A simple Java library for interacting with Vault.
The VaultClient provides the four operations used on the generic secret backend: read, list, write and delete.
The VaultAdminClient extends VaultClient with a selection of APIs under the sys and auth paths. Please see the javadoc for exactly what APIs are available.

    final VaultClient vaultClient = VaultClientFactory.getClient();

The example above uses the DefaultVaultUrlResolver to resolve the URL for Vault.
For that to succeed, the environment variable VAULT_ADDR must be set:

    VAULT_ADDR=http://vault

or the JVM system property vault.addr must be set:

    vault.addr=http://vault

Again, for the example above, the DefaultVaultCredentialsProviderChain is used to resolve the token needed to interact with Vault.
For that to succeed, the environment variable VAULT_TOKEN must be set:

    VAULT_TOKEN=TOKEN

or the JVM system property vault.token must be set:

    vault.token=TOKEN

For scenarios where you want to source the URL from some other subsystem, you can easily implement your own URL resolver:

    // Resolves the Vault URL from an injected, named configuration value.
    public class GuiceVaultUrlResolver implements UrlResolver {
        private final String vaultAddr;

        @Inject
        public GuiceVaultUrlResolver(@Named("vault.addr") final String vaultAddr) {
            this.vaultAddr = vaultAddr;
        }

        @Override
        public String resolve() {
            return vaultAddr;
        }
    }

Then use the factory class to create a Vault client with this custom URL resolver:

    final VaultClient vaultClient = VaultClientFactory.getClient(guiceVaultUrlResolver);

Much like the URL resolver, you may need to source the Vault token from a different subsystem. Again, you can easily implement your own:

    // Supplies token credentials built from an injected, named configuration value.
    public class GuiceVaultCredentialsProvider implements VaultCredentialsProvider {
        private final VaultCredentials vaultCredentials;

        @Inject
        public GuiceVaultCredentialsProvider(@Named("vault.token") final String vaultToken) {
            this.vaultCredentials = new TokenVaultCredentials(vaultToken);
        }

        @Override
        public VaultCredentials getCredentials() {
            return vaultCredentials;
        }
    }

Then use the factory class to create a Vault client with this custom credentials provider:

    final VaultClient vaultClient = VaultClientFactory.getClient(new DefaultVaultUrlResolver(), guiceVaultCredentialsProvider);

The Vault client uses the OkHttp client to make HTTP requests against Vault.
The default client configuration used by the Vault client sets the connect, request and response timeouts to 15 seconds. No other customizations are made.
If you need to customize the HTTP client further for any reason, such as custom SSL settings, you can pass your own OkHttpClient to the VaultClient constructor:

    final OkHttpClient httpClient = new OkHttpClient.Builder().build();
    final VaultClient vaultClient = new VaultClient(new DefaultVaultUrlResolver(), new DefaultVaultCredentialsProviderChain(), httpClient);

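One form the custom SSL settings mentioned above can take, as an added example that is not code from the library: an OkHttpClient that trusts only the CA certificates in a PEM file, for a Vault server whose certificate is issued by a private CA. The class name PrivateCaHttpClientFactory and the PEM file are hypothetical; re-applying the 15-second timeouts, and mapping "request" and "response" to OkHttp's write and read timeouts, assumes the library does not adjust a client you pass in.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import okhttp3.OkHttpClient;

// Added example; the class name is hypothetical and not part of the Vault client library.
public final class PrivateCaHttpClientFactory {
    /** Builds a client that trusts only the CA certificate(s) in caPemFile. */
    public static OkHttpClient build(final Path caPemFile) throws Exception {
        final KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // start empty: the JVM's default CAs are not trusted
        try (InputStream in = Files.newInputStream(caPemFile)) {
            for (Certificate ca : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                trustStore.setCertificateEntry("vault-ca-" + trustStore.size(), ca);
            }
        }
        if (trustStore.size() == 0) {
            // Fail at start-up rather than on the first request to Vault.
            throw new IllegalArgumentException("No CA certificate found in " + caPemFile);
        }
        final TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        final TrustManager[] tms = tmf.getTrustManagers();
        if (tms.length != 1 || !(tms[0] instanceof X509TrustManager)) {
            throw new IllegalStateException("Unexpected trust managers from TrustManagerFactory");
        }
        final X509TrustManager trustManager = (X509TrustManager) tms[0];
        final SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, new TrustManager[] {trustManager}, null);
        // Hostname verification is left at OkHttp's default (enabled).
        return new OkHttpClient.Builder()
                .sslSocketFactory(sslContext.getSocketFactory(), trustManager)
                .connectTimeout(15, TimeUnit.SECONDS)
                .readTimeout(15, TimeUnit.SECONDS)  // assumed to correspond to the response timeout
                .writeTimeout(15, TimeUnit.SECONDS) // assumed to correspond to the request timeout
                .build();
    }
}
```

Pass the result of PrivateCaHttpClientFactory.build(...) as the third argument of the VaultClient constructor shown above. These TLS settings only take effect when the resolved Vault URL uses https.
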
Vault client is a small project. It only has a few classes and they are all fully documented. For further details please see the source code, including javadocs and unit tests.
Vault client is released under the Apache License, Version 2.0