Renewing AWS Backend credentials (or getting new ones)
Hi there,
I’m trying to use spring-cloud-vault-config with an AWS backend. It works great on Spring startup, hitting the AWS backend and giving me an initial set of credentials. But the minute it tries to renew the lease it fails. After talking with my Vault administrator, he pointed me here:
According to Vault’s “Lease, Renew and Revoke” section (https://www.vaultproject.io/docs/concepts/lease.html) it states “For example, with the AWS secret backend, the access keys will be deleted from AWS the moment a secret is revoked. This renders the access keys invalid from that point forward.”
So, I’m trying to understand what my options are. He’s giving me a TTL of only a few minutes for the S3 access for those creds. I’m going to need to go back and get new creds periodically. If I can’t get the lease renewed, what can I do? It appears that spring-cloud-vault-config only hits that original endpoint on startup. Is there some other config or switch I can utilize that would get me new credentials? Or do I need to manually write something in Spring that hits that Vault endpoint (which would seem to defeat the purpose of this library)? Any thoughts?
Example error that I’m getting back: org.springframework.vault.client.VaultException: Cannot renew lease: Status 403 URI https://host:8200/v1/sys/renew/aws-dev/creds/S3FullAccess/bcad60d8-aad7-b01b-ee93-005eb67c4a56: permission denied
I’m using the configuration stated here: http://cloud.spring.io/spring-cloud-vault-config/spring-cloud-vault-config.html#vault.config.backends.aws with something like this in bootstrap.properties:
spring.cloud.vault.aws.enabled=true
spring.cloud.vault.aws.role=S3FullAccess
spring.cloud.vault.aws.backend=aws-dev
spring.cloud.vault.token=token
spring.cloud.vault.host=host
spring.cloud.vault.port=8200
spring.cloud.vault.scheme=https
spring.cloud.vault.connection-timeout=5000
spring.cloud.vault.read-timeout=15000
Thanks so much! I feel like I must be missing something obvious.
Issue Analytics
- Created 7 years ago
- Reactions: 6
- Comments: 29 (12 by maintainers)
Top GitHub Comments
The follow-up post about how to rotate expiring relational Spring Cloud Vault database credentials without downtime is available: Heavy Rotation of Relational Hashicorp Vault Database Secrets in Spring
A short TTL is something you’re looking for to renew the lease periodically, as long as your application is running. Spring Cloud Vault Config is lease-aware and renews leases by default (spring.cloud.vault.config.lifecycle.enabled=true) if leases are renewable. Renewing leases requires your token to be able to access /sys/renew, which is a policy setting of your token (login role). The message you get (permission denied) indicates that you’re not authorized to renew tokens. You don’t want to obtain new credentials all over because you would be required to propagate the new credentials to various places without actually knowing where these credentials are really used. Obtaining new credentials creates a lot of new users, and Spring Cloud Vault Config exposes credentials just to the Environment. Properties are picked up from there by configuration components and are held in components that are not under control of Spring Cloud Vault Config.