Built for MuleSoft 4 and HashiCorp Vault

Secrets and certificates, from Vault at startup

A MuleSoft 4 connector that retrieves secrets and certificates from HashiCorp Vault at application startup.

01 / Overview

Vault is a tool for securely accessing secrets. A secret is anything you want to tightly control access to, such as API keys, passwords or certificates.

The MuleSoft 4 Custom Connector is based on the Java Spring Framework. At application startup it retrieves secrets from remote Vault storage and generates certificates in Base64 format, so setting up the TLS layer is seamless for the developer.

02 / Key features

01. Secret retrieval at runtime

The Mule application reads its secrets from Vault on startup. The application configuration holds Vault paths, not credentials.

02. Certificate generation in Base64

Certificates pulled from Vault are returned in Base64 format and handed straight to the Mule TLS context. There is no certificate file on disk.

03. Built on Java Spring Framework

Configuration follows the standard Spring property model, so per-environment overrides work the same way they do for the rest of a Mule deployment.

04. Audit log for every read

Every Vault read is recorded against the application identity, so audit reviews can answer who pulled which secret and when.

03 / Use cases

  1. Database credentials management

    The Mule application reads database passwords from Vault on startup. Rotation is a Vault operation, not a redeploy.

  2. API keys for external services

    Each downstream connector (Salesforce, NetSuite, payment providers) pulls its API key from Vault at startup.

  3. Service-oriented architecture communication

    Integrations protected by mutual TLS pull the client certificate and trust bundle from Vault. Key rolling follows the schedule the security team sets.

  4. Detailed audit logging

    Every secret access is tracked in Vault’s audit log, including which application requested it and when.

04 / Business outcomes

01. No credentials in source control

Property files reference Vault paths, not values. The repository stops carrying secrets.

02. Rotations without redeploys

Rotating a credential or a certificate is a change in Vault, not a code release on every Mule application.

03. Clear separation of duties

Security teams own Vault. Integration teams own the Mule applications. The connector is the interface between them.

05 / Technical highlights

Platform: MuleSoft 4 (Anypoint Studio, Runtime Fabric, CloudHub)
Vault backends: KV v2 and PKI
Built on: Java Spring Framework
Output formats: Plain strings and Base64-encoded certificates