spring-cloud · ryanjbaxter · Jan 14, 2026 · Jan 14, 2026 · Jan 14, 2026
diff --git a/...org/springframework/cloud/config/server/environment/vault/SpringVaultTemplateBuilder.java b/...org/springframework/cloud/config/server/environment/vault/SpringVaultTemplateBuilder.java
@@ -58,7 +58,12 @@ public VaultTemplate build(VaultEnvironmentProperties vaultProperties) {
 	}
 
 	private boolean isStaticToken(VaultEnvironmentProperties vaultProperties) {
-		return vaultProperties.getAuthentication() == null && StringUtils.hasText(vaultProperties.getToken());
+		boolean hasToken = StringUtils.hasText(vaultProperties.getToken());
+		boolean isDefaultAuth = vaultProperties.getAuthentication() == null;
+		boolean isTokenAuth = vaultProperties
+			.getAuthentication() == VaultEnvironmentProperties.AuthenticationMethod.TOKEN;
+
+		return hasToken && (isDefaultAuth || isTokenAuth);
 	}
 
 }
diff --git a/...springframework/cloud/config/server/environment/vault/SpringVaultTemplateBuilderTest.java b/...springframework/cloud/config/server/environment/vault/SpringVaultTemplateBuilderTest.java
@@ -28,6 +28,7 @@
 import org.springframework.cloud.config.server.environment.ConfigTokenProvider;
 import org.springframework.cloud.config.server.environment.VaultEnvironmentProperties;
 import org.springframework.cloud.config.server.environment.vault.authentication.AppRoleClientAuthenticationProvider;
+import org.springframework.context.ApplicationContext;
 import org.springframework.context.support.StaticApplicationContext;
 import org.springframework.http.client.SimpleClientHttpRequestFactory;
 import org.springframework.scheduling.concurrent.ThreadPoolTaskScheduler;
@@ -43,6 +44,9 @@
 import static com.github.tomakehurst.wiremock.client.WireMock.postRequestedFor;
 import static com.github.tomakehurst.wiremock.client.WireMock.urlEqualTo;
 import static com.github.tomakehurst.wiremock.client.WireMock.verify;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verifyNoInteractions;
 
 /**
  * @author Kaveh Shamsi
@@ -124,6 +128,21 @@ void shouldUseAppRoleToken() {
 				""")));
 	}
 
+	@Test
+	void buildShouldUseStaticTokenWhenAuthenticationIsToken() {
+		VaultEnvironmentProperties properties = new VaultEnvironmentProperties();
+		properties.setToken("my-static-token");
+		properties.setAuthentication(VaultEnvironmentProperties.AuthenticationMethod.TOKEN);
+
+		ConfigTokenProvider defaultTokenProvider = mock(ConfigTokenProvider.class);
+		ApplicationContext mockContext = mock(ApplicationContext.class);
+
+		SpringVaultTemplateBuilder builder = new SpringVaultTemplateBuilder(defaultTokenProvider,
+				Collections.emptyList(), mockContext);
+		assertThatThrownBy(() -> builder.build(properties)).isInstanceOf(Exception.class);
+		verifyNoInteractions(defaultTokenProvider);
+	}
+
 	private static StaticApplicationContext givenApplicationContext(ConfigTokenProvider defaultTokenProvider) {
 		var context = new StaticApplicationContext();
 		context.getBeanFactory()