John Gordon

Reputation: 2201

Spring Cloud Vault With KV v2 - How to Avoid 403 at Startup?

Problem

Does anyone know how to configure bootstrap.yml to tell Spring Cloud Vault to go to the correct path for KV v2 and not try other paths first?

Details

I can successfully connect to my Vault, running KV v2, but Spring Cloud will always try to connect to paths in the vault that don't exist, throwing a 403 on startup.

Status 403 Forbidden [secret/application]: permission denied; nested exception is org.springframework.web.client.HttpClientErrorException$Forbidden: 403 Forbidden

The above path, secret/application, doesn't exist because KV v2 puts data in the path. For example: secret/data/application.

This isn't a show-stopper because Spring Cloud Vault does check other paths, including the correct one that has the data item in the path, but the fact a meaningless 403 is thrown during startup is like a splinter in my mind.

Ultimately, it does try the correct KV v2 path:

2019-03-18 12:22:46.611  INFO 77685 --- [  restartedMain] b.c.PropertySourceBootstrapConfiguration : Located property source: CompositePropertySource {name='vault', propertySources=[LeaseAwareVaultPropertySource {name='secret/data/my-app'}

My configuration

    spring.cloud.vault:
      kv:
        enabled: true
        backend: secret
        profile-separator: '/'
        default-context: my-app
        application-name: my-app
      host: localhost
      port: 8200
      scheme: http
      authentication: TOKEN
      token: my-crazy-long-token-string

Thanks for your help!

Upvotes: 4

Views: 5363

Answers (3)

maximus

Reputation: 1558

spring.cloud.vault.generic.enabled is deprecated in spring-cloud 3.0.0, but the 403 error is still there. To disable the warning (by telling Spring to use the exact context), this is what I used:

spring:
  config:
    import: vault://
  application:
    name: my-application
  cloud:
    vault:
      host: localhost
      scheme: http
      authentication: TOKEN
      token: my-crazy-long-token-string
      kv:
        default-context: my-application

Other configs were set to default (such as port = 8200, backend = secret, etc.)

Upvotes: 0

Alexey Furmanov

Reputation: 31

In addition to the accepted answer, it's important to turn off (or just remove) the fail-fast option:

spring.cloud.vault:
  fail-fast: false

Upvotes: 1

Add the following lines to your bootstrap.yml; this disables the generic backend:

spring.cloud.vault:
  generic:
    enabled: false

for more information https://cloud.spring.io/spring-cloud-vault/reference/html/#vault.config.backends.generic

Upvotes: 5
