I am trying to use Spring Vault to provide a centralized service that provides storing and retrieving of credential information for our micro-service eco-system. However, our organization is currently using CyberArk for centralizing credentials, so what I am looking for is to build an abstraction service which is based on Spring Vault and uses CyberArk as the storage engine for HashiCorp Vault.

Joey Trang

1 Answer

You can use the Conjur (CyberArk Open Source and Enterprise) vault with Spring Boot. However, you must use the Java API as mentioned here:

https://www.conjur.org/blog/loading-your-database-credentials-at-runtime-with-conjur/

1- You must download the Conjur java-api from GitHub (build it and use it as a dependency in your Spring Boot app).

<!-- CONJUR CYBERARK -->
<dependency>
    <groupId>net.conjur.api</groupId>
    <artifactId>conjur-api</artifactId>
    <version>2.2.1</version>
</dependency>
<!-- CONJUR CYBERARK -->

2- Make sure you have configured the Conjur server and CLI. https://www.conjur.org/get-started/quick-start/oss-environment/

3- Add the Conjur properties as environment variables:

CONJUR_ACCOUNT=demo
CONJUR_AUTHN_LOGIN=host/demo-app
CONJUR_AUTHN_API_KEY=smzqbc31zk7gh2svfv8h3cvzy9a2059c399366jgk651343de79z6
CONJUR_APPLIANCE_URL=http://cyberark_conjur_1/api

Note: You get all of the above variables once you complete the Conjur configuration described in step 2.

4- In your Spring Boot app you can fetch the DB credentials using Conjur instead of having them hardcoded in your application.properties/yml, as:

import javax.sql.DataSource;
import net.conjur.api.Conjur;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.jdbc.datasource.DriverManagerDataSource;

@Configuration
public class DataSourceConfig {

    // Conjur host identity and API key, injected from the environment variables set in step 3
    @Value("${CONJUR_AUTHN_LOGIN}")
    private String conjurHostId;
    @Value("${CONJUR_AUTHN_API_KEY}")
    private String conjurAPIKey;
    // Non-secret connection settings can stay in application.properties/yml
    @Value("${spring.datasource.url}")
    private String datasourceUrl;
    @Value("${spring.datasource.driver-class-name}")
    private String datasourceDriverClass;

    @Bean
    public DataSource dataSource() {
        // Authenticate to Conjur and fetch the DB credentials at startup
        Conjur conjur = new Conjur(conjurHostId, conjurAPIKey);
        String datasourceUsername = conjur.variables().retrieveSecret("db/username");
        String datasourcePassword = conjur.variables().retrieveSecret("db/password");

        DriverManagerDataSource dataSource = new DriverManagerDataSource();
        dataSource.setUsername(datasourceUsername);
        dataSource.setPassword(datasourcePassword);
        dataSource.setUrl(datasourceUrl);
        dataSource.setDriverClassName(datasourceDriverClass);

        return dataSource;
    }
}

After that, you can run your Spring Boot app and it will authenticate with Conjur and get the username and password for the DB.

If you have saved other secrets in the Conjur server, you can access them as:

// The no-argument Conjur() constructor authenticates using the CONJUR_* environment variables from step 3
public Optional<String> findSecret(final String secretKey) {
    try {
        Conjur conjur = new Conjur();
        String secretFound = conjur.variables().retrieveSecret(secretKey);
        return Optional.ofNullable(secretFound);
    } catch (Exception e) {
        e.printStackTrace();
        throw new IllegalArgumentException(e.getMessage());
    }
}

I cannot use CyberArk with Spring Cloud Vault. With Spring Cloud Vault you have a better abstraction of the vault, but unfortunately only HashiCorp Vault is supported (AFAIK).

Any other suggestion will be pretty appreciated.

Eddy Bayonne
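The answer above wires a single DataSource bean by hand. For the broader abstraction the question asks about (Spring resolving secrets from CyberArk transparently, so auto-configured beans need no Conjur-specific code), here is an added example, not code from the answer or from the Conjur project, of a custom Spring PropertySource backed by the same Conjur Java API. The `conjur.` placeholder prefix, the class names and the `spring.factories` registration line are assumptions; it generalizes the answer from one DataSource to any property.

```java
import net.conjur.api.Conjur;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.env.EnvironmentPostProcessor;
import org.springframework.core.env.ConfigurableEnvironment;
import org.springframework.core.env.PropertySource;

/**
 * Resolves property names starting with "conjur." (assumed prefix) to Conjur variables, so
 * application.properties can say:  spring.datasource.password=${conjur.db/password}
 * Spring then resolves "conjur.db/password" against every PropertySource, including this one.
 * Registration (assumed class name) goes in META-INF/spring.factories:
 *   org.springframework.boot.env.EnvironmentPostProcessor=com.example.ConjurPropertySource$Registrar
 */
public class ConjurPropertySource extends PropertySource<Conjur> {
    static final String PREFIX = "conjur.";

    public ConjurPropertySource(Conjur conjur) {
        super("conjur", conjur);  // Conjur() with no args reads CONJUR_* from the environment
    }

    @Override
    public Object getProperty(String name) {
        if (!name.startsWith(PREFIX)) {
            return null;  // not our namespace: let the other property sources answer
        }
        String variableId = name.substring(PREFIX.length());  // e.g. "db/password"
        try {
            return getSource().variables().retrieveSecret(variableId);
        } catch (RuntimeException e) {
            // Unknown variable or failed authentication: returning null makes Spring abort
            // startup with "Could not resolve placeholder" rather than wiring an empty password.
            return null;
        }
    }

    /** Adds the source last, so explicit environment variables or properties still win. */
    public static class Registrar implements EnvironmentPostProcessor {
        @Override
        public void postProcessEnvironment(ConfigurableEnvironment env, SpringApplication app) {
            env.getPropertySources().addLast(new ConjurPropertySource(new Conjur()));
        }
    }
}
```

Every placeholder lookup is a round trip to Conjur, which is acceptable at startup; secrets resolved this way are held only in the bound bean properties, not written back into application.properties.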