Spring Boot migration - KeyVault starter #10597
Merged: hemanttanwar merged 11 commits into Azure:master from saragluna:feature/spring-boot-keyvault on May 25, 2020.
Changes from 9 commits (11 commits on the branch):

- 0370687 add spring boot for key vault (saragluna)
- 3210b34 include property file (saragluna)
- 1d4ce50 address review comments (saragluna)
- 0933113 add azure-spring-boot in jacoco-test-coverage pom file to make build-… (saragluna)
- 6364a53 Merge branch 'master' into feature/spring-boot-keyvault (saragluna)
- ae4c040 upgrade azure-identity version used in spring-boot (saragluna)
- d8caed5 move Spring versions to version_client.txt to keep consistency (saragluna)
- 7538e12 add CHANGELOG.md (saragluna)
- c4df875 add configurations for JavaDoc plugins and entries in jacoco-test-cov… (saragluna)
- 15677eb fix artifact id of key-vault-starter in docs (saragluna)
- e823448 fix artifact id of aad-starter in docs (saragluna)
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sdk/spring/azure-spring-boot-starter-keyvault-secrets/CHANGELOG.md: 3 changes (3 additions, 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| # Release History | ||
|
|
||
| ## 2.2.5-beta.1 (Unreleased) |
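Review bot: the `## 2.2.5-beta.1 (Unreleased)` heading has nothing beneath it, so the first published changelog for this artifact will be empty. Add one line under the heading stating that this is the initial release of the Key Vault Secrets Spring Boot starter under its new artifact coordinates, since the rest of this PR is precisely that rename, and consumers checking the changelog for the coordinate change will otherwise find no record of it.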
sdk/spring/azure-spring-boot-starter-keyvault-secrets/README.md: 104 changes (104 additions, 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,104 @@ | ||
| ## Azure Key Vault Secrets Spring boot starter client library for Java | ||
| Azure Key Vault Secrets Spring boot starter is Spring starter for [Azure Key Vault Secrets](https://docs.microsoft.com/rest/api/keyvault/about-keys--secrets-and-certificates#BKMK_WorkingWithSecrets). With this starter, Azure Key Vault is added as one of Spring PropertySource, so secrets stored in Azure Key Vault could be easily used and conveniently accessed like other externalized configuration property, e.g. properties in files. | ||
|
|
||
| ## Key concepts | ||
|
|
||
| ## Getting started | ||
| ### Add the dependency | ||
|
|
||
| `azure-spring-boot-starter-keyvault-secrets` is published on Maven Central Repository. | ||
| If you are using Maven, add the following dependency. | ||
|
|
||
| [//]: # ({x-version-update-start;com.azure:azure-spring-boot-starter-keyvault-secrets;current}) | ||
|
Contributor (review comment): The artifactId in the tag and the artifactId in the XML snippet don't match.
Author (Member): done
||
| ```xml | ||
| <dependency> | ||
| <groupId>com.azure</groupId> | ||
| <artifactId>azure-keyvault-secrets-spring-boot-starter</artifactId> | ||
| <version>2.2.5-beta.1</version> | ||
| </dependency> | ||
| ``` | ||
| [//]: # ({x-version-update-end}) | ||
|
|
||
| ### Custom settings | ||
| To use the custom configuration, open `application.properties` file and add below properties to specify your Azure Key Vault url, Azure service principal client id and client key. `azure.keyvault.enabled` is used to turn on/off Azure Key Vault Secret property source, default is true. `azure.keyvault.token-acquiring-timeout-seconds` is used to specify the timeout in seconds when acquiring token from Azure AAD. Default value is 60 seconds. This property is optional. `azure.keyvault.refresh-interval` is the period for PropertySource to refresh secret keys, its value is 1800000(ms) by default. This property is optional. `azure.keyvault.secret.keys` is a property to indicate that if application using specific secret keys, if this property is set, application will only load the keys in the property and won't load all the keys from keyvault, that means if you want to update your secrets, you need to restart the application rather than only add secrets in the keyvault. | ||
| ``` | ||
| azure.keyvault.enabled=true | ||
| azure.keyvault.uri=put-your-azure-keyvault-uri-here | ||
| azure.keyvault.client-id=put-your-azure-client-id-here | ||
| azure.keyvault.client-key=put-your-azure-client-key-here | ||
| azure.keyvault.tenant-id=put-your-azure-tenant-id-here | ||
| azure.keyvault.token-acquire-timeout-seconds=60 | ||
| azure.keyvault.refresh-interval=1800000 | ||
| azure.keyvault.secret.keys=key1,key2,key3 | ||
| ``` | ||
|
|
||
| ### Use MSI / Managed identities | ||
| #### App Services | ||
| To use managed identities for App Services - please refer to [How to use managed identities for App Service and Azure Functions](https://docs.microsoft.com/azure/app-service/app-service-managed-service-identity). | ||
|
|
||
| To use it in an App Service, add the below properties: | ||
| ``` | ||
| azure.keyvault.enabled=true | ||
| azure.keyvault.uri=put-your-azure-keyvault-uri-here | ||
| ``` | ||
|
|
||
| #### VM | ||
| To use it for virtual machines, please refer to [Azure AD managed identities for Azure resources documentation](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/). | ||
|
|
||
| To use it in a VM, add the below properties: | ||
| ``` | ||
| azure.keyvault.enabled=true | ||
| azure.keyvault.uri=put-your-azure-keyvault-uri-here | ||
| azure.keyvault.client-id=put-your-azure-client-id-here | ||
| ``` | ||
|
|
||
| If you are using system assigned identity you don't need to specify the client-id. | ||
|
|
||
| ### Save secrets in Azure Key Vault | ||
| Save secrets in Azure Key Vault through [Azure Portal](https://blogs.technet.microsoft.com/kv/2016/09/12/manage-your-key-vaults-from-new-azure-portal/) or [Azure CLI](https://docs.microsoft.com/cli/azure/keyvault/secret). | ||
|
|
||
| You can use the following Azure CLI command to save secrets, if Key Vault is already created. | ||
| ``` | ||
| az keyvault secret set --name <your-property-name> --value <your-secret-property-value> --vault-name <your-keyvault-name> | ||
| ``` | ||
| > NOTE | ||
| > To get detail steps on how setup Azure Key Vault, please refer to sample code readme section ["Setup Azure Key Vault"](../azure-spring-boot-samples/azure-spring-boot-sample-keyvault-secrets/README.md) | ||
|
|
||
| > **IMPORTANT** | ||
| > Allowed secret name pattern in Azure Key Vault is ^[0-9a-zA-Z-]+$, for some Spring system properties contains `.` like spring.datasource.url, do below workaround when you save it into Azure Key Vault: simply replace `.` to `-`. `spring.datasource.url` will be saved with name `spring-datasource-url` in Azure Key Vault. While in client application, use original `spring.datasource.url` to retrieve property value, this starter will take care of transformation for you. Purpose of using this way is to integrate with Spring existing property setting. | ||
|
|
||
| ### Get Key Vault secret value as property | ||
| Now, you can get Azure Key Vault secret value as a configuration property. | ||
|
|
||
| <!-- embedme ../azure-spring-boot/src/samples/java/com/azure/spring/keyvault/KeyVaultSample.java#L18-L32 --> | ||
| ``` | ||
| @SpringBootApplication | ||
| public class KeyVaultSample implements CommandLineRunner { | ||
|
|
||
| @Value("${your-property-name}") | ||
| private String mySecretProperty; | ||
|
|
||
| public static void main(String[] args) { | ||
| SpringApplication.run(KeyVaultSample.class, args); | ||
| } | ||
|
|
||
| @Override | ||
| public void run(String... args) { | ||
| System.out.println("property your-property-name value is: " + mySecretProperty); | ||
| } | ||
| } | ||
| ``` | ||
| ## Examples | ||
| Please refer to [sample project here](../azure-spring-boot-samples/azure-spring-boot-sample-keyvault-secrets). | ||
|
|
||
| ## Allow telemetry | ||
| Microsoft would like to collect data about how users use this Spring boot starter. Microsoft uses this information to improve our tooling experience. Participation is voluntary. If you don't want to participate, just simply disable it by setting below configuration in `application.properties`. | ||
| ``` | ||
| azure.keyvault.allow.telemetry=false | ||
| ``` | ||
| When telemetry is enabled, an HTTP request will be sent to URL `https://dc.services.visualstudio.com/v2/track`. So please make sure it's not blocked by your firewall. | ||
| Find more information about Azure Service Privacy Statement, please check [Microsoft Online Services Privacy Statement](https://www.microsoft.com/privacystatement/OnlineServices/Default.aspx). | ||
|
|
||
| ## Troubleshooting | ||
| ## Next steps | ||
| ## Contributing | ||
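Review bot: the Maven coordinates in this README disagree with each other and with the pom in the same PR: the version-update marker reads `com.azure:azure-spring-boot-starter-keyvault-secrets`, the XML snippet reads `<groupId>com.azure</groupId>` with `<artifactId>azure-keyvault-secrets-spring-boot-starter</artifactId>`, and pom.xml declares `com.microsoft.azure:azure-keyvault-secrets-spring-boot-starter`. Use one coordinate (the pom's is what Maven Central will actually serve) in the marker, the snippet and the prose line that names the artifact, otherwise the release tooling bumps one copy and not the other; the commit "fix artifact id of key-vault-starter in docs" is on the branch but outside the 9-commit view shown here, so confirm it also aligns the groupId. Two smaller points in the same hunk: the prose names the timeout property `azure.keyvault.token-acquiring-timeout-seconds` while the properties block uses `azure.keyvault.token-acquire-timeout-seconds`, so whichever one the starter does not bind will be silently ignored; and the sample's `System.out.println("property your-property-name value is: " + mySecretProperty);` echoes the secret to stdout, which ends up in App Service and container logs. Have the sample prove the lookup without printing the value (for example, print whether `mySecretProperty` is non-null), and in the Custom settings section say that `azure.keyvault.client-key` belongs in an environment variable or should be replaced by the managed-identity path described later, not in a committed `application.properties`.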
sdk/spring/azure-spring-boot-starter-keyvault-secrets/pom.xml: 129 changes (129 additions, 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,129 @@ | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <project xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||
| xmlns="http://maven.apache.org/POM/4.0.0" | ||
| xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> | ||
| <modelVersion>4.0.0</modelVersion> | ||
|
|
||
| <parent> | ||
| <groupId>com.azure</groupId> | ||
| <artifactId>azure-client-sdk-parent</artifactId> | ||
| <version>1.7.0</version> <!-- {x-version-update;com.azure:azure-client-sdk-parent;current} --> | ||
| <relativePath>../../parents/azure-client-sdk-parent</relativePath> | ||
| </parent> | ||
|
|
||
| <groupId>com.microsoft.azure</groupId> | ||
| <artifactId>azure-keyvault-secrets-spring-boot-starter</artifactId> | ||
| <version>2.2.5-beta.1</version> <!-- {x-version-update;com.microsoft.azure:azure-keyvault-secrets-spring-boot-starter;current} --> | ||
|
|
||
| <name>Azure Key Vault Secrets Spring Boot Starter</name> | ||
| <description>Spring Boot Starter supporting Azure Key Vault Secrets as PropertySource</description> | ||
| <url>https://github.com/Azure/azure-sdk-for-java</url> | ||
|
|
||
| <dependencies> | ||
| <dependency> | ||
| <groupId>org.springframework.boot</groupId> | ||
| <artifactId>spring-boot-starter</artifactId> | ||
| <version>2.2.0.RELEASE</version> <!-- {x-version-update;org.springframework.boot:spring-boot-starter;external_dependency} --> | ||
| </dependency> | ||
| <dependency> | ||
| <groupId>org.springframework.boot</groupId> | ||
| <artifactId>spring-boot-starter-validation</artifactId> | ||
| <version>2.2.0.RELEASE</version> <!-- {x-version-update;org.springframework.boot:spring-boot-starter-validation;external_dependency} --> | ||
| </dependency> | ||
| <dependency> | ||
| <groupId>com.microsoft.azure</groupId> | ||
| <artifactId>azure-spring-boot</artifactId> | ||
| <version>2.2.5-beta.1</version> <!-- {x-version-update;com.microsoft.azure:azure-spring-boot;current} --> | ||
| </dependency> | ||
| </dependencies> | ||
| <build> | ||
| <plugins> | ||
| <plugin> | ||
| <groupId>org.apache.maven.plugins</groupId> | ||
| <artifactId>maven-enforcer-plugin</artifactId> | ||
| <version>3.0.0-M3</version> <!-- {x-version-update;org.apache.maven.plugins:maven-enforcer-plugin;external_dependency} --> | ||
| <configuration> | ||
| <rules> | ||
| <bannedDependencies> | ||
| <includes> | ||
| <include>com.microsoft.azure:*</include> | ||
| <include>org.springframework.boot:spring-boot-starter:[2.2.0.RELEASE]</include> <!-- {x-include-update;org.springframework.boot:spring-boot-starter;external_dependency} --> | ||
| <include>org.springframework.boot:spring-boot-starter-validation:[2.2.0.RELEASE]</include> <!-- {x-include-update;org.springframework.boot:spring-boot-starter-validation;external_dependency} --> | ||
| </includes> | ||
| </bannedDependencies> | ||
| </rules> | ||
| </configuration> | ||
| </plugin> | ||
| <!-- START: Empty Java Doc --> | ||
| <!-- The following code will generate an empty javadoc with just a README.md. This is necessary | ||
| to pass the required checks on Maven. The way this works is by setting the classesDirectory | ||
| to a directory that only contains the README.md, which we need to copy. If the classesDirectory | ||
| is set to the root, where the README.md lives, it still won't have javadocs but the jar file | ||
| will contain a bunch of files that shouldn't be there. The faux sources directory is deleted | ||
| and recreated with the README.md being copied every time to guarantee that, when building locally, | ||
| it'll have the latest copy of the README.md file. | ||
| --> | ||
| <plugin> | ||
| <groupId>org.apache.maven.plugins</groupId> | ||
| <artifactId>maven-javadoc-plugin</artifactId> | ||
| <version>3.1.1</version> <!-- {x-version-update;org.apache.maven.plugins:maven-javadoc-plugin;external_dependency} --> | ||
| <executions> | ||
| <execution> | ||
| <id>attach-javadocs</id> | ||
| <goals> | ||
| <goal>jar</goal> | ||
| </goals> | ||
| <configuration> | ||
| <skip>true</skip> | ||
| </configuration> | ||
| </execution> | ||
| </executions> | ||
| </plugin> | ||
| <plugin> | ||
| <groupId>org.apache.maven.plugins</groupId> | ||
| <artifactId>maven-jar-plugin</artifactId> | ||
| <version>3.1.2</version> <!-- {x-version-update;org.apache.maven.plugins:maven-jar-plugin;external_dependency} --> | ||
| <executions> | ||
| <execution> | ||
| <id>empty-javadoc-jar-with-readme</id> | ||
| <phase>package</phase> | ||
| <goals> | ||
| <goal>jar</goal> | ||
| </goals> | ||
| <configuration> | ||
| <classifier>javadoc</classifier> | ||
| <classesDirectory>${project.basedir}/javadocTemp</classesDirectory> | ||
| </configuration> | ||
| </execution> | ||
| </executions> | ||
| </plugin> | ||
| <plugin> | ||
| <groupId>org.apache.maven.plugins</groupId> | ||
| <artifactId>maven-antrun-plugin</artifactId> | ||
| <version>1.8</version> <!-- {x-version-update;org.apache.maven.plugins:maven-antrun-plugin;external_dependency} --> | ||
| <executions> | ||
| <execution> | ||
| <id>copy-readme-to-javadocTemp</id> | ||
| <phase>prepare-package</phase> | ||
| <configuration> | ||
| <target> | ||
| <echo>Deleting existing ${project.basedir}/javadocTemp</echo> | ||
| <delete includeEmptyDirs="true" quiet="true"> | ||
| <fileset dir="${project.basedir}/javadocTemp"/> | ||
| </delete> | ||
| <echo>Copying ${project.basedir}/README.md to | ||
| ${project.basedir}/javadocTemp/README.md | ||
| </echo> | ||
| <copy file="${project.basedir}/README.md" tofile="${project.basedir}/javadocTemp/README.md"/> | ||
| </target> | ||
| </configuration> | ||
| <goals> | ||
| <goal>run</goal> | ||
| </goals> | ||
| </execution> | ||
| </executions> | ||
| </plugin> | ||
| <!-- END: Empty Java Doc --> | ||
| </plugins> | ||
| </build> | ||
| </project> |
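Review bot: the groupId declared here, `com.microsoft.azure`, and the marker `{x-version-update;com.microsoft.azure:azure-keyvault-secrets-spring-boot-starter;current}` do not match the README in this PR, whose marker uses `com.azure:azure-spring-boot-starter-keyvault-secrets`; since the commit list moves the Spring versions into version_client.txt, that file, this pom and the README marker must carry the same coordinate or the version-update tooling will not find the artifact. The parent is `com.azure:azure-client-sdk-parent`, which suggests the migrated starter is meant to land under `com.azure`; state the intended groupId in the PR description so the README fix and this pom are reconciled in the same direction. The rest is consistent: `spring-boot-starter` and `spring-boot-starter-validation` are pinned to exactly `2.2.0.RELEASE` in the dependency block and to `[2.2.0.RELEASE]` in the enforcer rule, so a transitive bump cannot change them unnoticed, and the javadoc-jar workaround is documented in the comment above the plugin block.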
Review comment: This tag doesn't match the artifactId below.
Reply: done