Adrian Elder

Reputation: 2071

Accessing Docker Vault secrets using Spring Cloud Starter Vault Config Could Not Resolve

I am running a Docker Vault container in dev mode, and I can't read a secret located at /secret/mobsters/ called password.

Here are Spring logs.

Running vault kv get secret/mobsters returns the password key value pair. I can also access the vault server locally.

Here is how I am referencing the secret:

@Value("${password}")
String password;

@PostConstruct
private void postConstruct() {
    System.out.println("My password is: " + password);
}

The Spring Cloud Vault configuration is set up using a bootstrap.yml file:

spring.application.name: mobsters
spring.cloud.vault:
    host: localhost
    port: 8200
    scheme: http
    authentication: TOKEN
    token: ...

I am getting an exception with the message (full exception here):

Caused by: java.lang.IllegalArgumentException: Could not resolve placeholder 'password' in value "${password}"

From Vault UI:


Upvotes: 2

Views: 2646

Answers (2)

patrickjm

Reputation: 177

It looks like there is a way to fix this.

In your bootstrap.yml, make sure that generic.enabled is false and kv.enabled is true.

spring:
  ...
  cloud.vault:
      ...
      kv.enabled: true
      generic.enabled: false

According to this answer on GitHub:

The main difference between those two is that kv injects the data segment in the context path and unwraps nested data responses.

If you're running a [springboot] version before 2.0, then you need to implement an org.springframework.cloud.vault.config.VaultConfigurer bean that is exposed to the bootstrap context. SecretBackendConfigurer accepts a path and a PropertyTransformer that transforms properties before exposing these as PropertySource.

Upvotes: 0

mp911de

Reputation: 18127

Using Spring Vault/Spring Cloud Vault with HashiCorp Vault 0.10.0 does not work as the key/value backend is mounted with versioning enabled by default. This has some significance as the versioned API has changed entirely and breaks existing client implementations. Context paths and response structure are different.

You have two options:

  1. Use an older Vault version (such as 0.9.5)
  2. Try to cope with API changes until Spring Cloud Vault finds an approach to use the new API. You need to:
    • Set spring.cloud.vault.generic.backend=secret/data in your bootstrap configuration.
    • Prefix property names with data. so @Value("${hello.world}") becomes @Value("${data.hello.world}").

Upvotes: 2
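
Added example (not part of either answer, and not Spring Cloud Vault's own code): a small Java model of the path and response-shape change described in the answer above, showing why ${password} is unresolved against a versioned mount and why backend=secret/data exposes it as data.password. The in-memory "servers", the flattening client and the secret value are constructed assumptions; only the paths secret/mobsters and secret/data and the data. prefix come from the page.

```java
import java.util.Map;
import java.util.TreeMap;

// Added illustration, not Spring Cloud Vault code. Paths follow the page; values are constructed.
public class KvVersionDemo {

    // Constructed stand-in for a Vault 0.10 dev server whose "secret" mount is versioned (KV v2).
    static final Map<String, Map<String, Object>> KV2_SERVER = Map.of(
            "/v1/secret/data/mobsters", Map.of("data", Map.of(
                    "data", Map.of("password", "constructed-value"),
                    "metadata", Map.of("version", "1"))));

    // Constructed stand-in for an unversioned (KV v1) mount, as in Vault 0.9.5.
    static final Map<String, Map<String, Object>> KV1_SERVER = Map.of(
            "/v1/secret/mobsters", Map.of("data", Map.of("password", "constructed-value")));

    // Assumed model of a v1-style client: read <backend>/<app>, take the top-level
    // "data" object and expose nested keys as dotted property names.
    static Map<String, Object> properties(Map<String, Map<String, Object>> server,
                                          String backend, String app) {
        Map<String, Object> out = new TreeMap<>();
        Map<String, Object> body = server.get("/v1/" + backend + "/" + app);
        if (body != null) {                       // a missing path yields no properties
            flatten("", body.get("data"), out);
        }
        return out;
    }

    @SuppressWarnings("unchecked")
    static void flatten(String prefix, Object node, Map<String, Object> out) {
        if (node instanceof Map) {
            for (Map.Entry<String, Object> e : ((Map<String, Object>) node).entrySet()) {
                String key = prefix.isEmpty() ? e.getKey() : prefix + "." + e.getKey();
                flatten(key, e.getValue(), out);
            }
        } else {
            out.put(prefix, node);
        }
    }

    public static void main(String[] args) {
        // KV v1: the secret is exposed as "password", so ${password} resolves.
        System.out.println(properties(KV1_SERVER, "secret", "mobsters"));
        // KV v2, default backend: nothing at secret/mobsters, so ${password} cannot resolve.
        System.out.println(properties(KV2_SERVER, "secret", "mobsters"));
        // KV v2, backend=secret/data: the secret appears as data.password.
        System.out.println(properties(KV2_SERVER, "secret/data", "mobsters"));
    }
}
```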
