Camel offers several forms and levels of security capabilities that can be used on Camel routes. These various forms of security may be used in conjunction with each other or separately.
|
Note
|
This page describes the security features Camel offers to route authors and operators. For the project’s security model - who is trusted, where the trust boundaries sit, what counts as a framework vulnerability, and what is operator responsibility - see Security Model. Camel also includes a Security Policy Enforcement mechanism that detects insecure configuration (plain-text secrets, disabled SSL verification, unsafe deserialization, dev features in production) at startup time. |
The broad categories offered are:
-
Route Security - Authentication and Authorization services to proceed on a route or route segment
-
Payload Security - Data Formats that offer encryption/decryption services at the payload level
-
Endpoint Security - Security offered by components that can be utilized by endpointUri associated with the component
-
Configuration Security - Security offered by encrypting sensitive information from configuration files or external Secured Vault systems.
Camel offers the JSSE Utility for configuring SSL/TLS related aspects of a number of Camel components.
Authentication and Authorization Services
Camel offers Route Policy driven security capabilities that may be wired into routes or route segments. A route policy in Camel utilizes a strategy pattern for applying interceptors on Camel Processors. It’s offering the ability to apply cross-cutting concerns (for example. security, transactions etc.) of a Camel route.
The components offering authentication and authorization services
utilizing Route Policy based on org.apache.camel.spi.AuthorizationPolicy are:
-
Shiro Security
-
Spring Security
Camel offers encryption/decryption services to secure payloads or selectively apply encryption/decryption capabilities on portions/sections of a payload.
The data-formats offering encryption/decryption of payloads utilizing Marshal are:
-
Crypto
-
PGP
-
Post Quantum Cryptography
-
XML Security
Some components in Camel offer an ability to secure their endpoints (using interceptors etc.) and therefore ensure that they offer the ability to secure payloads as well as provide authentication/authorization capabilities at endpoints created using the components.
Camel provides Post-Quantum Cryptography (PQC) protection at two complementary layers:
-
Transport layer (TLS). On JDK 25+, Camel automatically configures hybrid post-quantum key exchange (
X25519MLKEM768) on allSSLContextParametersto protect connections against harvest-now-decrypt-later attacks. See PQC TLS Configuration for the full configuration guide. -
Message layer. The PQC component and PQC data format encrypt and sign message payloads using post-quantum algorithms (ML-KEM, ML-DSA, SLH-DSA, and more), protecting data independently of the transport.
Camel offers the Properties component to externalize configuration values to properties files. Those values could contain sensitive information such as usernames and passwords.
Those values can be encrypted and automatically decrypted by Camel using:
-
Jasypt
Camel also supports accessing the secured configuration from an external vault systems.
The following Vaults are supported by Camel:
-
AWS Secrets Manager
-
Azure Key Vault
-
CyberArk Conjur Vault
-
Google Secret Manager
-
Hashicorp Vault
-
IBM Secrets Manager
All vault providers use the same property placeholder syntax. The prefix identifies which vault to use:
| Provider | Prefix | Required JAR |
|---|---|---|
AWS Secrets Manager |
|
|
Google Secret Manager |
|
|
Azure Key Vault |
|
|
Hashicorp Vault |
|
|
IBM Secrets Manager |
|
|
CyberArk Conjur |
|
|
The following syntax forms are supported (replace <prefix> with the provider prefix from the table above):
{{<prefix>:secretName}} (1)
{{<prefix>:secretName:defaultValue}} (2)
{{<prefix>:secretName#fieldName}} (3)
{{<prefix>:secretName#fieldName:defaultValue}} (4)-
Lookup the secret value. Fails if the secret does not exist.
-
Lookup the secret value, falling back to
defaultValueif the secret does not exist. -
Lookup a specific field from a JSON-structured secret.
-
Lookup a specific field, with a fallback default value.
For example, if you have a JSON secret named database:
{
"username": "admin",
"password": "password123",
"engine": "postgres",
"host": "127.0.0.1",
"port": "3128",
"dbname": "db"
}You can access individual fields using the # syntax:
- Java
-
from("direct:start") .log("Username is {{aws:database#username}}") .log("Password is {{aws:database#password:secret}}");
- XML
-
<route> <from uri="direct:start"/> <log message="Username is {{aws:database#username}}"/> <log message="Password is {{aws:database#password:secret}}"/> </route>
- YAML
-
- route: from: uri: direct:start steps: - log: message: "Username is {{aws:database#username}}" - log: message: "Password is {{aws:database#password:secret}}"
The examples above use the aws: prefix but the same syntax works with any provider prefix (gcp:, azure:, hashicorp:, ibm:, cyberark:).
Hashicorp Vault, IBM Secrets Manager, and CyberArk Conjur support retrieving a specific version of a secret using the @ suffix:
{{hashicorp:secret:route@2}} (1)
{{hashicorp:route:defaultValue@2}} (2)
{{hashicorp:secret:database#username:admin@2}} (3)
{{ibm:default:route@2}} (4)
{{cyberark:route@2}} (5)-
Hashicorp: get secret
routeat version 2 from thesecretengine. -
Hashicorp: get secret
routeat version 2, with default fallback. -
Hashicorp: get field
usernamefrom secretdatabaseat version 2. -
IBM: get secret
routeat version 2 from thedefaultsecret group. -
CyberArk: get secret
routeat version 2.
To use AWS Secrets Manager, you need to provide accessKey, secretKey and the region. This can be done using environmental variables before starting the application:
export $CAMEL_VAULT_AWS_ACCESS_KEY=accessKey
export $CAMEL_VAULT_AWS_SECRET_KEY=secretKey
export $CAMEL_VAULT_AWS_REGION=regionYou can also configure the credentials in the application.properties file such as:
camel.vault.aws.accessKey = accessKey
camel.vault.aws.secretKey = secretKey
camel.vault.aws.region = regionIf you want instead to use the AWS default credentials provider, you’ll need to provide the following env variables:
export $CAMEL_VAULT_AWS_USE_DEFAULT_CREDENTIALS_PROVIDER=true
export $CAMEL_VAULT_AWS_REGION=regionYou can also configure the credentials in the application.properties file such as:
camel.vault.aws.defaultCredentialsProvider = true
camel.vault.aws.region = regionIt is also possible to specify a particular profile name for accessing AWS Secrets Manager:
export $CAMEL_VAULT_AWS_USE_PROFILE_CREDENTIALS_PROVIDER=true
export $CAMEL_VAULT_AWS_PROFILE_NAME=test-account
export $CAMEL_VAULT_AWS_REGION=regionYou can also configure the credentials in the application.properties file such as:
camel.vault.aws.profileCredentialsProvider = true
camel.vault.aws.profileName = test-account
camel.vault.aws.region = regionAt this point you’ll be able to reference a property by using aws: as prefix in the {{ }} syntax.
See Vault Usage Syntax for the full syntax reference.
The only requirement is adding camel-aws-secrets-manager JAR to your Camel application.
To use GCP Secret Manager, you need to provide serviceAccountKey file and GCP projectId. This can be done using environmental variables before starting the application:
export $CAMEL_VAULT_GCP_SERVICE_ACCOUNT_KEY=file:////path/to/service.accountkey
export $CAMEL_VAULT_GCP_PROJECT_ID=projectIdYou can also configure the credentials in the application.properties file such as:
camel.vault.gcp.serviceAccountKey = accessKey
camel.vault.gcp.projectId = secretKeyIf you want instead to use the GCP default client instance, you’ll need to provide the following env variables:
export $CAMEL_VAULT_GCP_USE_DEFAULT_INSTANCE=true
export $CAMEL_VAULT_GCP_PROJECT_ID=projectIdYou can also configure the credentials in the application.properties file such as:
camel.vault.gcp.useDefaultInstance = true
camel.vault.gcp.projectId = projectIdAt this point you’ll be able to reference a property by using gcp: as prefix in the {{ }} syntax.
See Vault Usage Syntax for the full syntax reference.
There are only two requirements:
- Adding camel-google-secret-manager JAR to your Camel application.
- Give the service account used permissions to do operation at secret management level (for example accessing the secret payload, or being admin of secret manager service)
To use this function, you’ll need to provide credentials to Azure Key Vault Service as environment variables:
export $CAMEL_VAULT_AZURE_TENANT_ID=tenantId
export $CAMEL_VAULT_AZURE_CLIENT_ID=clientId
export $CAMEL_VAULT_AZURE_CLIENT_SECRET=clientSecret
export $CAMEL_VAULT_AZURE_VAULT_NAME=vaultNameYou can also configure the credentials in the application.properties file such as:
camel.vault.azure.tenantId = accessKey
camel.vault.azure.clientId = clientId
camel.vault.azure.clientSecret = clientSecret
camel.vault.azure.vaultName = vaultNameOr you can enable the usage of Azure Identity in the following way:
export $CAMEL_VAULT_AZURE_IDENTITY_ENABLED=true
export $CAMEL_VAULT_AZURE_VAULT_NAME=vaultNameYou can also enable the usage of Azure Identity in the application.properties file such as:
camel.vault.azure.azureIdentityEnabled = true
camel.vault.azure.vaultName = vaultNameAt this point you’ll be able to reference a property by using azure: as prefix in the {{ }} syntax.
See Vault Usage Syntax for the full syntax reference.
The only requirement is adding the camel-azure-key-vault JAR to your Camel application.
To use this function, you’ll need to provide credentials for Hashicorp vault as environment variables:
export $CAMEL_VAULT_HASHICORP_TOKEN=token
export $CAMEL_VAULT_HASHICORP_HOST=host
export $CAMEL_VAULT_HASHICORP_PORT=port
export $CAMEL_VAULT_HASHICORP_SCHEME=http/httpsYou can also configure the credentials in the application.properties file such as:
camel.vault.hashicorp.token = token
camel.vault.hashicorp.host = host
camel.vault.hashicorp.port = port
camel.vault.hashicorp.scheme = schemeIf the running Hashicorp Vault instance is on Hashicorp Cloud, two additional parameters are required:
export CAMEL_HASHICORP_VAULT_CLOUD=true
export CAMEL_HASHICORP_VAULT_NAMESPACE=namespaceOr in application.properties:
camel.vault.hashicorp.cloud = true
camel.vault.hashicorp.namespace = namespaceAt this point you’ll be able to reference a property by using hashicorp: as prefix in the {{ }} syntax.
Hashicorp Vault also supports version-specific lookups using the @ suffix.
See Vault Usage Syntax for the full syntax reference.
The only requirement is adding the camel-hashicorp-vault JAR to your Camel application.
To use this function, you’ll need to provide credentials for IBM Secrets Manager vault as environment variables:
export CAMEL_VAULT_IBM_TOKEN=token
export CAMEL_VAULT_IBM_SERVICE_URL=serviceUrlYou can also configure the credentials in the application.properties file such as:
camel.vault.ibm.token = token
camel.vault.ibm.serviceUrl = serviceUrl|
Note
|
If you’re running the application on a Kubernetes based cloud platform, you can initialize the environment variables from a Secret or Configmap to enhance security. You can also enhance security by setting a Secret property placeholder which will be initialized at application runtime only. |
|
Note
|
camel.vault.ibm configuration only applies to the IBM Secrets Manager Vault properties function (E.g when resolving properties).
When using the operation option to create, get, list secrets etc., you should provide the token and serviceUrl options.
|
IBM Secrets Manager organizes secrets into secret groups. The syntax includes the group name (e.g. default):
{{ibm:default:secretName}}, {{ibm:default:secretName:fallback}}, {{ibm:default:secretName#field}},
{{ibm:default:secretName#field:fallback}}.
IBM also supports version-specific lookups using the @ suffix.
See Vault Usage Syntax for the full syntax reference.
The only requirement is adding the camel-ibm-secrets-manager JAR to your Camel application.
To use this function, you’ll need to provide credentials for CyberArk Conjur as environment variables:
export CAMEL_VAULT_CYBERARK_URL=https://conjur.example.com
export CAMEL_VAULT_CYBERARK_ACCOUNT=myaccount
export CAMEL_VAULT_CYBERARK_USERNAME=admin
export CAMEL_VAULT_CYBERARK_API_KEY=3ahx8dy3...You can also configure the credentials in the application.properties file such as:
camel.vault.cyberark.url = https://conjur.example.com
camel.vault.cyberark.account = myaccount
camel.vault.cyberark.username = admin
camel.vault.cyberark.apiKey = 3ahx8dy3...Alternatively, you can use username and password authentication:
export CAMEL_VAULT_CYBERARK_URL=https://conjur.example.com
export CAMEL_VAULT_CYBERARK_ACCOUNT=myaccount
export CAMEL_VAULT_CYBERARK_USERNAME=admin
export CAMEL_VAULT_CYBERARK_PASSWORD=secretpasswordOr in application.properties:
camel.vault.cyberark.url = https://conjur.example.com
camel.vault.cyberark.account = myaccount
camel.vault.cyberark.username = admin
camel.vault.cyberark.password = secretpassword|
Note
|
If you’re running the application on a Kubernetes based cloud platform, you can initialize the environment variables from a Secret or ConfigMap to enhance security. |
|
Note
|
CyberArk Conjur requires secrets (variables) to be defined in a policy file before they can be set. |
At this point you’ll be able to reference a property by using cyberark: as prefix in the {{ }} syntax.
CyberArk also supports version-specific lookups using the @ suffix.
See Vault Usage Syntax for the full syntax reference.
The only requirement is adding the camel-cyberark-vault JAR to your Camel application.
Being able to reload Camel context on a Secret Refresh, could be done by specifying the usual credentials (the same used for AWS Secret Manager Property Function).
With Environment variables:
export $CAMEL_VAULT_AWS_USE_DEFAULT_CREDENTIALS_PROVIDER=accessKey
export $CAMEL_VAULT_AWS_REGION=regionor as plain Camel main properties:
camel.vault.aws.useDefaultCredentialProvider = true
camel.vault.aws.region = regionOr by specifying accessKey/SecretKey and region, instead of using the default credentials provider chain.
To enable the automatic refresh, you’ll need additional properties to set:
camel.vault.aws.refreshEnabled=true
camel.vault.aws.refreshPeriod=60000
camel.vault.aws.secrets=Secret
camel.main.context-reload-enabled = truewhere camel.vault.aws.refreshEnabled will enable the automatic context reload, camel.vault.aws.refreshPeriod is the interval of time between two different checks for update events and camel.vault.aws.secrets is a regex representing the secrets we want to track for updates.
Note that camel.vault.aws.secrets is not mandatory: if not specified the task responsible for checking updates events will take into accounts or the properties with an aws: prefix.
The only requirement is adding the camel-aws-secrets-manager JAR to your Camel application.
Automatic Camel context reloading on Secret Refresh while using AWS Secrets Manager with EventBridge and AWS SQS Services
Another option is to use AWS EventBridge in conjunction with the AWS SQS service.
On the AWS side, the following resources need to be created:
-
an AWS CloudTrail trail
-
an AWS SQS Queue
-
an EventBridge rule of the following kind
{
"source": ["aws.secretsmanager"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["secretsmanager.amazonaws.com"]
}
}This rule will make the event related to AWS Secrets Manager filtered
-
You need to set the Rule target to the AWS SQS Queue for EventBridge rule
-
You need to give permission to the EventBrige rule, to write on the above SQS Queue. For doing this you’ll need to define a json file like this:
{
"Policy": "{\"Version\":\"2012-10-17\",\"Id\":\"<queue_arn>/SQSDefaultPolicy\",\"Statement\":[{\"Sid\": \"EventsToMyQueue\", \"Effect\": \"Allow\", \"Principal\": {\"Service\": \"events.amazonaws.com\"}, \"Action\": \"sqs:SendMessage\", \"Resource\": \"<queue_arn>\", \"Condition\": {\"ArnEquals\": {\"aws:SourceArn\": \"<eventbridge_rule_arn>\"}}}]}"
}Change the values for queue_arn and eventbridge_rule_arn, save the file with policy.json name and run the following command with AWS CLI
aws sqs set-queue-attributes --queue-url <queue_url> --attributes file://policy.jsonwhere queue_url is the AWS SQS Queue URL of the just created Queue.
Now you should be able to set up the configuration on the Camel side. To enable the SQS notification, add the following properties:
camel.vault.aws.refreshEnabled=true
camel.vault.aws.refreshPeriod=60000
camel.vault.aws.secrets=Secret
camel.main.context-reload-enabled = true
camel.vault.aws.useSqsNotification=true
camel.vault.aws.sqsQueueUrl=<queue_url>where queue_url is the AWS SQS Queue URL of the just created Queue.
Whenever an event of PutSecretValue for the Secret named 'Secret' will happen, a message will be enqueued in the AWS SQS Queue and consumed on the Camel side and a context reload will be triggered.
Being able to reload Camel context on a Secret Refresh, could be done by specifying the usual credentials (the same used for Google Secret Manager Property Function).
With Environment variables:
export $CAMEL_VAULT_GCP_USE_DEFAULT_INSTANCE=true
export $CAMEL_VAULT_GCP_PROJECT_ID=projectIdor as plain Camel main properties:
camel.vault.gcp.useDefaultInstance = true
camel.vault.aws.projectId = projectIdOr by specifying a path to a service account key file, instead of using the default instance.
To enable the automatic refresh you’ll need additional properties to set:
camel.vault.gcp.projectId= projectId
camel.vault.gcp.refreshEnabled=true
camel.vault.gcp.refreshPeriod=60000
camel.vault.gcp.secrets=hello*
camel.vault.gcp.subscriptionName=subscriptionName
camel.main.context-reload-enabled = truewhere camel.vault.gcp.refreshEnabled will enable the automatic context reload, camel.vault.gcp.refreshPeriod is the interval of time between two different checks for update events and camel.vault.gcp.secrets is a regex representing the secrets we want to track for updates.
Note that camel.vault.gcp.secrets is not mandatory: if not specified the task responsible for checking updates events will take into accounts or the properties with an gcp: prefix.
The camel.vault.gcp.subscriptionName is the subscription name created in relation to the Google PubSub topic associated with the tracked secrets.
This mechanism makes use of the notification system related to Google Secret Manager: through this feature, every secret could be associated with one up to ten Google Pubsub Topics. These topics will receive events related to the life cycle of the secret.
There are only two requirements:
- Adding camel-google-secret-manager JAR to your Camel application.
- Give the service account used permissions to do operation at secret management level (for example, accessing the secret payload, or being admin of secret manager service and also have permission over the Pubsub service)
Being able to reload Camel context on a Secret Refresh, could be done by specifying the usual credentials (the same used for Azure Key Vault Property Function).
With Environment variables:
export $CAMEL_VAULT_AZURE_TENANT_ID=tenantId
export $CAMEL_VAULT_AZURE_CLIENT_ID=clientId
export $CAMEL_VAULT_AZURE_CLIENT_SECRET=clientSecret
export $CAMEL_VAULT_AZURE_VAULT_NAME=vaultNameor as plain Camel main properties:
camel.vault.azure.tenantId = accessKey
camel.vault.azure.clientId = clientId
camel.vault.azure.clientSecret = clientSecret
camel.vault.azure.vaultName = vaultNameIf you want to use Azure Identity with environment variables, you can do in the following way:
export $CAMEL_VAULT_AZURE_IDENTITY_ENABLED=true
export $CAMEL_VAULT_AZURE_VAULT_NAME=vaultNameYou can also enable the usage of Azure Identity in the application.properties file such as:
camel.vault.azure.azureIdentityEnabled = true
camel.vault.azure.vaultName = vaultNameTo enable the automatic refresh, you’ll need additional properties to set:
camel.vault.azure.refreshEnabled=true
camel.vault.azure.refreshPeriod=60000
camel.vault.azure.secrets=Secret
camel.vault.azure.eventhubConnectionString=eventhub_conn_string
camel.vault.azure.blobAccountName=blob_account_name
camel.vault.azure.blobContainerName=blob_container_name
camel.vault.azure.blobAccessKey=blob_access_key
camel.main.context-reload-enabled = truewhere camel.vault.azure.refreshEnabled will enable the automatic context reload, camel.vault.azure.refreshPeriod is the interval of time between two different checks for update events and camel.vault.azure.secrets is a regex representing the secrets we want to track for updates.
where camel.vault.azure.eventhubConnectionString is the eventhub connection string to get notification from, camel.vault.azure.blobAccountName, camel.vault.azure.blobContainerName and camel.vault.azure.blobAccessKey are the Azure Storage Blob parameters for the checkpoint store needed by Azure Eventhub.
Note that camel.vault.azure.secrets is not mandatory: if not specified the task responsible for checking updates events will take into accounts or the properties with an azure: prefix.
The only requirement is adding the camel-azure-key-vault JAR to your Camel application.
Being able to reload Camel context on a Secret Refresh could be done by specifying the IBM Event Streams credentials combined with the IBM Secrets Manager one (the same used for IBM Secrets Manager Property Function).
With Environment variables:
export CAMEL_VAULT_IBM_TOKEN=token
export CAMEL_VAULT_IBM_SERVICE_URL=serviceUrl
export CAMEL_VAULT_IBM_EVENTSTREAM_BOOTSTRAP_SERVERS=bootstrapServers
export CAMEL_VAULT_IBM_EVENTSTREAM_TOPIC=topic
export CAMEL_VAULT_IBM_EVENTSTREAM_USERNAME=token
export CAMEL_VAULT_IBM_EVENTSTREAM_PASSWORD=password
export CAMEL_VAULT_IBM_EVENTSTREAM_CONSUMER_GROUP_ID=groupId
export CAMEL_VAULT_IBM_EVENTSTREAM_CONSUMER_POLL_TIMEOUT=3000or as plain Camel main properties:
camel.vault.ibm.token = token
camel.vault.ibm.serviceUrl = serviceUrl
camel.vault.ibm.eventStreamBootstrapServers = bootstrapServers
camel.vault.ibm.eventStreamTopic = topic
camel.vault.ibm.eventStreamUsername = token
camel.vault.ibm.eventStreamPassword = password
camel.vault.ibm.eventStreamGroupId = groupId
camel.vault.ibm.eventStreamConsumerPollTimeout=3000To enable the automatic refresh, you’ll need additional properties to set:
camel.vault.ibm.refreshEnabled=true
camel.vault.ibm.secrets=Secret
camel.main.context-reload-enabled = truewhere camel.vault.ibm.refreshEnabled will enable the automatic context reload and camel.vault.ibm.secrets is a regex representing the secrets we want to track for updates.
where camel.vault.ibm.eventStreamBootstrapServers is the comma-separated list of Bootstrap Servers for IBM Event Stream, camel.vault.ibm.eventStreamTopic, camel.vault.ibm.eventStreamUsername, camel.vault.ibm.eventStreamPassword, camel.vault.ibm.eventStreamGroupId and camel.vault.ibm.eventStreamConsumerPollTimeout are the IBM Event Stream parameters for connecting and consuming events related to Secrets.
Note that camel.vault.ibm.secrets is not mandatory: if not specified the task responsible for checking updates events will take into accounts or the properties with an ibm: prefix.
The only requirement is adding the camel-ibm-secrets-manager JAR to your Camel application.
Being able to reload Camel context on a Secret Refresh could be done by specifying the usual credentials (the same used for Hashicorp Vault Property Function).
With Environment variables:
export CAMEL_VAULT_HASHICORP_TOKEN=token
export CAMEL_VAULT_HASHICORP_HOST=host
export CAMEL_VAULT_HASHICORP_PORT=port
export CAMEL_VAULT_HASHICORP_SCHEME=http/httpsor as plain Camel main properties:
camel.vault.hashicorp.token = token
camel.vault.hashicorp.host = host
camel.vault.hashicorp.port = port
camel.vault.hashicorp.scheme = schemeTo enable the automatic refresh, you’ll need additional properties to set:
camel.vault.hashicorp.refreshEnabled=true
camel.vault.hashicorp.refreshPeriod=60000
camel.vault.hashicorp.secrets=database,api-keys
camel.main.context-reload-enabled = truewhere camel.vault.hashicorp.refreshEnabled will enable the automatic context reload, camel.vault.hashicorp.refreshPeriod is the interval of time between two different checks for update events (default 60000ms), and camel.vault.hashicorp.secrets is a comma-separated list of secret names (or patterns) to check for updates.
The secret names should use the following format:
-
mysecretorpath/to/secret- tracks a secret in the defaultsecretengine -
myengine:mysecretormyengine:path/to/secret- tracks a secret in themyengineengine (use:to separate engine from path) -
You can use patterns like
database*to match multiple secrets
For example, to track secrets omsecret/test in the default secret engine and myapp/credentials in a custom kv engine:
camel.vault.hashicorp.secrets=omsecret/test,kv:myapp/credentialsNote that camel.vault.hashicorp.secrets is not mandatory: if not specified the task responsible for checking updates events will take into account all the properties with a hashicorp: prefix.
The only requirement is adding the camel-hashicorp-vault JAR to your Camel application.
Unlike cloud-based secret managers (AWS, GCP, Azure) that provide event-driven notifications, Hashicorp Vault does not have a native event notification system for secret changes. Therefore, this implementation uses a polling-based approach:
-
Metadata Polling: The refresh task periodically queries the Hashicorp Vault metadata endpoint (
/v1/<engine>/metadata/<secret>) for each tracked secret. -
Version Tracking: It compares the
current_versionfield to detect changes. -
Change Detection: When a version change is detected, it triggers a Camel context reload.
-
Efficiency: Only metadata is queried (not the full secret content), making this approach lightweight.
For example, if a secret named database is updated in Vault:
-
The metadata endpoint returns
"current_version": 5 -
On the next check, if
current_versionchanges to6, a reload is triggered -
The refresh period (default 60 seconds) determines how quickly changes are detected
This polling approach works with all Hashicorp Vault deployments (on-premise, cloud, enterprise, and open-source) without requiring additional infrastructure.