Given a spring cloud config server that will be connected to Hashicorp Vault to retrieve secrets from a KV backend.

There are multiple authentication methods to connect the spring cloud config instance to Hashicorp Vault : (Token, APPROLE etc).

Even with APPROLE method, you need to provide the secret-id.

In the Spring Cloud config documentation there are several options push/pull with different use cases when only the APPROLE is provided in the application configuration.

Is there a documentation/tutorial on how to configure spring cloud config with vault in a secured manner

(I have already tested successfully the connection with a token or approle&secret-id, but I want to check if it's possible to enhance this and not provide a static token or seceret-id).