| title | description | services | documentationcenter | author | editor | ms.service | ms.topic | ms.date | ms.custom | ms.author |
|---|---|---|---|---|---|---|---|---|---|---|
Azure Spring Cloud App Configuration |
An in-depth guide on the Azure Spring Cloud App Configuration Library |
azure-app-configuration |
mrm9084 |
azure-app-configuration |
guide |
09/16/2021 |
devx-track-java |
mametcal |
The Azure Spring Cloud App Configuration Client Library loads configurations and feature flags from the Azure App Configuration service. The client library generates PropertySource abstractions, to match those already being generated by the Spring environment such as; Environment Variables, Command-line configurations, local configuration files, and so on.
To create your Azure App Configuration store, you can use:
az appconfig create --resource-group <your-resource-group> --name <name-of-your-new-store> --sku Standard
This command will create you a new empty configuration store. You can upload you configurations using the import command:
az appconfig kv import -n <name-of-your-new-store> -s file --path <location-of-your-properties-file> --format properties --prefix /application/
It will have you confirm your configurations before loading them. You can upload yaml files by changing the format to yaml. The prefix field is important as it is the default prefix loaded by the client library.
To use the feature in an application, you can build it as a Spring Boot application. The most convenient way to add the dependency is with our Spring Boot starter com.azure.spring:azure-spring-cloud-starter-appconfiguration-config. The following example pom.xml file uses Azure App Configuration:
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>{spring-boot-version}</version>
<relativePath />
</parent>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-dependencies</artifactId>
<version>{spring-cloud-version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>com.azure.spring</groupId>
<artifactId>azure-spring-cloud-starter-appconfiguration-config</artifactId>
<version>{azure-appconfiguration-version}</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>A basic Spring Boot application using App Configuration:
@SpringBootApplication
@RestController
public class Application {
@RequestMapping("/")
public String home() {
return "Hello World!";
}
public static void main(String[] args) {
SpringApplication.run(Application.class, args);
}
}with bootstrap.properties containing:
spring.cloud.azure.appconfiguration.stores[0].connection-string=${CONFIG_STORE_CONNECTION_STRING}where CONFIG_STORE_CONNECTION_STRING is an Environment Variable with the connection string to your Azure App Configuration Store. You can access your connection string by running:
az appconfig credential list --name <name-of-your-store>
By default, if no configurations are set, then the configurations starting with /application/ are loaded with a default label of (No Label) unless a Spring Profile is set in which case the default label is your Spring Profile. Because the store is empty no configurations are loaded, but the Azure App Configuration Property Source is still generated.
A property source named /application/https://<name-of-your-store>.azconfig.io/ is created containing the properties of that store.The label used in the request is appended to the end of the name, if no label is set the character \0 is there, as an empty space.
The library supports the loading of one or multiple App Configuration stores. This allows for complex configuration scenarios, such as loading of configurations from multiple stores at once or having fallbacks for added resilience. In the situation where a key is duplicated across multiple stores, loading all stores will result in the highest priority, last one wins, stores configuration being loaded. Example:
spring.cloud.azure.appconfiguration.stores[0].connection-string=[first-store-connection-string]
spring.cloud.azure.appconfiguration.stores[1].connection-string=[second-store-connection-string]In the example, if both the first and second stores have the same configuration, the configuration in the second store has the highest priority, last one wins.
Configurations are loaded by their key and label. By default, the configurations that start with the key /application/ are loaded. The default label is ${spring.profiles.active}. If ${spring.profiles.active} is not set then configuration with the null label seen as (No Label) in the portal are loaded.
The configurations that are loaded can be configured by selecting different key and label filters.
spring.cloud.azure.appconfiguration.stores[0].selects[0].key-filter=[my-key]
spring.cloud.azure.appconfiguration.stores[0].selects[0].label-filter=[my-label]key-filter supports the following filters:
| Key Filter | Effect |
|---|---|
* |
Matches any key |
abc |
Matches a key named abc |
abc* |
Matches key names that start with abc |
abc,xyz |
Matches key names abc or xyz (limited to 5 CSV) |
label-filter supports the following filters:
| Label | Description |
|---|---|
* |
Matches any label, which includes \0 |
\0 |
Matches null labels, seen as (No Label) in the portal |
1.0.0 |
Matches label 1.0.0 exactly |
1.0.* |
Matches labels that start with 1.0. |
,1.0.0 |
Matches labels null or 1.0.0, limited to five CSVs |
If you are using yaml with label filters and need to start with null, then the label filter needs to be surrounded by single quotes.
spring:
cloud:
azure:
appconfiguration:
stores:
-
selects:
-
label-filter: ',1.0.0'Note
You are unable to combine * with , in filters. In that case you need to use an additional select.
By default, spring.profiles.active is set as the default label-filter for all selected configurations. This functionality can be overridden by the label-filter. The Spring Profiles can be used in the label-filter by using ${spring.profiles.active} in the label-filter.
spring.cloud.azure.appconfiguration.stores[0].selects[0].label-filter=,${spring.profiles.active}
spring.cloud.azure.appconfiguration.stores[0].selects[1].label-filter=${spring.profiles.active}_localIn the first label-filter, all configurations with null label are loaded, then all configurations matching the Spring Profiles. Spring Profiles have priority over the null configurations, because they are at the end.
In the second label-filter, the string _local is appended to the end of the Spring Profiles, though only to the last Spring Profile.
Using the configuration spring.cloud.azure.appconfiguration.enabled you can disable loading all configuration stores. With the spring.cloud.azure.appconfiguration.stores[0].enabled configuration, you can disable an individual store.
In addition to disabling all stores, stores can be configured to be disabled if they fail to load using the spring.cloud.azure.appconfiguration.stores[0].fail-fast. When fail-fast is enabled, set to true, a RuntimeException that would result in the application not starting up will instead have the store disabled with no configurations from it loaded. If a configuration store is disabled on startup it will not be checked for changes with refresh, or attempted to be loaded from if configurations are updated.
If, an error resulting in a RuntimeException happens during a refresh check or a reload of configuration the refresh attempt is ended and will be retried after the refresh-interval has passed.
The client library supports all forms of Identity supported by the Azure Identity Library. Authentication can be done through configuration for Connection Strings and Managed Identity. All other forms of Identity can be done by using the TokenCredentialProvider.
Authentication through connection string is the simplest form to setup. You can access a stores connection strings using:
az appconfig credential list --name <name-of-your-store>
The connection string can be then set to the property spring.cloud.azure.appconfiguration.stores[0].connection-string. It is highly recommended that the connection string in the local configuration file should be a placeholder value, which should map to an Environment Variable to avoid having it added to source control.
If you already don't have one, you can create a new Managed Identity using:
az identity create -g myResourceGroup -n myUserAssignedIdentity
Connecting to Azure app configuration with any authentication method other connection string requires three steps to setup.
- Adding the Identity to the resource connecting to your App Configuration store
- Adding the required information to your client application.
- Authorizing the Identity to use App Configuration.
For user assigned, the identity needs to be added to the azure resource. How the user assigned identity is added varies between resources so you will need to check the specific docs of that resource.
Configuration of the client application just needs two values to be set.
spring.cloud.azure.appconfiguration.managed-identity.client-id= <your client id>
spring.cloud.azure.appconfiguration.stores[0].endpoint= <URI of your Configuration Store>The first property tells us which of the configured User Assigned identities to use. The second is which configuration store we are connecting to. With this method, all configuration stores need to use the same User Assigned Identity.
Next, the User Assigned Identity needs to be setup in your configuration store. Setup can be done through IAM in the Azure Portal or using the cli:
az role assignment create --role "App Configuration Data Reader" --assignee <your client id> --scope /subscriptions/<your subscription>/resourceGroups/<your stores resource group>/providers/Microsoft.AppConfiguration/configurationStores/<name of your Configuration Store>
Setting up System Assigned Identity involves enabling it on the azure resource. How the identity is enabled depends on the resource, so you will need to check the documentation for that resource. Once it is enabled, you need to configure your client application to use it.
spring.cloud.azure.appconfiguration.stores[0].endpoint= <URI of your Configuration Store>You will then need to assign the System Assigned Identity to read configurations.
az role assignment create --role "App Configuration Data Reader" --assignee <your client id> --scope /subscriptions/<your subscription>/resourceGroups/<your stores resource group>/providers/Microsoft.AppConfiguration/configurationStores/<name of your Configuration Store>
To authenticate with any other method supported by the Azure Identity Library, you can use AppConfigurationCredentialProvider. AppConfigurationCredentialProvider allows you to dynamically return any TokenCredential for any given URI to connect to your Configuration stores.
@Bean
public AppConfigurationCredentialProvider appConfigurationCredentialProvider() {
return new AppConfigurationCredentialProvider() {
@Override
public TokenCredential getAppConfigCredential(String uri) {
...
return myTokenCredential;
}
};
}You will also need to configure the endpoints that you will be connecting too.
spring.cloud.azure.appconfiguration.stores[0].endpoint= <URI of your Configuration Store>Note
Only 1 authentication method can be defined per endpoint; Connection String, User Assigned Identity, Token Credential. If you need to mix and match you can have AppConfigurationCredentialProvider return null for stores that use a different method.
See Starter Readme for more details and compete documentation of all settings.