Consul Tokens from Spring Vault do not get picked up by Spring Cloud Config Consul
See original GitHub issueI’m trying to get a consul token from vault, so that spring cloud consul config can get additional config from consul.
When I use this config:
# bootstrap.yml
## Config for vault
spring.cloud.vault:
host: vault.host
port: 443
scheme: https # must be https for production
config:
lifecycle:
enabled: true
order: -10
authentication: APPROLE # Same thing happens when using token
app-role:
role-id: ******
secret-id: *******
consul:
enabled: true
role: application
fail-fast: false
## Consul config
spring.cloud.consul:
enabled: true
host: 127.0.0.1
port: 8500
config:
enabled: true
format: FILES
failFast: true
profile-separator: '-'
default-context: application
Here’s what I see on app startup:
2016-12-01 11:01:19.701 DEBUG 58221 --- [ main] o.s.c.e.PropertySourcesPropertyResolver : Could not find key 'spring.cloud.consul.token' in any property source
2016-12-01 11:01:19.701 DEBUG 58221 --- [ main] o.s.c.e.PropertySourcesPropertyResolver : Could not find key 'CONSUL_TOKEN' in any property source
2016-12-01 11:01:21.383 DEBUG 58221 --- [ main] org.apache.http.wire : http-outgoing-0 << "{"request_id":"3d26b618-1636-fa7b-2a1b-6039d3e4383f","lease_id":"consul/creds/application/570da8f4-7b23-6cf6-5956-8bcec0f9b735","renewable":true,"lease_duration":2592000,"data":{"token":"xxxxxxxxxx"},"wrap_info":null,"warnings":null,"auth":null}[\n]"
2016-12-01 11:01:21.854 DEBUG 58221 --- [ main] org.apache.http.wire : >> "GET /v1/kv/config/application.properties?token= HTTP/1.1[\r][\n]"
2016-12-01 11:01:21.878 DEBUG 58221 --- [ main] org.apache.http.wire : >> "GET /v1/kv/config/application.yaml?token= HTTP/1.1[\r][\n]"
2016-12-01 11:01:21.905 DEBUG 58221 --- [ main] org.apache.http.wire : >> "GET /v1/kv/config/application.yml?token= HTTP/1.1[\r][\n]"
2016-12-01 11:01:21.920 DEBUG 58221 --- [ main] o.s.c.e.PropertySourcesPropertyResolver : Found key 'spring.cloud.consul.token' in [bootstrapProperties] with type [String]
Note that while a vault token is obtained, Spring Cloud Consul Config does not seem to be picking it up.
Here’s the dependencies in play (With Spring boot 1.4.2.RELEASE)
[INFO] +- org.springframework.cloud:spring-cloud-consul-config:jar:1.1.2.RELEASE:compile
[INFO] +- org.springframework.cloud:spring-cloud-starter-consul-discovery:jar:1.1.2.RELEASE:compile
[INFO] | +- org.springframework.cloud:spring-cloud-starter-consul:jar:1.1.2.RELEASE:compile
[INFO] | | +- org.springframework.cloud:spring-cloud-commons:jar:1.1.6.RELEASE:compile
[INFO] | | +- org.springframework.cloud:spring-cloud-context:jar:1.1.6.RELEASE:compile
[INFO] | | +- org.springframework.cloud:spring-cloud-consul-core:jar:1.1.2.RELEASE:compile
[INFO] | +- org.springframework.cloud:spring-cloud-consul-discovery:jar:1.1.2.RELEASE:compile
[INFO] | +- org.springframework.cloud:spring-cloud-netflix-core:jar:1.2.3.RELEASE:compile
[INFO] | +- org.springframework.cloud:spring-cloud-starter-ribbon:jar:1.2.3.RELEASE:compile
[INFO] | | +- org.springframework.cloud:spring-cloud-starter:jar:1.1.6.RELEASE:compile
[INFO] | | +- org.springframework.cloud:spring-cloud-starter-archaius:jar:1.2.3.RELEASE:compile
[INFO] +- org.springframework.cloud:spring-cloud-vault-starter-config:jar:1.0.0.M1:compile
[INFO] | +- org.springframework.cloud:spring-cloud-vault-config:jar:1.0.0.M1:compile
[INFO] +- org.springframework.cloud:spring-cloud-vault-config-consul:jar:1.0.0.M1:compile# cloud dependencies
Looking at the /env
endpoint, the property is set, but apparently not in time, for consul config to pick it up.
Issue Analytics
- State:
- Created 7 years ago
- Reactions:4
- Comments:20 (8 by maintainers)
Top Results From Across the Web
Consul Tokens from Spring Vault do not get picked up by ...
Consul tokens are installed via configuration properties. Once a property is loaded, it is not reloaded anymore. Also, once a Consul client was ......
Read more >Spring Cloud Vault
The obtained token is stored in spring.cloud.consul.token so using Spring Cloud Consul can pick up the generated credentials without further configuration.
Read more >Spring Cloud Integration with HashiCorp Vault and Consul
Spring Cloud enables teams to build a variety of solutions for distributed systems, microservices and cloud native applications.
Read more >An Intro to Spring Cloud Vault - Baeldung
A brief introduction to Spring Cloud Vault, showing how to retrieve and manage credentials in Spring applications.
Read more >Newest 'spring-cloud-vault-config' Questions - Stack Overflow
I am using approle authentication type which takes in role-id and secret-id along with root token in the header to generate a client...
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
The reason why
spring.cloud.consul.token
is not picked up byConsulConfigProperties
is that both components (Spring Cloud Vault, Spring Cloud Config) providePropertySource
that are initialized first and then added to Spring’sEnvironment
.At the time of
PropertySource
initialization, we requireConsulConfigProperties
to be initialized.ConsulConfigProperties
happens with theEnvironment
without Spring Cloud Vault’sPropertySource
.You can spawn an own bootstrap configuration to provide a Consul token obtained from Vault to the
Environment
in a very early stage. It’s a workaround based on Spring Vault API, see https://gist.github.com/mp911de/17f550ffecdc9e8f22061bfdf896bbb4Make sure to place the bootstrap configuration class outside the packages that Spring Boot scans otherwise the configuration initializes twice. You also need a
META-INF/spring.factories
resource that points to the bootstrap config.We will investigate further how we could simplify such use cases as another config component may contribute properties that could be required to use another config component (i.e. store the Consul token inside Spring Cloud Config to be used with Consul).
Please note there are three years between 2016 and 2019. The arrangement remains unchanged as each component that wants to contribute a
PropertySource
for a@Bean
method requires its own application context that is prepended to the actual application context. Creating more than the additional bootstrap context is impractical. Unless we can find a different approach, we cannot do anything here. Therefore, we’re closing this ticket with won’t fix.