Disable requesting secrets from paths without active profiles
See original GitHub issueIs your feature request related to a problem? Please describe. According to the reference, generic backend tries to scan available vault secrets following these rules:
/secret/{application}/{profile}
/secret/{application}
/secret/{default-context}/{profile}
/secret/{default-context}
so if I have a single secret in vault server with default application name like this:
secret/application
and if I am running the spring boot project in alpha
profile, spring cloud vault tries at least 2 requests.
Created GET request for "https://vault.server:8200/v1/secret/application/alpha"
Created GET request for "https://vault.server:8200/v1/secret/application"
I see the second trial stands for default setup just in case there’s no active spring profile. I understand this is reasonable, but for me it may sometimes become a little bit redundant. What if I don’t want to place a default secret in path secret/application
because the active profiles are always guaranteed? Still does spring cloud vault try to reach and fail with http status code 403
or 404
, as the request is forbidden or the secret is not even there.
Describe the solution you’d like I want to manually control the behavior of requesting vault secrets from various paths.
Describe alternatives you’ve considered One example I came up with is to have control with properties like:
spring.cloud.vault:
secret-without-profile: (true/false)
if false
, the scanning behavior of spring cloud vault would be:
/secret/{application}/{profile}
/secret/{default-context}/{profile}
Additional context Before asking this question, I found a conversation #179 Thanks.
Issue Analytics
- State:
- Created 4 years ago
- Reactions:4
- Comments:11 (4 by maintainers)
Top GitHub Comments
Thanks for your effort. We have VaultConfigurer and SecretBackendConfigurer in place for fine-grained configuration of config backends. The default context can be disabled by configuring it to a empty value. Everything beyond that point is too specific for a global configuration.
That being said, we’re not going to add further configuration properties at the moment but rather wait until this feature request gets at least another ten votes.
Probably, the easiest approach would be introducing
spring.cloud.vault.generic.profiles
/spring.cloud.vault.kv.profiles
defaulting tospring.profiles.active
.