Spring Cloud Vault looking for secret backend instead of AWS backend


Hey everyone, after integrating Vault in a Golang project we also wanted to give our Java projects a try, and it seemed pretty simple thanks to your project. Unfortunately it is behaving a bit weird and I don’t know why. We are using Kubernetes for authentication and the AWS secrets engine; the bootstrap.yml looks like this:

spring.cloud.vault:
    uri: http://10.11.175.145:8200
    connection-timeout: 5000
    read-timeout: 15000
    authentication: KUBERNETES
    kubernetes:
        role: generic_role
        kubernetes-path: kubernetes
        service-account-token-file: /var/run/secrets/kubernetes.io/serviceaccount/token
    aws:
        enabled: true
        role: generic_role
        backend: aws
        access-key-property: clients.aws.accessKey
        secret-key-property: clients.aws.secretKey

But what happens (according to the audit log; see the full log below) is that it successfully retrieves the client token from Vault and then asks for a secret I never defined: "path":"secret/application/kubernetes". This secret doesn’t exist and the program is failing at this point. Is this a bug or just a wrong configuration? I’d be happy if you could help me.

2019-02-13 11:01:33,311 INFO  [main] authentication.LifecycleAwareSessionManager (LifecycleAwareSessionManager.java:306) - Scheduling Token renewal
2019-02-13 11:01:33,362 WARN  [main] lease.SecretLeaseEventPublisher$LoggingErrorListener (SecretLeaseEventPublisher.java:219) - [RequestedSecret [path='secret/application/kubernetes', mode=ROTATE]] Lease [leaseId='null', leaseDuration=PT0S, renewable=false] Status 403 Forbidden [secret/application/kubernetes]: 1 error occurred:
	* permission denied

; nested exception is org.springframework.web.client.HttpClientErrorException$Forbidden: 403 Forbidden
org.springframework.vault.VaultException: Status 403 Forbidden [secret/application/kubernetes]: 1 error occurred:
	* permission denied
{"time":"2019-02-13T10:04:01.849073011Z","type":"request","auth":{"client_token":"","accessor":"","display_name":"","policies":null,"metadata":null,"entity_id":"","token_type":"default"},"request":{"id":"88c83a2b-27f2-ae47-5420-c0c2a96afb5a","operation":"update","client_token":"","client_token_accessor":"","namespace":{"id":"root","path":""},"path":"auth/kubernetes/login","data":{"jwt":"hmac-sha256:6db10a997111eee2923040c1fd9d36eb3135e7b114d7920bbd2698417e210b7d","role":"hmac-sha256:29a0ceaebccc1694229a88a31b5ffc7c8b59d581027c933fd375e28cda555007"},"policy_override":false,"remote_address":"10.10.9.4","wrap_ttl":0,"headers":{}},"error":""}
{"time":"2019-02-13T10:04:01.883376622Z","type":"response","auth":{"client_token":"hmac-sha256:3ab28f31bf66095bf4d7091e8057683e050cacbee9d3774ae698d176b30093f8","accessor":"hmac-sha256:2067ff89abe144aaf4d9e26d3c41bd59fd85fc29427b7fe7e11f4bea6ff632c0","display_name":"kubernetes-default-search-management","policies":["default","search_management"],"token_policies":["default","search_management"],"metadata":{"role":"search_management","service_account_name":"search-management","service_account_namespace":"default","service_account_secret_name":"search-management-token-wpljq","service_account_uid":"c918c1d3-2f74-11e9-9ec9-02511e23f0b4"},"entity_id":"33f4374e-7d62-84c5-e324-0474150d96a5","token_type":"service"},"request":{"id":"88c83a2b-27f2-ae47-5420-c0c2a96afb5a","operation":"update","client_token":"","client_token_accessor":"","namespace":{"id":"root","path":""},"path":"auth/kubernetes/login","data":{"jwt":"hmac-sha256:6db10a997111eee2923040c1fd9d36eb3135e7b114d7920bbd2698417e210b7d","role":"hmac-sha256:29a0ceaebccc1694229a88a31b5ffc7c8b59d581027c933fd375e28cda555007"},"policy_override":false,"remote_address":"10.10.9.4","wrap_ttl":0,"headers":{}},"response":{"auth":{"client_token":"hmac-sha256:3ab28f31bf66095bf4d7091e8057683e050cacbee9d3774ae698d176b30093f8","accessor":"hmac-sha256:2067ff89abe144aaf4d9e26d3c41bd59fd85fc29427b7fe7e11f4bea6ff632c0","display_name":"kubernetes-default-search-management","policies":["default","search_management"],"token_policies":["default","search_management"],"metadata":{"role":"search_management","service_account_name":"search-management","service_account_namespace":"default","service_account_secret_name":"search-management-token-wpljq","service_account_uid":"c918c1d3-2f74-11e9-9ec9-02511e23f0b4"},"entity_id":"33f4374e-7d62-84c5-e324-0474150d96a5","token_type":"service"}},"error":""}
{"time":"2019-02-13T10:04:01.914676176Z","type":"request","auth":{"client_token":"hmac-sha256:3ab28f31bf66095bf4d7091e8057683e050cacbee9d3774ae698d176b30093f8","accessor":"hmac-sha256:2067ff89abe144aaf4d9e26d3c41bd59fd85fc29427b7fe7e11f4bea6ff632c0","display_name":"kubernetes-default-search-management","policies":["default","search_management"],"token_policies":["default","search_management"],"metadata":{"role":"search_management","service_account_name":"search-management","service_account_namespace":"default","service_account_secret_name":"search-management-token-wpljq","service_account_uid":"c918c1d3-2f74-11e9-9ec9-02511e23f0b4"},"entity_id":"33f4374e-7d62-84c5-e324-0474150d96a5","token_type":"service"},"request":{"id":"d71ab012-9889-14d3-efb2-825b90236765","operation":"read","client_token":"hmac-sha256:3ab28f31bf66095bf4d7091e8057683e050cacbee9d3774ae698d176b30093f8","client_token_accessor":"hmac-sha256:2067ff89abe144aaf4d9e26d3c41bd59fd85fc29427b7fe7e11f4bea6ff632c0","namespace":{"id":"root","path":""},"path":"secret/application/kubernetes","data":null,"policy_override":false,"remote_address":"10.10.9.4","wrap_ttl":0,"headers":{}},"error":"1 error occurred:\n\t* permission denied\n\n"}
{"time":"2019-02-13T10:04:01.914849736Z","type":"response","auth":{"client_token":"hmac-sha256:3ab28f31bf66095bf4d7091e8057683e050cacbee9d3774ae698d176b30093f8","accessor":"hmac-sha256:2067ff89abe144aaf4d9e26d3c41bd59fd85fc29427b7fe7e11f4bea6ff632c0","display_name":"kubernetes-default-search-management","policies":["default","search_management"],"token_policies":["default","search_management"],"metadata":{"role":"search_management","service_account_name":"search-management","service_account_namespace":"default","service_account_secret_name":"search-management-token-wpljq","service_account_uid":"c918c1d3-2f74-11e9-9ec9-02511e23f0b4"},"entity_id":"33f4374e-7d62-84c5-e324-0474150d96a5","token_type":"service"},"request":{"id":"d71ab012-9889-14d3-efb2-825b90236765","operation":"read","client_token":"hmac-sha256:3ab28f31bf66095bf4d7091e8057683e050cacbee9d3774ae698d176b30093f8","client_token_accessor":"hmac-sha256:2067ff89abe144aaf4d9e26d3c41bd59fd85fc29427b7fe7e11f4bea6ff632c0","namespace":{"id":"root","path":""},"path":"secret/application/kubernetes","data":null,"policy_override":false,"remote_address":"10.10.9.4","wrap_ttl":0,"headers":{}},"response":{"data":{"error":"hmac-sha256:0dd5d5a836649b969b86711925f4367c7bdfe63f2ac640947b7e61d8bbddcdc4"}},"error":"1 error occurred:\n\t* permission denied\n\n"}

Issue Analytics

  • State: closed
  • Created: 5 years ago
  • Comments: 9 (5 by maintainers)

Top GitHub Comments

1 reaction
mp911de commented, Feb 13, 2019

Spring Cloud Vault has its origins in how Spring Cloud Config works. The additional backends were added over time and changing the default would impose a breaking change.

1 reaction
mp911de commented, Feb 13, 2019

Spring Cloud Vault enables by default the generic secret backend to fetch configuration properties from Vault (see http://cloud.spring.io/spring-cloud-vault/single/spring-cloud-vault.html#vault.config.backends).

You can disable this behavior through configuration:

spring.cloud.vault:
    generic:
        enabled: false
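The answer above hinges on two things a practitioner wants to confirm before changing anything: which backends Spring Cloud Vault will actually query for a given bootstrap configuration (the generic kv backend is on unless explicitly disabled, the AWS backend is off unless explicitly enabled), and which paths the client really requested according to Vault's audit log. The following Python script is an added example, not code from the issue or from the Spring Cloud Vault project. It models only the `generic` and `aws` sections shown on this page, the sample audit lines are constructed to match the shape of the entries quoted in the issue (trimmed to the fields inspected), and the mount prefix `secret/` for the generic backend is taken from the denied path in the log.

```python
import json
from collections import Counter

# Constructed sample in the shape Vault's JSON audit device writes: the login
# response, the denied read on the generic backend, and a successful AWS read.
SAMPLE_AUDIT_LOG = """\
{"time":"2019-02-13T10:04:01.883376622Z","type":"response","auth":{"display_name":"kubernetes-default-search-management","policies":["default","search_management"]},"request":{"id":"88c83a2b","operation":"update","path":"auth/kubernetes/login"},"error":""}
{"time":"2019-02-13T10:04:01.914849736Z","type":"response","auth":{"display_name":"kubernetes-default-search-management","policies":["default","search_management"]},"request":{"id":"d71ab012","operation":"read","path":"secret/application/kubernetes"},"error":"1 error occurred:\\n\\t* permission denied\\n\\n"}
{"time":"2019-02-13T10:04:02.000000000Z","type":"response","auth":{"display_name":"kubernetes-default-search-management","policies":["default","search_management"]},"request":{"id":"aa11bb22","operation":"read","path":"aws/creds/generic_role"},"error":""}
"""

# Mirrors the spring.cloud.vault subtree from the issue's bootstrap.yml,
# minus connection settings; the fixed variant adds the maintainer's change.
PAGE_CONFIG = {
    "authentication": "KUBERNETES",
    "kubernetes": {"role": "generic_role", "kubernetes-path": "kubernetes"},
    "aws": {"enabled": True, "role": "generic_role", "backend": "aws"},
}
FIXED_CONFIG = {**PAGE_CONFIG, "generic": {"enabled": False}}


def effective_backends(vault_cfg):
    """Return the set of secret backends Spring Cloud Vault will query.

    The generic kv backend is enabled unless 'generic.enabled' is false;
    the aws backend is enabled only when 'aws.enabled' is true.
    Assumption: only these two sections are modelled here.
    """
    enabled = set()
    if vault_cfg.get("generic", {}).get("enabled", True):
        enabled.add("generic")
    if vault_cfg.get("aws", {}).get("enabled", False):
        enabled.add("aws")
    return enabled


def parse_audit_lines(text):
    """Yield one dict per JSON line; silently skip blank or non-JSON lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def summarize_responses(text):
    """Return (requests, denied).

    requests: list of (operation, path, display_name) for every response entry.
    denied:   Counter of request paths whose response reported 'permission denied'.
    """
    requests = []
    denied = Counter()
    for entry in parse_audit_lines(text):
        if entry.get("type") != "response":
            continue
        req = entry.get("request", {})
        auth = entry.get("auth", {}) or {}
        path = req.get("path")
        requests.append((req.get("operation"), path, auth.get("display_name")))
        if "permission denied" in (entry.get("error") or ""):
            denied[path] += 1
    return requests, denied


def denied_by_mount(denied):
    """Group denied paths by their Vault mount (the first path segment).

    Seeing 'secret' here while the config only enabled 'aws' is the signal
    that the default-on generic backend is still being queried.
    """
    by_mount = {}
    for path in denied:
        mount = path.split("/", 1)[0]
        by_mount.setdefault(mount, []).append(path)
    return {mount: sorted(paths) for mount, paths in by_mount.items()}


if __name__ == "__main__":
    print("backends with page config: ", sorted(effective_backends(PAGE_CONFIG)))
    print("backends with fixed config:", sorted(effective_backends(FIXED_CONFIG)))
    reqs, denied = summarize_responses(SAMPLE_AUDIT_LOG)
    for op, path, who in reqs:
        print(f"{op:6} {path:35} by {who}")
    print("denied by mount:", denied_by_mount(denied))
```

Run against a real audit log, the `denied_by_mount` output tells you which mount the client is hitting without a policy, which is quicker than reading the hashed JSON by eye; `effective_backends` on the fixed config confirms that only the AWS backend remains, so the `secret/` reads stop once `generic.enabled: false` is applied.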