such as MongoDB or MySQL) usually generate a renewable lease so generated credentials will be disabled on application shutdown.")]),e._v(" "),a("table",[a("thead",[a("tr",[a("th"),e._v(" "),a("th",[e._v("Static tokens are not renewed or revoked.")])])]),e._v(" "),a("tbody")]),e._v(" "),a("p",[e._v("Lease renewal and revocation is enabled by default and can be disabled by setting "),a("code",[e._v("spring.cloud.vault.config.lifecycle.enabled")]),e._v("to "),a("code",[e._v("false")]),e._v(".\nThis is not recommended as leases can expire and Spring Cloud Vault cannot longer access Vault or services using generated credentials and valid credentials remain active after application shutdown.")]),e._v(" "),a("div",{staticClass:"language- extra-class"},[a("pre",{pre:!0,attrs:{class:"language-text"}},[a("code",[e._v("spring.cloud.vault:\n config.lifecycle:\n enabled: true\n min-renewal: 10s\n expiry-threshold: 1m\n lease-endpoints: Legacy\n")])])]),a("ul",[a("li",[a("p",[a("code",[e._v("enabled")]),e._v(" controls whether leases associated with secrets are considered to be renewed and expired secrets are rotated.\nEnabled by default.")])]),e._v(" "),a("li",[a("p",[a("code",[e._v("min-renewal")]),e._v(" sets the duration that is at least required before renewing a lease.\nThis setting prevents renewals from happening too often.")])]),e._v(" "),a("li",[a("p",[a("code",[e._v("expiry-threshold")]),e._v(" sets the expiry threshold.\nA lease is renewed the configured period of time before it expires.")])]),e._v(" "),a("li",[a("p",[a("code",[e._v("lease-endpoints")]),e._v(" sets the endpoints for renew and revoke.\nLegacy for vault versions before 0.8 and SysLeases for later.")])])]),e._v(" "),a("p",[e._v("See also: "),a("a",{attrs:{href:"https://www.vaultproject.io/docs/concepts/lease.html",target:"_blank",rel:"noopener noreferrer"}},[e._v("Vault Documentation: Lease, Renew, and Revoke"),a("OutboundLink")],1)]),e._v(" "),a("h2",{attrs:{id:"_16-session-token-lifecycle-management-renewal-re-login-and-revocation"}},[a("a",{staticClass:"header-anchor",attrs:{href:"#_16-session-token-lifecycle-management-renewal-re-login-and-revocation"}},[e._v("#")]),e._v(" 16. Session token lifecycle management (renewal, re-login and revocation)")]),e._v(" "),a("p",[e._v("A Vault session token (also referred to as "),a("code",[e._v("LoginToken")]),e._v(") is quite similar to a lease as it has a TTL, max TTL, and may expire.\nOnce a login token expires, it cannot be used anymore to interact with Vault.\nTherefore, Spring Vault ships with a "),a("code",[e._v("SessionManager")]),e._v(" API for imperative and reactive use.")]),e._v(" "),a("p",[e._v("Spring Cloud Vault maintains the session token lifecycle by default.\nSession tokens are obtained lazily so the actual login is deferred until the first session-bound use of Vault.\nOnce Spring Cloud Vault obtains a session token, it retains it until expiry.\nThe next time a session-bound activity is used, Spring Cloud Vault re-logins into Vault and obtains a new session token.\nOn application shut down, Spring Cloud Vault revokes the token if it was still active to terminate the session.")]),e._v(" "),a("p",[e._v("Session lifecycle is enabled by default and can be disabled by setting "),a("code",[e._v("spring.cloud.vault.session.lifecycle.enabled")]),e._v("to "),a("code",[e._v("false")]),e._v(".\nDisabling is not recommended as session tokens can expire and Spring Cloud Vault cannot longer access Vault.")]),e._v(" "),a("div",{staticClass:"language- extra-class"},[a("pre",{pre:!0,attrs:{class:"language-text"}},[a("code",[e._v("spring.cloud.vault:\n session.lifecycle:\n enabled: true\n refresh-before-expiry: 10s\n expiry-threshold: 20s\n")])])]),a("ul",[a("li",[a("p",[a("code",[e._v("enabled")]),e._v(" controls whether session lifecycle management is enabled to renew session tokens.\nEnabled by default.")])]),e._v(" "),a("li",[a("p",[a("code",[e._v("refresh-before-expiry")]),e._v(" controls the point in time when the session token gets renewed.\nThe refresh time is calculated by subtracting "),a("code",[e._v("refresh-before-expiry")]),e._v(" from the token expiry time.\nDefaults to "),a("code",[e._v("5 seconds")]),e._v(".")])]),e._v(" "),a("li",[a("p",[a("code",[e._v("expiry-threshold")]),e._v(" sets the expiry threshold.\nThe threshold represents a minimum TTL duration to consider a session token as valid.\nTokens with a shorter TTL are considered expired and are not used anymore.\nShould be greater than "),a("code",[e._v("refresh-before-expiry")]),e._v(" to prevent token expiry.\nDefaults to "),a("code",[e._v("7 seconds")]),e._v(".")])])]),e._v(" "),a("p",[e._v("See also: "),a("a",{attrs:{href:"https://www.vaultproject.io/api-docs/auth/token#renew-a-token-self",target:"_blank",rel:"noopener noreferrer"}},[e._v("Vault Documentation: Token Renewal"),a("OutboundLink")],1)]),e._v(" "),a("h2",{attrs:{id:"appendix-a-common-application-properties"}},[a("a",{staticClass:"header-anchor",attrs:{href:"#appendix-a-common-application-properties"}},[e._v("#")]),e._v(" Appendix A: Common application properties")]),e._v(" "),a("p",[e._v("Various properties can be specified inside your "),a("code",[e._v("application.properties")]),e._v(" file, inside your "),a("code",[e._v("application.yml")]),e._v(" file, or as command line switches.\nThis appendix provides a list of common Spring Cloud Vault properties and references to the underlying classes that consume them.")]),e._v(" "),a("table",[a("thead",[a("tr",[a("th"),e._v(" "),a("th",[e._v("Property contributions can come from additional jar files on your classpath, so you should not consider this an exhaustive list."),a("br"),e._v("Also, you can define your own properties.")])])]),e._v(" "),a("tbody")]),e._v(" "),a("table",[a("thead",[a("tr",[a("th",[e._v("Name")]),e._v(" "),a("th",[e._v("Default")]),e._v(" "),a("th",[e._v("Description")])])]),e._v(" "),a("tbody",[a("tr",[a("td",[e._v("spring.cloud.vault.app-id.app-id-path")]),e._v(" "),a("td",[a("code",[e._v("app-id")])]),e._v(" "),a("td",[e._v("Mount path of the AppId authentication backend.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.app-id.network-interface")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v('Network interface hint for the "MAC_ADDRESS" UserId mechanism.')])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.app-id.user-id")]),e._v(" "),a("td",[a("code",[e._v("MAC_ADDRESS")])]),e._v(" "),a("td",[e._v('UserId mechanism. Can be either "MAC_ADDRESS", "IP_ADDRESS", a string or a class name.')])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.app-role.app-role-path")]),e._v(" "),a("td",[a("code",[e._v("approle")])]),e._v(" "),a("td",[e._v("Mount path of the AppRole authentication backend.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.app-role.role")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Name of the role, optional, used for pull-mode.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.app-role.role-id")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("The RoleId.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.app-role.secret-id")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("The SecretId.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.application-name")]),e._v(" "),a("td",[a("code",[e._v("application")])]),e._v(" "),a("td",[e._v("Application name for AppId authentication.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.authentication")]),e._v(" "),a("td"),e._v(" "),a("td")]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.aws-ec2.aws-ec2-path")]),e._v(" "),a("td",[a("code",[e._v("aws-ec2")])]),e._v(" "),a("td",[e._v("Mount path of the AWS-EC2 authentication backend.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.aws-ec2.identity-document")]),e._v(" "),a("td",[a("code",[e._v("[169.254.169.254/latest/dynamic/instance-identity/pkcs7](http://169.254.169.254/latest/dynamic/instance-identity/pkcs7)")])]),e._v(" "),a("td",[e._v("URL of the AWS-EC2 PKCS7 identity document.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.aws-ec2.nonce")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Nonce used for AWS-EC2 authentication. An empty nonce defaults to nonce generation.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.aws-ec2.role")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Name of the role, optional.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.aws-iam.aws-path")]),e._v(" "),a("td",[a("code",[e._v("aws")])]),e._v(" "),a("td",[e._v("Mount path of the AWS authentication backend.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.aws-iam.endpoint-uri")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("STS server URI. @since 2.2")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.aws-iam.role")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Name of the role, optional. Defaults to the friendly IAM name if not set.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.aws-iam.server-name")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Name of the server used to set {@code X-Vault-AWS-IAM-Server-ID} header in the headers of login requests.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.aws.access-key-property")]),e._v(" "),a("td",[a("code",[e._v("cloud.aws.credentials.accessKey")])]),e._v(" "),a("td",[e._v("Target property for the obtained access key.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.aws.backend")]),e._v(" "),a("td",[a("code",[e._v("aws")])]),e._v(" "),a("td",[e._v("aws backend path.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.aws.credential-type")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("aws credential type")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.aws.enabled")]),e._v(" "),a("td",[a("code",[e._v("false")])]),e._v(" "),a("td",[e._v("Enable aws backend usage.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.aws.role")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Role name for credentials.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.aws.role-arn")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Role arn for assumed_role in case we have multiple roles associated with the vault role. @since 3.0.2")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.aws.secret-key-property")]),e._v(" "),a("td",[a("code",[e._v("cloud.aws.credentials.secretKey")])]),e._v(" "),a("td",[e._v("Target property for the obtained secret key.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.aws.session-token-key-property")]),e._v(" "),a("td",[a("code",[e._v("cloud.aws.credentials.sessionToken")])]),e._v(" "),a("td",[e._v("Target property for the obtained secret key.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.aws.ttl")]),e._v(" "),a("td",[a("code",[e._v("0")])]),e._v(" "),a("td",[e._v("TTL for sts tokens. Defaults to whatever the vault Role may have for Max. Also limited to what AWS supports to be the max for STS. @since 3.0.2")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.azure-msi.azure-path")]),e._v(" "),a("td",[a("code",[e._v("azure")])]),e._v(" "),a("td",[e._v("Mount path of the Azure MSI authentication backend.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.azure-msi.identity-token-service")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Identity token service URI. @since 3.0")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.azure-msi.metadata-service")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Instance metadata service URI. @since 3.0")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.azure-msi.role")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Name of the role.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.cassandra.backend")]),e._v(" "),a("td",[a("code",[e._v("cassandra")])]),e._v(" "),a("td",[e._v("Cassandra backend path.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.cassandra.enabled")]),e._v(" "),a("td",[a("code",[e._v("false")])]),e._v(" "),a("td",[e._v("Enable cassandra backend usage.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.cassandra.password-property")]),e._v(" "),a("td",[a("code",[e._v("spring.data.cassandra.password")])]),e._v(" "),a("td",[e._v("Target property for the obtained password.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.cassandra.role")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Role name for credentials.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.cassandra.static-role")]),e._v(" "),a("td",[a("code",[e._v("false")])]),e._v(" "),a("td",[e._v("Enable static role usage. @since 2.2")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.cassandra.username-property")]),e._v(" "),a("td",[a("code",[e._v("spring.data.cassandra.username")])]),e._v(" "),a("td",[e._v("Target property for the obtained username.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.config.lifecycle.enabled")]),e._v(" "),a("td",[a("code",[e._v("true")])]),e._v(" "),a("td",[e._v("Enable lifecycle management.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.config.lifecycle.expiry-threshold")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("The expiry threshold. {@link Lease} is renewed the given {@link Duration} before it expires. @since 2.2")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.config.lifecycle.lease-endpoints")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Set the {@link LeaseEndpoints} to delegate renewal/revocation calls to. {@link LeaseEndpoints} encapsulates differences between Vault versions that affect the location of renewal/revocation endpoints. Can be {@link LeaseEndpoints#SysLeases} for version 0.8 or above of Vault or {@link LeaseEndpoints#Legacy} for older versions (the default). @since 2.2")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.config.lifecycle.min-renewal")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("The time period that is at least required before renewing a lease. @since 2.2")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.config.order")]),e._v(" "),a("td",[a("code",[e._v("0")])]),e._v(" "),a("td",[e._v("Used to set a {@link org.springframework.core.env.PropertySource} priority. This is useful to use Vault as an override on other property sources. @see org.springframework.core.PriorityOrdered")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.connection-timeout")]),e._v(" "),a("td",[a("code",[e._v("5000")])]),e._v(" "),a("td",[e._v("Connection timeout.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.consul.backend")]),e._v(" "),a("td",[a("code",[e._v("consul")])]),e._v(" "),a("td",[e._v("Consul backend path.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.consul.enabled")]),e._v(" "),a("td",[a("code",[e._v("false")])]),e._v(" "),a("td",[e._v("Enable consul backend usage.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.consul.role")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Role name for credentials.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.consul.token-property")]),e._v(" "),a("td",[a("code",[e._v("spring.cloud.consul.token")])]),e._v(" "),a("td",[e._v("Target property for the obtained token.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.couchbase.backend")]),e._v(" "),a("td",[a("code",[e._v("database")])]),e._v(" "),a("td",[e._v("Couchbase backend path.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.couchbase.enabled")]),e._v(" "),a("td",[a("code",[e._v("false")])]),e._v(" "),a("td",[e._v("Enable couchbase backend usage.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.couchbase.password-property")]),e._v(" "),a("td",[a("code",[e._v("spring.couchbase.password")])]),e._v(" "),a("td",[e._v("Target property for the obtained password.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.couchbase.role")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Role name for credentials.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.couchbase.static-role")]),e._v(" "),a("td",[a("code",[e._v("false")])]),e._v(" "),a("td",[e._v("Enable static role usage.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.couchbase.username-property")]),e._v(" "),a("td",[a("code",[e._v("spring.couchbase.username")])]),e._v(" "),a("td",[e._v("Target property for the obtained username.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.database.backend")]),e._v(" "),a("td",[a("code",[e._v("database")])]),e._v(" "),a("td",[e._v("Database backend path.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.database.enabled")]),e._v(" "),a("td",[a("code",[e._v("false")])]),e._v(" "),a("td",[e._v("Enable database backend usage.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.database.password-property")]),e._v(" "),a("td",[a("code",[e._v("spring.datasource.password")])]),e._v(" "),a("td",[e._v("Target property for the obtained password.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.database.role")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Role name for credentials.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.database.static-role")]),e._v(" "),a("td",[a("code",[e._v("false")])]),e._v(" "),a("td",[e._v("Enable static role usage.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.database.username-property")]),e._v(" "),a("td",[a("code",[e._v("spring.datasource.username")])]),e._v(" "),a("td",[e._v("Target property for the obtained username.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.databases")]),e._v(" "),a("td"),e._v(" "),a("td")]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.discovery.enabled")]),e._v(" "),a("td",[a("code",[e._v("false")])]),e._v(" "),a("td",[e._v("Flag to indicate that Vault server discovery is enabled (vault server URL will be looked up via discovery).")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.discovery.service-id")]),e._v(" "),a("td",[a("code",[e._v("vault")])]),e._v(" "),a("td",[e._v("Service id to locate Vault.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.elasticsearch.backend")]),e._v(" "),a("td",[a("code",[e._v("database")])]),e._v(" "),a("td",[e._v("Database backend path.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.elasticsearch.enabled")]),e._v(" "),a("td",[a("code",[e._v("false")])]),e._v(" "),a("td",[e._v("Enable elasticsearch backend usage.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.elasticsearch.password-property")]),e._v(" "),a("td",[a("code",[e._v("spring.elasticsearch.rest.password")])]),e._v(" "),a("td",[e._v("Target property for the obtained password.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.elasticsearch.role")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Role name for credentials.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.elasticsearch.static-role")]),e._v(" "),a("td",[a("code",[e._v("false")])]),e._v(" "),a("td",[e._v("Enable static role usage.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.elasticsearch.username-property")]),e._v(" "),a("td",[a("code",[e._v("spring.elasticsearch.rest.username")])]),e._v(" "),a("td",[e._v("Target property for the obtained username.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.enabled")]),e._v(" "),a("td",[a("code",[e._v("true")])]),e._v(" "),a("td",[e._v("Enable Vault config server.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.fail-fast")]),e._v(" "),a("td",[a("code",[e._v("false")])]),e._v(" "),a("td",[e._v("Fail fast if data cannot be obtained from Vault.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.gcp-gce.gcp-path")]),e._v(" "),a("td",[a("code",[e._v("gcp")])]),e._v(" "),a("td",[e._v("Mount path of the Kubernetes authentication backend.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.gcp-gce.role")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Name of the role against which the login is being attempted.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.gcp-gce.service-account")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Optional service account id. Using the default id if left unconfigured.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.gcp-iam.credentials.encoded-key")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("The base64 encoded contents of an OAuth2 account private key in JSON format.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.gcp-iam.credentials.location")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Location of the OAuth2 credentials private key. Since this is a Resource, the private key can be in a multitude of locations, such as a local file system, classpath, URL, etc.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.gcp-iam.gcp-path")]),e._v(" "),a("td",[a("code",[e._v("gcp")])]),e._v(" "),a("td",[e._v("Mount path of the Kubernetes authentication backend.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.gcp-iam.jwt-validity")]),e._v(" "),a("td",[a("code",[e._v("15m")])]),e._v(" "),a("td",[e._v("Validity of the JWT token.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.gcp-iam.project-id")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Overrides the GCP project Id.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.gcp-iam.role")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Name of the role against which the login is being attempted.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.gcp-iam.service-account-id")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Overrides the GCP service account Id.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.host")]),e._v(" "),a("td",[a("code",[e._v("localhost")])]),e._v(" "),a("td",[e._v("Vault server host.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.kubernetes.kubernetes-path")]),e._v(" "),a("td",[a("code",[e._v("kubernetes")])]),e._v(" "),a("td",[e._v("Mount path of the Kubernetes authentication backend.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.kubernetes.role")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Name of the role against which the login is being attempted.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.kubernetes.service-account-token-file")]),e._v(" "),a("td",[a("code",[e._v("/var/run/secrets/kubernetes.io/serviceaccount/token")])]),e._v(" "),a("td",[e._v("Path to the service account token file.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.kv.application-name")]),e._v(" "),a("td",[a("code",[e._v("application")])]),e._v(" "),a("td",[e._v("Application name to be used for the context.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.kv.backend")]),e._v(" "),a("td",[a("code",[e._v("secret")])]),e._v(" "),a("td",[e._v("Name of the default backend.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.kv.backend-version")]),e._v(" "),a("td",[a("code",[e._v("2")])]),e._v(" "),a("td",[e._v("Key-Value backend version. Currently supported versions are:
- Version 1 (unversioned key-value backend).
- Version 2 (versioned key-value backend).
")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.kv.default-context")]),e._v(" "),a("td",[a("code",[e._v("application")])]),e._v(" "),a("td",[e._v("Name of the default context.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.kv.enabled")]),e._v(" "),a("td",[a("code",[e._v("true")])]),e._v(" "),a("td",[e._v("Enable the kev-value backend.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.kv.profile-separator")]),e._v(" "),a("td",[a("code",[e._v("/")])]),e._v(" "),a("td",[e._v("Profile-separator to combine application name and profile.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.kv.profiles")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("List of active profiles. @since 3.0")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.mongodb.backend")]),e._v(" "),a("td",[a("code",[e._v("mongodb")])]),e._v(" "),a("td",[e._v("MongoDB backend path.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.mongodb.enabled")]),e._v(" "),a("td",[a("code",[e._v("false")])]),e._v(" "),a("td",[e._v("Enable mongodb backend usage.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.mongodb.password-property")]),e._v(" "),a("td",[a("code",[e._v("spring.data.mongodb.password")])]),e._v(" "),a("td",[e._v("Target property for the obtained password.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.mongodb.role")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Role name for credentials.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.mongodb.static-role")]),e._v(" "),a("td",[a("code",[e._v("false")])]),e._v(" "),a("td",[e._v("Enable static role usage. @since 2.2")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.mongodb.username-property")]),e._v(" "),a("td",[a("code",[e._v("spring.data.mongodb.username")])]),e._v(" "),a("td",[e._v("Target property for the obtained username.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.mysql.backend")]),e._v(" "),a("td",[a("code",[e._v("mysql")])]),e._v(" "),a("td",[e._v("mysql backend path.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.mysql.enabled")]),e._v(" "),a("td",[a("code",[e._v("false")])]),e._v(" "),a("td",[e._v("Enable mysql backend usage.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.mysql.password-property")]),e._v(" "),a("td",[a("code",[e._v("spring.datasource.password")])]),e._v(" "),a("td",[e._v("Target property for the obtained username.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.mysql.role")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Role name for credentials.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.mysql.username-property")]),e._v(" "),a("td",[a("code",[e._v("spring.datasource.username")])]),e._v(" "),a("td",[e._v("Target property for the obtained username.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.namespace")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Vault namespace (requires Vault Enterprise).")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.pcf.instance-certificate")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Path to the instance certificate (PEM). Defaults to {@code CF_INSTANCE_CERT} env variable.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.pcf.instance-key")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Path to the instance key (PEM). Defaults to {@code CF_INSTANCE_KEY} env variable.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.pcf.pcf-path")]),e._v(" "),a("td",[a("code",[e._v("pcf")])]),e._v(" "),a("td",[e._v("Mount path of the Kubernetes authentication backend.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.pcf.role")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Name of the role against which the login is being attempted.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.port")]),e._v(" "),a("td",[a("code",[e._v("8200")])]),e._v(" "),a("td",[e._v("Vault server port.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.postgresql.backend")]),e._v(" "),a("td",[a("code",[e._v("postgresql")])]),e._v(" "),a("td",[e._v("postgresql backend path.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.postgresql.enabled")]),e._v(" "),a("td",[a("code",[e._v("false")])]),e._v(" "),a("td",[e._v("Enable postgresql backend usage.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.postgresql.password-property")]),e._v(" "),a("td",[a("code",[e._v("spring.datasource.password")])]),e._v(" "),a("td",[e._v("Target property for the obtained username.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.postgresql.role")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Role name for credentials.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.postgresql.username-property")]),e._v(" "),a("td",[a("code",[e._v("spring.datasource.username")])]),e._v(" "),a("td",[e._v("Target property for the obtained username.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.rabbitmq.backend")]),e._v(" "),a("td",[a("code",[e._v("rabbitmq")])]),e._v(" "),a("td",[e._v("rabbitmq backend path.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.rabbitmq.enabled")]),e._v(" "),a("td",[a("code",[e._v("false")])]),e._v(" "),a("td",[e._v("Enable rabbitmq backend usage.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.rabbitmq.password-property")]),e._v(" "),a("td",[a("code",[e._v("spring.rabbitmq.password")])]),e._v(" "),a("td",[e._v("Target property for the obtained password.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.rabbitmq.role")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Role name for credentials.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.rabbitmq.username-property")]),e._v(" "),a("td",[a("code",[e._v("spring.rabbitmq.username")])]),e._v(" "),a("td",[e._v("Target property for the obtained username.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.reactive.enabled")]),e._v(" "),a("td",[a("code",[e._v("true")])]),e._v(" "),a("td",[e._v("Flag to indicate that reactive discovery is enabled")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.read-timeout")]),e._v(" "),a("td",[a("code",[e._v("15000")])]),e._v(" "),a("td",[e._v("Read timeout.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.scheme")]),e._v(" "),a("td",[a("code",[e._v("https")])]),e._v(" "),a("td",[e._v('Protocol scheme. Can be either "http" or "https".')])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.session.lifecycle.enabled")]),e._v(" "),a("td",[a("code",[e._v("true")])]),e._v(" "),a("td",[e._v("Enable session lifecycle management.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.session.lifecycle.expiry-threshold")]),e._v(" "),a("td",[a("code",[e._v("7s")])]),e._v(" "),a("td",[e._v("The expiry threshold for a {@link LoginToken}. The threshold represents a minimum TTL duration to consider a login token as valid. Tokens with a shorter TTL are considered expired and are not used anymore. Should be greater than {@code refreshBeforeExpiry} to prevent token expiry.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.session.lifecycle.refresh-before-expiry")]),e._v(" "),a("td",[a("code",[e._v("5s")])]),e._v(" "),a("td",[e._v("The time period that is at least required before renewing the {@link LoginToken}.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.ssl.cert-auth-path")]),e._v(" "),a("td",[a("code",[e._v("cert")])]),e._v(" "),a("td",[e._v("Mount path of the TLS cert authentication backend.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.ssl.enabled-cipher-suites")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("List of enabled SSL/TLS cipher suites. @since 3.0.2")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.ssl.enabled-protocols")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("List of enabled SSL/TLS protocol. @since 3.0.2")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.ssl.key-store")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Trust store that holds certificates and private keys.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.ssl.key-store-password")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Password used to access the key store.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.ssl.key-store-type")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Type of the key store. @since 3.0")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.ssl.trust-store")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Trust store that holds SSL certificates.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.ssl.trust-store-password")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Password used to access the trust store.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.ssl.trust-store-type")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Type of the trust store. @since 3.0")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.token")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Static vault token. Required if {@link #authentication} is {@code TOKEN}.")])]),e._v(" "),a("tr",[a("td",[e._v("spring.cloud.vault.uri")]),e._v(" "),a("td"),e._v(" "),a("td",[e._v("Vault URI. Can be set with scheme, host and port.")])])])])])}),[],!1,null,null,null);t.default=o.exports}}]);