Reputation: 11
Using Spring Cloud HOXTON.SR6, with Spring boot 2.3.2
When initiating the service, I get 403 errors trying to access "/secret/application" and "/secret/application/{profile}". The "application" in those paths should be replaced by my application name.
Error:
[RequestedSecret [path='secret/application/{profile}', mode=ROTATE]] Lease [leaseId='null', leaseDuration=PT0S, renewable=false] Status 403 Forbidden [secret/application/{profile}]: 1 error occurred: * permission denied ; nested exception is org.springframework.web.client.HttpClientErrorException$Forbidden: 403 Forbidden: [{"errors":["1 error occurred:\n\t* permission denied\n\n"]} ]
org.springframework.vault.VaultException: Status 403 Forbidden [secret/application/{profile}]: 1 error occurred: * permission denied ; nested exception is org.springframework.web.client.HttpClientErrorException$Forbidden: 403 Forbidden: [{"errors":["1 error occurred:\n\t* permission denied\n\n"]} ]
The replacement works correctly and the errors are gone if I set spring.cloud.vault.generic.enabled = false. The problem is that this property is set for deprecation. Then what would be the way around it?
The errors are present with:
spring:
  cloud:
    vault:
      authentication: approle
      app-role:
        role-id: <<role-id>>
        secret-id: <<secret-id>>
      kv:
        enabled: true
        backend: secret
        application-name: <<application-name>>
        default-context: <<application-name>>
      host: <<vault-host>>
But not anymore with:
spring:
  cloud:
    vault:
      authentication: approle
      app-role:
        role-id: <<role-id>>
        secret-id: <<secret-id>>
      kv:
        enabled: true
        backend: secret
        application-name: <<application-name>>
        default-context: <<application-name>>
      generic:
        enabled: false
      host: <<vault-host>>
Should I be using this differently?
Upvotes: 1
Views: 3956
Reputation: 29
I had kind of a similar problem, and here's what I did:
I removed bootstrap.properties (if any ... as it's deprecated), and moved all the Vault-related props into application.properties
I declared the property spring.config.import: vault:// into application.properties
I removed spring.cloud.vault.generic.enabled (as no longer needed).
One last thing ... if you're using env. variables, you have to make sure they're really exported ... if not, use the source command (or reboot the OS)
Upvotes: 1
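The end state of the three steps in the answer above, written out as an added example (not part of the original posts) using the question's own placeholders. It assumes Spring Boot 2.4 or later with Spring Cloud Vault 3.x, the release line where `spring.config.import` is available; the file name `application.yml` and the use of YAML instead of a properties file are also assumptions.

```yaml
# application.yml (assumed file name; no bootstrap.yml / bootstrap.properties)
spring:
  application:
    name: <<application-name>>
  config:
    # Step 2 of the answer: load Vault through the config import mechanism.
    import: vault://
  cloud:
    vault:
      host: <<vault-host>>
      authentication: approle
      app-role:
        # Placeholders from the question. Supply the real values from the
        # environment or a secrets injector, not from a committed file.
        role-id: <<role-id>>
        secret-id: <<secret-id>>
      kv:
        enabled: true
        backend: secret
        application-name: <<application-name>>
        # kv.default-context defaults to "application"; the question sets it
        # to the application name so only that path is requested.
        default-context: <<application-name>>
      # Step 3 of the answer: no spring.cloud.vault.generic.* keys here.
```

With this layout every path the client requests sits under `secret/<<application-name>>`, so the AppRole policy only needs read access to that path and its profile-specific children.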
Reputation: 386
As you said, setting the generic to false solves the problem, so my recommendation is to keep that until they remove it
Upvotes: 0