Integration of config-server and Azure Key Vault to serve client configurations
Hi folks,
I've asked before but got no response, so I did some exploration and I feel I have a better understanding and more info to bring.
To add context:
I have an actual setup of config-server + centralized git configuration repo + App client (running on a k8s cluster).
The app connects to config-server, which connects to the git repo, fetches the configuration and serves it back to the app; a pretty standard setup for config-server.
Now we are trying to use Azure Key Vault as a backend for config-server, meaning that when config-server connects to the git repository, it replaces any placeholder in the configuration file with secrets from the AKV before it serves it to the client. However, this never happens: I can see that the config-server has all the secrets loaded as property-sources, but it never replaces the placeholders.
I achieved that in a previous project, but using the solution below:
https://github.com/srempfer/spring-cloud-config-azure-keyvault/tree/master
It is pretty much outdated, and it surprises me that the current version doesn't have this feature embedded already.
Some configuration follows:
config-server: 2023.0.3
spring-cloud-azure-starter-keyvault-secrets: 5.22.0
bootstrap.yaml (on config-server)
spring:
  cloud:
    config:
      server:
        allowOverride: true # Allows overriding properties from different sources.
        enable-placeholder-resolution: true
    azure:
      keyvault:
        secret:
          property-source-enabled: true
          property-sources[0]:
            endpoint: "XXX"
            credential:
              client-id: "XXX"
              client-secret: "XXX"
            profile:
              tenant-id: "XXX"
remote-config (application-dev.yaml) and I want ${simple.key} to be replaced by a value from the AKV
# logging:
#   level:
#     root: DEBUG
someKey: ${simple.key}
app:
  message: Hello from ${environment.name} demo new message
  new:
    message: >-
      Hello from big-message
      This is a longer message
      for the ${environment.name} environment
      and ${someKey}
      being pulled from the config repository
environment:
  name: dev
management:
  endpoint:
    env:
      show-values: "ALWAYS"
  endpoints:
    web:
      exposure:
        include: "*"
---
spring:
  config:
    activate:
      on-profile: dev-east
app:
  message: Hello from dev-east
---
spring:
  config:
    activate:
      on-profile: dev-west
app:
  message: Hello from dev-west
Please let me know if you guys think this result is achievable, or whether I will have to inject the Azure Key Vault starter at the application level (which I've tried, and it is able to resolve the placeholders after the config-server serves the remote-config, but I'd like to keep it centralized).
Let me know your thoughts
Thanks
Victor
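
Added example (not part of the post above, and not code from Spring Cloud Config or Spring Cloud Azure): a small offline audit that emulates `${...}` placeholder resolution over the posted application-dev.yaml and reports which served properties would carry Key Vault material if the server resolved placeholders before answering clients. Assumptions: the keys are flattened from the posted YAML (taking `new` as nested under `app`), the vault contents are a constructed stand-in keyed as `simple.key`, and vault values take precedence over repository values.

```python
import re

# ${name} or ${name:default}
PLACEHOLDER = re.compile(r"\$\{([^}:]+)(?::([^}]*))?\}")

# Flattened default-profile properties from the posted application-dev.yaml.
REMOTE_CONFIG = {
    "someKey": "${simple.key}",
    "app.message": "Hello from ${environment.name} demo new message",
    "app.new.message": "Hello from big-message This is a longer message "
                       "for the ${environment.name} environment and ${someKey} "
                       "being pulled from the config repository",
    "environment.name": "dev",
}

# Constructed stand-in for the Key Vault property source (not a real secret).
VAULT = {"simple.key": "CONSTRUCTED-SECRET-VALUE"}


def resolve(key, config, vault, seen=()):
    """Return (value, tainted); tainted is True if a vault value was used."""
    if key in seen:
        raise ValueError("circular placeholder: " + " -> ".join(seen + (key,)))
    if key in vault:          # assumption: vault wins over the git repository
        return vault[key], True
    if key not in config:
        raise KeyError(key)
    tainted = False

    def substitute(match):
        nonlocal tainted
        name, default = match.group(1), match.group(2)
        try:
            value, used_secret = resolve(name, config, vault, seen + (key,))
        except KeyError:
            if default is None:
                return match.group(0)   # unknown key: leave placeholder as-is
            value, used_secret = default, False
        tainted = tainted or used_secret
        return value

    return PLACEHOLDER.sub(substitute, str(config[key])), tainted


def secret_bearing_keys(config, vault):
    """Keys whose served value would embed secret material after resolution."""
    return sorted(k for k in config if resolve(k, config, vault)[1])


if __name__ == "__main__":
    print(secret_bearing_keys(REMOTE_CONFIG, VAULT))
```

`app.new.message` is flagged because it references `${someKey}`, which in turn references the vault-backed `${simple.key}`, so the secret would be embedded in a display string. With the posted `management.endpoint.env.show-values: "ALWAYS"` and `exposure.include: "*"`, resolved values like these are readable in cleartext through the client's env actuator endpoint.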