HashiCorp Vault for Main DataSource Credentials

I’d like to store credentials of the main datasource in HashiCorp Vault. Currently I configure the connection in the app.properties.

What approach would you recommend for implementing this?

Hi,

In CUBA, you can override the getDataSourceParameters method of the DataSourceProvider bean. In this method, you can get parameters from the vault instead of properties.

Also, you can think of using Spring Profiles if you need two datasource providers: for dev (it will take connection data from properties) and for prod (it will take properties from vault).

I have attached a quick and dirty solution that implements this approach (without profiles though). Please pay attention to spring.xml where I’ve overridden the datasource provider. I used the spring-vault library and set up a development vault configuration.

Some things are hardcoded, but you can read properties from the application properties file. Like in the VaultConfiguration bean where you can read the token from the properties.

vault-test.zip (92.0 KB)

1 Like
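A sketch of the override described in the answer above, added here as an example; it is not the code from the attached vault-test.zip. Assumptions: the `getDataSourceParameters(String storeName)` signature, the `username`/`password` map keys and `Stores.isMain` are taken from CUBA 7.2, and the package, class name, KV v2 mount and secret path are hypothetical.

```java
package com.company.app.core; // hypothetical package

import com.haulmont.cuba.core.global.Stores;
import com.haulmont.cuba.core.sys.persistence.DataSourceProvider;
import org.springframework.vault.core.VaultKeyValueOperationsSupport.KeyValueBackend;
import org.springframework.vault.core.VaultOperations;
import org.springframework.vault.support.VaultResponse;

import javax.inject.Inject;
import java.util.HashMap;
import java.util.Map;

/** Registered in spring.xml in place of the stock datasource provider. */
public class VaultDataSourceProvider extends DataSourceProvider {

    // Hypothetical KV v2 mount and secret path; adjust to your Vault layout.
    private static final String MOUNT = "secret";
    private static final String SECRET_PATH = "myapp/main-db";

    @Inject
    protected VaultOperations vaultOperations; // VaultTemplate bean from the spring-vault configuration

    // Assumed signature (CUBA 7.2): returns the cuba.dataSource.* values keyed without the prefix.
    @Override
    protected Map<String, String> getDataSourceParameters(String storeName) {
        Map<String, String> params = new HashMap<>(super.getDataSourceParameters(storeName));
        if (!Stores.isMain(storeName)) {
            return params; // additional stores keep their properties-based settings
        }
        VaultResponse response = vaultOperations.opsForKeyValue(MOUNT, KeyValueBackend.KV_2).get(SECRET_PATH);
        if (response == null || response.getData() == null) {
            // Fail closed: do not fall back to credentials from app.properties.
            throw new IllegalStateException("No datasource secret at " + MOUNT + "/" + SECRET_PATH);
        }
        Map<String, Object> secret = response.getData();
        params.put("username", required(secret, "username"));
        params.put("password", required(secret, "password"));
        return params;
    }

    // Returns the named field, or fails without echoing any secret value.
    private static String required(Map<String, Object> secret, String key) {
        Object value = secret.get(key);
        if (value == null || value.toString().isEmpty()) {
            throw new IllegalStateException("Vault secret is missing field '" + key + "'");
        }
        return value.toString();
    }
}
```

With this in place the `cuba.dataSource.username` and `cuba.dataSource.password` entries can be removed from app.properties, while the JDBC URL and pool settings continue to come from the properties file.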

Thank you very much!

Is there a reference for beans meant for overriding except source code?

Nope. I guess it is a minimum viable application, with no hidden or obfuscated code. But you need to set up the vault by yourself and change app settings according to vault settings.

And you need to put properties into the vault by yourself. Here you can find some inspiration too.

Thank you, I understand the Vault part of configuration to be done, I was just wondering about the CUBA deep learning resources.

To better understand the service override approach, you can look at the documentation.

Remember that in CUBA, you can override almost any piece of functionality, starting from database connection to user authorization.

Also, you might find these guides interesting.