Vault for storing secrets (plus Spring Boot & Mongodb)

So this is a mix of a couple of howtos. First, we have a simple Spring Boot app that retrieves some data from a MongoDB database that has authentication enabled to access it. Next, we will see how to store secrets in a Vault implementation and then programmatically access it (in our case the user ID and password to access the database).

Setup a Local Mongodb instance

As always my instructions are for Mac. Make sure you have Homebrew installed.

We need some sample data to play with. Let’s use some Spotify top hits data extracts available on Kaggle. Download it from https://www.kaggle.com/datasets/josephinelsy/spotify-top-hit-playlist-2010-2022

To ensure data made it into the database, let’s spin up the Mongo shell and retrieve a document from the collection ‘hits’.

At the shell, you can switch to the spotifyhitsdb and retrieve one random document

Install Hashicorp Vault

Why do we use a Vault? When building enterprise software, we face the challenge of storing secrets or other such sensitive information that are not open to everyone. For example, the user ID and password to our database should not be accessible to everyone. Nor should they be hard-coded into configuration files checked into your code repository or stored in plain text on servers, etc. We need a centralized service that can scale for distributed systems and be governed by enterprise security policies. This is where tools like HashiCorp Vault comes into play. In this blog, I use HashiCorp Vault but the concepts are the same – protect sensitive data to protect your systems.

Next start a local Vault in development mode. It goes without saying that you will not use dev mode for production. In most enterprises, you will have InfoSec point you to a central Vault service and each team will not be spinning up one.

Store a Secret. In our case, it is the credentials to the MongoDB database.

 

How to turn ON Authentication for local Mongodb

Mongo provides multiple authentication mechanisms. For this blog, we will use SCRAM.

Edit /usr/local/etc/mongod.conf end ensure this entry is available

Next, restart mongodb with auth turned on

 

The Spring App

Check the VaultApplication for the example code that will access the Mongodb database and print sample data retrieved. To prove the credentials were retrieved we print the user ID (of course never do that in a real app). Code at –¬†https://github.com/thomasma/vault

VaultConfiguration is used to retrieve and make the credentials available for the connection code that resides in class MongoClientConfiguration.

 

We looked at two primitive operations above – storing and accessing a secret. But that is one piece of a much larger puzzle called Secrets Management. We need to be able to delete secrets, rotate secrets (due to changes in workforce or just good security policies), secure secrets using the highest encryption policies, govern who (user or system) has access, secret standards, maintain an audit of who has accessed the secrets, integrate this into other authentication systems (such as AWS, Azure, GCP), and so much more. Managing secrets is a complex and extremely critical responsibility and therefore you will often see commercial products stepping in (sometimes built on top of open source).