spring-boothashicorp-vaultspring-vaultspring-cloud-vault-config

Adding keys to Spring Boot vault


I am implementing Spring Boot vault. Whenever I try to add more than one key, only the last one is saved. For example, at this page, https://www.javainuse.com/spring/cloud-vault, they have this example

enter image description here

But when I then query the vault, I see

c:\vault>vault kv get secret/javainuseapp
======= Data =======
Key           Value
---           -----
dbpassword    root

If I set both keys at the same time, it seems to work

c:\vault>vault kv put secret/javainuseapp dbusername=root dbpassword=root
Success! Data written to: secret/javainuseapp

c:\vault>vault kv get secret/javainuseapp
======= Data =======
Key           Value
---           -----
dbpassword    root
dbusername    root

How does one add additional keys?


Solution

  • This is standard usage for the Vault API, and therefore also for the CLI which is a wrapper around the Golang bindings around the REST API. If you want to overwrite a key value pair with the Vault CLI and retain the former key value pairs, then you must additionally specify them like you did in the final example:

    kv put secret/javainuseapp dbusername=root dbpassword=root
    

    All key value pairs specified during the command for a specific path will be stored at that secret version (the version corresponding to an integer equal to the number of writes at that path, unless previous versions are deleted). All key value pairs are still stored, but at the previous secret version. When you execute the command vault kv get secret/javainuseapp, you are retrieving the secret at the current version corresponding to the most recent write.

    However, note that if the Vault policy or policies support patch operations on the secret path for the associated role/user/etc., then you can also execute a patch subcommand to only update one key value pair while retaining the others in the newest version of the secret:

    vault kv patch secret/javainuseapp dbusername=root
    

    and in that situation the dbpassword key will be retained in the newest secret version.