Spring Cloud Vault looking for secret backend instead of AWS backend
Hey everyone,
after integrating Vault in a Golang project we also wanted to give our Java projects a try and it seemed pretty simple thanks to your project. Unfortunately it is behaving a bit weird and I don’t know why.
We are using Kubernetes for authentication and the AWS secrets engine; the bootstrap.yml looks like this:
spring.cloud.vault:
  uri: http://10.11.175.145:8200
  connection-timeout: 5000
  read-timeout: 15000
  authentication: KUBERNETES
  kubernetes:
    role: generic_role
    kubernetes-path: kubernetes
    service-account-token-file: /var/run/secrets/kubernetes.io/serviceaccount/token
  aws:
    enabled: true
    role: generic_role
    backend: aws
    access-key-property: clients.aws.accessKey
    secret-key-property: clients.aws.secretKey
But what happens (according to the audit log, full log below) is that it successfully retrieves the client token from Vault and then asks for a secret I never defined: "path":"secret/application/kubernetes". This secret doesn’t exist and the program fails at this point.
Is this a bug or just a wrong configuration? I’d be happy if you could help me.
2019-02-13 11:01:33,311 INFO [main] authentication.LifecycleAwareSessionManager (LifecycleAwareSessionManager.java:306) - Scheduling Token renewal
2019-02-13 11:01:33,362 WARN [main] lease.SecretLeaseEventPublisher$LoggingErrorListener (SecretLeaseEventPublisher.java:219) - [RequestedSecret [path='secret/application/kubernetes', mode=ROTATE]] Lease [leaseId='null', leaseDuration=PT0S, renewable=false] Status 403 Forbidden [secret/application/kubernetes]: 1 error occurred:
* permission denied
; nested exception is org.springframework.web.client.HttpClientErrorException$Forbidden: 403 Forbidden
org.springframework.vault.VaultException: Status 403 Forbidden [secret/application/kubernetes]: 1 error occurred:
* permission denied
{"time":"2019-02-13T10:04:01.849073011Z","type":"request","auth":{"client_token":"","accessor":"","display_name":"","policies":null,"metadata":null,"entity_id":"","token_type":"default"},"request":{"id":"88c83a2b-27f2-ae47-5420-c0c2a96afb5a","operation":"update","client_token":"","client_token_accessor":"","namespace":{"id":"root","path":""},"path":"auth/kubernetes/login","data":{"jwt":"hmac-sha256:6db10a997111eee2923040c1fd9d36eb3135e7b114d7920bbd2698417e210b7d","role":"hmac-sha256:29a0ceaebccc1694229a88a31b5ffc7c8b59d581027c933fd375e28cda555007"},"policy_override":false,"remote_address":"10.10.9.4","wrap_ttl":0,"headers":{}},"error":""}
{"time":"2019-02-13T10:04:01.883376622Z","type":"response","auth":{"client_token":"hmac-sha256:3ab28f31bf66095bf4d7091e8057683e050cacbee9d3774ae698d176b30093f8","accessor":"hmac-sha256:2067ff89abe144aaf4d9e26d3c41bd59fd85fc29427b7fe7e11f4bea6ff632c0","display_name":"kubernetes-default-search-management","policies":["default","search_management"],"token_policies":["default","search_management"],"metadata":{"role":"search_management","service_account_name":"search-management","service_account_namespace":"default","service_account_secret_name":"search-management-token-wpljq","service_account_uid":"c918c1d3-2f74-11e9-9ec9-02511e23f0b4"},"entity_id":"33f4374e-7d62-84c5-e324-0474150d96a5","token_type":"service"},"request":{"id":"88c83a2b-27f2-ae47-5420-c0c2a96afb5a","operation":"update","client_token":"","client_token_accessor":"","namespace":{"id":"root","path":""},"path":"auth/kubernetes/login","data":{"jwt":"hmac-sha256:6db10a997111eee2923040c1fd9d36eb3135e7b114d7920bbd2698417e210b7d","role":"hmac-sha256:29a0ceaebccc1694229a88a31b5ffc7c8b59d581027c933fd375e28cda555007"},"policy_override":false,"remote_address":"10.10.9.4","wrap_ttl":0,"headers":{}},"response":{"auth":{"client_token":"hmac-sha256:3ab28f31bf66095bf4d7091e8057683e050cacbee9d3774ae698d176b30093f8","accessor":"hmac-sha256:2067ff89abe144aaf4d9e26d3c41bd59fd85fc29427b7fe7e11f4bea6ff632c0","display_name":"kubernetes-default-search-management","policies":["default","search_management"],"token_policies":["default","search_management"],"metadata":{"role":"search_management","service_account_name":"search-management","service_account_namespace":"default","service_account_secret_name":"search-management-token-wpljq","service_account_uid":"c918c1d3-2f74-11e9-9ec9-02511e23f0b4"},"entity_id":"33f4374e-7d62-84c5-e324-0474150d96a5","token_type":"service"}},"error":""}
{"time":"2019-02-13T10:04:01.914676176Z","type":"request","auth":{"client_token":"hmac-sha256:3ab28f31bf66095bf4d7091e8057683e050cacbee9d3774ae698d176b30093f8","accessor":"hmac-sha256:2067ff89abe144aaf4d9e26d3c41bd59fd85fc29427b7fe7e11f4bea6ff632c0","display_name":"kubernetes-default-search-management","policies":["default","search_management"],"token_policies":["default","search_management"],"metadata":{"role":"search_management","service_account_name":"search-management","service_account_namespace":"default","service_account_secret_name":"search-management-token-wpljq","service_account_uid":"c918c1d3-2f74-11e9-9ec9-02511e23f0b4"},"entity_id":"33f4374e-7d62-84c5-e324-0474150d96a5","token_type":"service"},"request":{"id":"d71ab012-9889-14d3-efb2-825b90236765","operation":"read","client_token":"hmac-sha256:3ab28f31bf66095bf4d7091e8057683e050cacbee9d3774ae698d176b30093f8","client_token_accessor":"hmac-sha256:2067ff89abe144aaf4d9e26d3c41bd59fd85fc29427b7fe7e11f4bea6ff632c0","namespace":{"id":"root","path":""},"path":"secret/application/kubernetes","data":null,"policy_override":false,"remote_address":"10.10.9.4","wrap_ttl":0,"headers":{}},"error":"1 error occurred:\n\t* permission denied\n\n"}
{"time":"2019-02-13T10:04:01.914849736Z","type":"response","auth":{"client_token":"hmac-sha256:3ab28f31bf66095bf4d7091e8057683e050cacbee9d3774ae698d176b30093f8","accessor":"hmac-sha256:2067ff89abe144aaf4d9e26d3c41bd59fd85fc29427b7fe7e11f4bea6ff632c0","display_name":"kubernetes-default-search-management","policies":["default","search_management"],"token_policies":["default","search_management"],"metadata":{"role":"search_management","service_account_name":"search-management","service_account_namespace":"default","service_account_secret_name":"search-management-token-wpljq","service_account_uid":"c918c1d3-2f74-11e9-9ec9-02511e23f0b4"},"entity_id":"33f4374e-7d62-84c5-e324-0474150d96a5","token_type":"service"},"request":{"id":"d71ab012-9889-14d3-efb2-825b90236765","operation":"read","client_token":"hmac-sha256:3ab28f31bf66095bf4d7091e8057683e050cacbee9d3774ae698d176b30093f8","client_token_accessor":"hmac-sha256:2067ff89abe144aaf4d9e26d3c41bd59fd85fc29427b7fe7e11f4bea6ff632c0","namespace":{"id":"root","path":""},"path":"secret/application/kubernetes","data":null,"policy_override":false,"remote_address":"10.10.9.4","wrap_ttl":0,"headers":{}},"response":{"data":{"error":"hmac-sha256:0dd5d5a836649b969b86711925f4367c7bdfe63f2ac640947b7e61d8bbddcdc4"}},"error":"1 error occurred:\n\t* permission denied\n\n"}
Issue Analytics
- Created 5 years ago
- Comments: 9 (5 by maintainers)
Top GitHub Comments
Spring Cloud Vault has its origins in how Spring Cloud Config works. The additional backends were added over time and changing the default would impose a breaking change.
Spring Cloud Vault enables by default the generic secret backend to fetch configuration properties from Vault (see http://cloud.spring.io/spring-cloud-vault/single/spring-cloud-vault.html#vault.config.backends).
You can disable this behavior through configuration:
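To see why the client asked for `secret/application/kubernetes` (reported in the issue above) and to check a policy against every path the client will read before deploying, here is an added example that is not Spring Cloud Vault's own code. It assumes a simplified version of the documented 2.x defaults (generic backend `secret`, default context `application`, profile separator `/`), that the active profile is `kubernetes` as the requested path implies, and a constructed policy that only covers the AWS role.

```python
"""Which Vault paths will Spring Cloud Vault read for a given bootstrap config?
Added example, not Spring Cloud Vault's own code; the path rules are a
simplification of the documented 2.x defaults (generic backend "secret",
default context "application", profile separator "/")."""
from fnmatch import fnmatchcase

def generic_backend_paths(app_name="application", profiles=(), backend="secret",
                          default_context="application", separator="/"):
    """Paths the generic (key/value) backend requests, most specific first."""
    contexts = []
    for name in (app_name, default_context):
        for profile in reversed(profiles):
            contexts.append(f"{name}{separator}{profile}")
        contexts.append(name)
    # spring.application.name defaults to "application", so the app-name and
    # default-context entries collapse into one set of paths (as in the issue).
    return [f"{backend}/{c}" for c in dict.fromkeys(contexts)]

def aws_backend_path(role, backend="aws"):
    """The AWS secrets engine issues credentials at <backend>/creds/<role>."""
    return f"{backend}/creds/{role}"

def requested_paths(config):
    """All paths a client with this (constructed) config dict will read."""
    paths = []
    if config.get("generic_enabled", True):  # the generic backend is on by default
        paths += generic_backend_paths(config.get("app_name", "application"),
                                       config.get("profiles", ()))
    if config.get("aws_enabled", False):
        paths.append(aws_backend_path(config["aws_role"]))
    return paths

def denied_paths(paths, policy):
    """Vault-style check: a read succeeds only if some policy rule matches the
    path (exact, or a trailing '*' glob) and grants the 'read' capability."""
    def allowed(path):
        return any(fnmatchcase(path, rule) and "read" in caps
                   for rule, caps in policy.items())
    return [p for p in paths if not allowed(p)]

# Constructed sample mirroring the issue: "kubernetes" profile active, AWS
# backend enabled, generic backend left at its default (enabled).
ISSUE_CONFIG = {"profiles": ("kubernetes",), "aws_enabled": True, "aws_role": "generic_role"}
# Same client with spring.cloud.vault.generic.enabled=false.
FIXED_CONFIG = dict(ISSUE_CONFIG, generic_enabled=False)
# Policy granting only the AWS role (constructed, not taken from the issue).
POLICY = {"aws/creds/generic_role": {"read"}}
if __name__ == "__main__":
    for cfg in (ISSUE_CONFIG, FIXED_CONFIG):
        print(requested_paths(cfg), "denied:", denied_paths(requested_paths(cfg), POLICY))
```

With the issue's configuration the first denied path is exactly the one in the audit log; disabling the generic backend, or granting `read` on `secret/application/*` and `secret/application`, empties the denied list.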