Pedro

Reputation: 11

Forbidden errors at app initialization when using spring cloud vault

Using Spring Cloud HOXTON.SR6, with Spring boot 2.3.2

When initiating the service, I get 403 errors trying to access "/secret/application" and "/secret/application/{profile}". The "application" in those paths should be replaced by my application name.

Error:

[RequestedSecret [path='secret/application/{profile}', mode=ROTATE]] Lease [leaseId='null', leaseDuration=PT0S, renewable=false] Status 403 Forbidden [secret/application/{profile}]: 1 error occurred: * permission denied ; nested exception is org.springframework.web.client.HttpClientErrorException$Forbidden: 403 Forbidden: [{"errors":["1 error occurred:\n\t* permission denied\n\n"]} ] org.springframework.vault.VaultException: Status 403 Forbidden [secret/application/{profile}]: 1 error occurred: * permission denied ; nested exception is org.springframework.web.client.HttpClientErrorException$Forbidden: 403 Forbidden: [{"errors":["1 error occurred:\n\t* permission denied\n\n"]} ]

The replacement works correctly and the errors are gone if I set spring.cloud.vault.generic.enabled = false. The problem is that this property is set for deprecation. Then what would be the way around it?

The errors are present with:

spring:
    cloud:
        vault:
            authentication: approle
            app-role:
                role-id: <<role-id>>
                secret-id: <<secret-id>>
            kv:
                enabled: true
                backend: secret
                application-name: <<application-name>>
                default-context: <<application-name>>
            host: <<vault-host>>

But not anymore with:

spring:
    cloud:
        vault:
            authentication: approle
            app-role:
                role-id: <<role-id>>
                secret-id: <<secret-id>>
            kv:
                enabled: true
                backend: secret
                application-name: <<application-name>>
                default-context: <<application-name>>
            generic:
                enabled: false
            host: <<vault-host>>

Should I be using this differently?

Upvotes: 1

Views: 3956

Answers (2)

Stephen Mafole

Reputation: 29

I had kind of a similar problem, and here's what I did:

  • I removed bootstrap.properties (if any ... as it's deprecated), and moved all the Vault-related props into application.properties

  • I declared the property spring.config.import: vault:// in application.properties

  • I removed spring.cloud.vault.generic.enabled (as no longer needed).

One last thing ... if you're using env. variables, you have to make sure they're really exported ... if not, use the source command (or reboot the OS)

Upvotes: 1
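Putting the three steps above together with the asker's settings, this is what the resulting application.yml looks like (an added example, not taken from the answer or from the Spring Cloud Vault project). It assumes the spring.config.import mechanism, which Spring Cloud Vault supports from version 3.0 (Spring Cloud 2020.0) with Spring Boot 2.4 or later, so Hoxton.SR6 would need to be upgraded first; the <<...>> values are placeholders for the asker's own role, secret and host.

```yaml
# application.yml (replaces bootstrap.properties / bootstrap.yml)
spring:
  config:
    # Imports Vault as a config data source; with no path it reads the
    # default contexts (secret/<application-name> and secret/application).
    import: vault://
  cloud:
    vault:
      host: <<vault-host>>          # placeholder
      authentication: approle
      app-role:
        role-id: <<role-id>>        # placeholder, better supplied via env var
        secret-id: <<secret-id>>    # placeholder, never commit a real one
      kv:
        enabled: true
        backend: secret
        application-name: <<application-name>>
        default-context: <<application-name>>
      # No spring.cloud.vault.generic.* block: the deprecated generic
      # backend is not configured at all, so no requests are made to the
      # paths the AppRole policy did not allow (the 403s in the question).
```

If the role-id and secret-id come from environment variables (e.g. `${VAULT_ROLE_ID}`), confirm they are actually exported in the shell that starts the service, as the answer notes.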

As you said, setting generic to false solves the problem, so my recommendation is to keep that until they remove it.

Upvotes: 0
