Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Disable requesting secrets from paths without active profiles

See original GitHub issue

Is your feature request related to a problem? Please describe. According to the reference, generic backend tries to scan available vault secrets following these rules:

/secret/{application}/{profile}
/secret/{application}
/secret/{default-context}/{profile}
/secret/{default-context}

so if I have a single secret in vault server with default application name like this:

secret/application

and if I am running the spring boot project in alpha profile, spring cloud vault tries at least 2 requests.

Created GET request for "https://vault.server:8200/v1/secret/application/alpha"
Created GET request for "https://vault.server:8200/v1/secret/application"

I see the second trial stands for default setup just in case there’s no active spring profile. I understand this is reasonable, but for me it may sometimes become a little bit redundant. What if I don’t want to place a default secret in path secret/application because the active profiles are always guaranteed? Still does spring cloud vault try to reach and fail with http status code 403 or 404, as the request is forbidden or the secret is not even there.

Describe the solution you’d like I want to manually control the behavior of requesting vault secrets from various paths.

Describe alternatives you’ve considered One example I came up with is to have control with properties like:

spring.cloud.vault:
    secret-without-profile: (true/false)

if false, the scanning behavior of spring cloud vault would be:

/secret/{application}/{profile}
/secret/{default-context}/{profile}

Additional context Before asking this question, I found a conversation #179 Thanks.

Issue Analytics

State:
Created 4 years ago
Reactions:4
Comments:11 (4 by maintainers)

Top GitHub Comments

6reactions

mp911decommented, Feb 6, 2020

Thanks for your effort. We have VaultConfigurer and SecretBackendConfigurer in place for fine-grained configuration of config backends. The default context can be disabled by configuring it to a empty value. Everything beyond that point is too specific for a global configuration.

That being said, we’re not going to add further configuration properties at the moment but rather wait until this feature request gets at least another ten votes.

3reactions

mp911decommented, Feb 26, 2020

Probably, the easiest approach would be introducing spring.cloud.vault.generic.profiles/spring.cloud.vault.kv.profiles defaulting to spring.profiles.active.

Top Results From Across the Web

How to stop spring cloud AWS secrets manager trying to load ...

We have pull request that enables skipping loading profiles that will likely be merged in 2.3 and we are re-thinking Secrets Manager ...

vault secrets disable <PATH> - Fig.io

Disables a secrets engine at the given PATH. The argument corresponds to the enabled PATH of the engine, not the TYPE! All secrets...

Spring Cloud Vault

/secret/projectx/aws. Spring Cloud Vault adds all active profiles to the list of possible context paths. No active profiles will skip accessing contexts with...

Secure Secrets With Spring Cloud Config and Vault

All the paths above will be requested by the config server to provide configuration for the vault-demo-app when it starts with the dev...

Externalized Configuration with Spring Cloud Config and Vault

And last but not least, passing sensitive secrets via the ... property sources (according to the active profiles) are organized in a list ......