Reputation: 2071
Accessing Docker Vault secrets using Spring Cloud Starter Vault Config Could Not Resolve
I am running a Docker Vault container in dev mode, and I can't read a secret located at /secret/mobsters/ called password.
Here are Spring logs.
Running vault kv get secret/mobsters returns the password key value pair. I can also access the vault server locally.
Here is how I am referencing the secret:
@Value("${password}")
String password;
@PostConstruct
private void postConstruct() {
System.out.println("My password is: " + password);
}
The Spring Cloud Vault configuration is setup using a bootstrap.yml file:
spring.application.name: mobsters
spring.cloud.vault:
host: localhost
port: 8200
scheme: http
authentication: TOKEN
token: ...
I am getting an exception with the message (full exception here):
Caused by: java.lang.IllegalArgumentException: Could not resolve placeholder 'password' in value "${password}"`
From Vault UI:
Upvotes: 2
Views: 2650
Answers (2)
Reputation: 177
It looks like there is a way to fix this.
In your bootstrap.yml, make sure that generic.enabled is false and kv.enabled is true.
spring:
...
cloud.vault:
...
kv.enabled: true
generic.enabled: false
According to this answer on GitHub:
The main difference between those two is that kv injects the data segment in the context path and unwraps nested data responses.
If you're running a [springboot] version before 2.0, then you need to implement an org.springframework.cloud.vault.config.VaultConfigurer bean that is exposed to the bootstrap context. SecretBackendConfigurer accepts a path and a PropertyTransformer that transforms properties before exposing these as PropertySource.
Upvotes: 0
Reputation: 18137
Using Spring Vault/Spring Cloud Vault with HashiCorp Vault 0.10.0 does not work as the key/value backend is mounted with versioning enabled by default. This has some significance as the versioned API has changed entirely and breaks existing client implementations. Context paths and response structure are different.
You have two options:
- Use an older Vault version (such as 0.9.5)
- Try to cope with API changes until Spring Cloud Vault finds an approach to use the new API. You need to:
- Set
spring.cloud.vault.generic.backend=secret/datain your bootstrap configuration. - Prefix property names with
data.so@Value("${hello.world}")becomes@Value("${data.hello.world}").
- Set
Upvotes: 2
Related Questions
- Integrating Spring Cloud Config Server with vault backend giving I/O error on GET request with connection refused
- Unable to instantiate VaultConfigDataLoader
- Spring Cloud and vault integration error Caused by: java.lang.ClassNotFoundException: ConfigurationBeanFactoryMetadata
- spring Vault location [secret/my-application] not resolvable: Not found
- Spring Config Server : get secrets from vault with specific path
- Vault. Spring. Unrecognized SSL message, plaintext connection/
- Spring Cloud Vault. Issue with VaultPropertySource in environments without Vault
- Spring Cloud Vault - Missing required header: X-Config-Token
- How to retrieve db credentials using Spring Cloud Vault
- "Secret id missing" error while connecting to Vault using Spring cloud vault