Spring Vault

Spring Vault provides familiar Spring abstractions and client-side support for accessing, storing and revoking secrets. It offers both low-level and high-level abstractions for interacting with Vault, freeing the user from infrastructural concerns.

With HashiCorp’s Vault you have a central place to manage external secret data for applications across all environments. Vault can manage static and dynamic secrets such as application data and username/password pairs for remote applications and resources, and it can provide credentials for external services such as MySQL, PostgreSQL, Apache Cassandra, Consul, AWS and more.


  • Connection package as low-level abstraction
  • Reading, writing and deleting data from Vault with object mapping support
  • Multiple authentication mechanisms: AppId, AppRole, AWS EC2, Client Certificates, and Cubbyhole (wrapped/stored token)

Quick Start


The recommended way to get started using spring-vault in your project is with a dependency management system – the snippet below can be copied and pasted into your build. Need help? See our getting started guides on building with Maven and Gradle.

Configure VaultTemplate

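@Configuration
class VaultConfiguration extends AbstractVaultConfiguration {

  // where the Vault server is reached; the no-arg endpoint uses the library defaults
  @Override
  public VaultEndpoint vaultEndpoint() {
    return new VaultEndpoint();
  }

  // how the client logs in; the token value is elided here
  @Override
  public ClientAuthentication clientAuthentication() {
    return new TokenAuthentication("…");
  }
}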
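
The same configuration using AppRole, one of the authentication mechanisms listed above, with the credentials taken from the process environment instead of a token literal in source. This is an added example, not code from the Spring Vault project; it assumes Spring Vault 2.0 or later, and the class name, the `required` helper and the environment variable names `VAULT_ADDR`, `VAULT_ROLE_ID` and `VAULT_SECRET_ID` are hypothetical.

```java
import java.net.URI;

import org.springframework.context.annotation.Configuration;
import org.springframework.vault.authentication.AppRoleAuthentication;
import org.springframework.vault.authentication.AppRoleAuthenticationOptions;
import org.springframework.vault.authentication.AppRoleAuthenticationOptions.RoleId;
import org.springframework.vault.authentication.AppRoleAuthenticationOptions.SecretId;
import org.springframework.vault.authentication.ClientAuthentication;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.config.AbstractVaultConfiguration;

@Configuration
class AppRoleVaultConfiguration extends AbstractVaultConfiguration {

  @Override
  public VaultEndpoint vaultEndpoint() {
    // VAULT_ADDR is an assumed variable name holding the full Vault URL
    VaultEndpoint endpoint = VaultEndpoint.from(URI.create(required("VAULT_ADDR")));
    // refuse plaintext transport: login requests carry the secret id
    if (!"https".equals(endpoint.getScheme())) {
      throw new IllegalStateException("Vault endpoint must use https");
    }
    return endpoint;
  }

  @Override
  public ClientAuthentication clientAuthentication() {
    // role id and secret id are supplied at deploy time, never committed
    AppRoleAuthenticationOptions options = AppRoleAuthenticationOptions.builder()
        .roleId(RoleId.provided(required("VAULT_ROLE_ID")))
        .secretId(SecretId.provided(required("VAULT_SECRET_ID")))
        .build();
    return new AppRoleAuthentication(options, restOperations());
  }

  // hypothetical helper: fail at startup if a required variable is missing
  private static String required(String name) {
    String value = System.getenv(name);
    if (value == null || value.isEmpty()) {
      throw new IllegalStateException("Missing environment variable " + name);
    }
    return value;
  }
}
```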

Inject and use VaultTemplate

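import java.util.HashMap;
import java.util.Map;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.vault.core.VaultOperations;
import org.springframework.vault.support.VaultResponseSupport;

public class Example {

  // inject the actual template
  @Autowired
  private VaultOperations operations;

  // store the password under the path named by userId
  public void writeSecrets(String userId, String password) {

    Map<String, String> data = new HashMap<String, String>();
    data.put("password", password);

    operations.write(userId, data);
  }

  // read the secret back and map its data onto a Person
  public Person readSecrets(String userId) {

    VaultResponseSupport<Person> response = operations.read(userId, Person.class);
    return response.getBody();
  }
}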

Vault PropertySource

@Configuration
@VaultPropertySource(value = "aws/creds/s3",
  propertyNamePrefix = "aws.",
  renewal = Renewal.RENEW)
public class MyConfig {

}

public class Example {

  // inject the actual values
  @Value("${aws.access_key}")
  private String awsAccessKey;

  @Value("${aws.secret_key}")
  private String awsSecretKey;

  public InputStream getFileFromS3(String filename) {
    // …
  }
}