Reputation: 11
Forbidden errors at app initialization when using spring cloud vault
Using Spring Cloud HOXTON.SR6, with Spring boot 2.3.2
When initiating the service, i get 403 errors trying to access "/secret/application" and "/secret/application/{profile}". The "application" in those paths should be replaced by my application name.
Error:
[RequestedSecret [path='secret/application/{profile}’, mode=ROTATE]] Lease [leaseId='null', leaseDuration=PT0S, renewable=false] Status 403 Forbidden [secret/application/{profile}]: 1 error occurred: * permission denied ; nested exception is org.springframework.web.client.HttpClientErrorException$Forbidden: 403 Forbidden: [{"errors":["1 error occurred:\n\t* permission denied\n\n"]} ] org.springframework.vault.VaultException: Status 403 Forbidden [secret/application/{profile}]: 1 error occurred: * permission denied ; nested exception is org.springframework.web.client.HttpClientErrorException$Forbidden: 403 Forbidden: [{"errors":["1 error occurred:\n\t* permission denied\n\n"]} ]
The replacement works correctly and the erros are gone if i set spring.cloud.vault.generic.enabled = false. The problem is that this property is set for deprecation. Then what would be the way around it?
The errors are present with:
spring:
cloud:
vault:
authentication: approle
app-role:
role-id: <<role-id>>
secret-id: <<secret-id>>
kv:
enabled: true
backend: secret
application-name: <<application-name>>
default-context: <<application-name>>
host: <<vault-host>>
But not anymore with:
spring:
cloud:
vault:
authentication: approle
app-role:
role-id: <<role-id>>
secret-id: <<secret-id>>
kv:
enabled: true
backend: secret
application-name: <<application-name>>
default-context: <<application-name>>
generic:
enabled: false
host: <<vault-host>>
Should i be using this differently?
Upvotes: 1
Views: 3956
Answers (2)
Reputation: 29
I had kind of a similar problem, and here's what I did :
I removed bootstrap.properties (if any ... as it's deprecated), and moved all the Vault-related props into application.properties
I declared the property
spring.config.import: vault://into application.propertyI removed
spring.cloud.vault.generic.enabled(as no longer needed).
One last thing ... if you're using env. variables, you've to make sure they're really exported ... if not, use the source command (or reboot the os)
Upvotes: 1
Reputation: 386
As you said setting the generic to false solve the problem, so my recommendation is to keep that until they remove it
Upvotes: 0
Related Questions
- Spring Cloud Vault: Token (spring.cloud.vault.token) must not be empty
- Integrating Spring Cloud Config Server with vault backend giving I/O error on GET request with connection refused
- Unable to instantiate VaultConfigDataLoader
- Caused by: java.lang.IllegalArgumentException: Token (spring.cloud.vault.token) must not be empty - Hashicorp Vault
- Spring Cloud Vault With k2 v2 - How to Avoid 403 at Startup?
- Unable to initialise vault
- failed to create client: parse "http://127.0.0.1:8200": first path segment in URL cannot contain colon in Hashi-corp Vault
- getting error when trying to enable approle
- Spring Boot & Vault: incomplete context initialization issue
- Vault error while writing