Spring Cloud Azure secret management
This article applies to: ✅ Version 4.19.0 ✅ Version 5.19.0
Spring Cloud Azure construct PropertySource
which holds secrets stored in Azure Key Vault Secrets.
Dependency setup
<dependency>
<groupId>com.azure.spring</groupId>
<artifactId>spring-cloud-azure-starter-keyvault-secrets</artifactId>
</dependency>
Tip
We also provide spring-cloud-azure-starter-keyvault
to support all the features of Key Vault. If you choose to use it, spring.cloud.azure.keyvault.enable
is the property to configure and the default value is true. You can then use spring.cloud.azure.keyvault.<keyvault-service>.enable
to disable unneeded services.
Basic usage
If you want to authenticate by client-id
and client-secret
, the following properties are required:
Configuration Properties
spring:
cloud:
azure:
keyvault:
secret:
property-sources:
- name: key-vault-property-source-1
endpoint: ${ENDPOINT_1}
- name: key-vault-property-source-2
endpoint: ${ENDPOINT_2}
Java code
@SpringBootApplication
public class SampleApplication implements CommandLineRunner {
@Value("${sampleProperty1}")
private String sampleProperty1;
@Value("${sampleProperty2}")
private String sampleProperty2;
@Value("${samplePropertyInMultipleKeyVault}")
private String samplePropertyInMultipleKeyVault;
public static void main(String[] args) {
SpringApplication.run(SampleApplication.class, args);
}
public void run(String[] args) {
System.out.println("sampleProperty1: " + sampleProperty1);
System.out.println("sampleProperty2: " + sampleProperty2);
System.out.println("samplePropertyInMultipleKeyVault: " + samplePropertyInMultipleKeyVault);
}
}
Advanced usage
Special characters in property name
Key Vault secret names support only characters in [0-9a-zA-Z-]
. For more information, see theVault-name and Object-name section of Azure Key Vault keys, secrets and certificates overview. If your property name contains other characters, you can use the workarounds described in the following sections.
Use -
instead of .
in secret names
.
isn't supported in secret names. If your application has a property name that contains .
, such as spring.datasource.url
, replace .
with -
when saving the secret in Azure Key Vault. For example, save spring-datasource-url
in Azure Key Vault. In your application, you can still use spring.datasource.url
to retrieve the property value.
Note
This method cannot satisfy a requirement like spring.datasource-url
. When you save spring-datasource-url
in Key Vault, only spring.datasource.url
and spring-datasource-url
is supported to retrieve the property value, but spring.datasource-url
isn't supported. To handle this case, see the Use property placeholders section.
Use property placeholders
For example, suppose you're setting this property in your application.properties file:
property.with.special.character__=${propertyWithoutSpecialCharacter}
The application will get a propertyWithoutSpecialCharacter
key name and assign its value to property.with.special.character__
.
Case-sensitive
To enable case-sensitive mode, you can set the following property:
spring.cloud.azure.keyvault.secret.property-sources[].case-sensitive=true
Not retrieve all secrets in Key Vault
If you stored 1000 secrets in the Key Vault, and you just want to use 3 of them. You can list the 3 secret names by spring.cloud.azure.keyvault.secret.property-sources[].secret-keys
.
Setting refresh interval
By default, the secrets in KeyVaultPropertySource
will refresh every 30 minutes. You can configure the time by spring.cloud.azure.keyvault.secret.property-sources[].refresh-interval
. For example: spring.cloud.azure.keyvault.secret.property-sources[].refresh-interval=60m
means refresh every 60 minutes. Set to 0
to disable auto refresh.
PropertySource priority
If key exists in multiple PropertySources, which will take effect is decided by the priority.
- If there is no
SystemEnvironmentPropertySource
in thePropertySource
list, thenKeyVaultPropertySource
will take the highest priority. - If there is
SystemEnvironmentPropertySource
in thePropertySource
list, thenSystemEnvironmentPropertySource
have higher priority thanKeyVaultPropertySource
, which means you can use an environment variable to override the Key Vault secret value in your application. - If there are multiple key vault property sources in the
PropertySource
list, then the definition order is the priority order. Taking the above sample as an example,key-vault-property-source-1
has a higher priority thankey-vault-property-source-2
.
Configure token credential for Key Vault property source
If you need to use a specified token credential for Key Vault PropertySource
, you can register the TokenCredential
bean in the ConfigurableBootstrapContext
for KeyVaultEnvironmentPostProcessor
, this feature is supported from Spring Cloud Azure 5.19.0. Here is an example to use AzureCliCredential
:
public static void main(String[] args) {
SpringApplication application = new SpringApplication(PropertySourceApplication.class);
application.addBootstrapRegistryInitializer(registry ->
registry.register(TokenCredential.class, context -> new AzureCliCredentialBuilder().build()));
application.run(args);
}
All configurable properties
Property | Default value | Description |
---|---|---|
spring.cloud.azure.keyvault.secret.property-source-enabled | true | Whether to enable the Key Vault property source. |
spring.cloud.azure.keyvault.secret.property-sources[].name | Name of this property source. | |
spring.cloud.azure.keyvault.secret.property-sources[].endpoint | Azure Key Vault endpoint. | |
spring.cloud.azure.keyvault.secret.property-sources[].case-sensitive | false | Whether the secret keys are case-sensitive. |
spring.cloud.azure.keyvault.secret.property-sources[].secret-keys | The secret keys supported for this property source. All keys be retrieved if this property is missing. | |
spring.cloud.azure.keyvault.secret.property-sources[].refresh-interval | 30m | Time interval to refresh all Key Vault secrets. |
spring.cloud.azure.keyvault.secret.property-sources[].service-version | Secret service version used when making API requests. | |
spring.cloud.azure.keyvault.secret.property-sources[].client | Client related properties. | |
spring.cloud.azure.keyvault.secret.property-sources[].credential | Credential related properties. | |
spring.cloud.azure.keyvault.secret.property-sources[].profile | Profile related properties. | |
spring.cloud.azure.keyvault.secret.property-sources[].proxy | Proxy related properties. | |
spring.cloud.azure.keyvault.secret.property-sources[].retry | Retry related properties. |
- See Authorize access with Microsoft Entra ID to make sure the security principal has been granted the sufficient permission to access the Azure Key Vault Secrets.
- If common properties like
client
,credential
,profile
,proxy
,retry
aren't configured inspring.cloud.azure.keyvault.secret.property-sources[].xxx
,spring.cloud.azure.xxx
will be used. See Spring Cloud Azure configuration to get more information about these common properties. - See Spring Cloud Azure configuration properties to get more information about nested properties.
Samples
See the spring-cloud-azure-starter-keyvault-secrets samples on GitHub.