spring-cloud / spring-cloud-vault

Configuration Integration with HashiCorp Vault
http://cloud.spring.io/spring-cloud-vault/
Apache License 2.0

Forbidden error accessing "/secret/application/<<profile>>" #452

Closed Pedro-Fernandes closed 3 years ago

Pedro-Fernandes commented 4 years ago

Describe the bug: Using Spring Cloud HOXTON.SR6 with Spring Boot 2.3.2, when initiating the service I get 403 errors trying to access "/secret/application" and "/secret/application/{profile}". The "application" in those paths should be replaced by my application name. Error: `[RequestedSecret [path='secret/application/{profile}', mode=ROTATE]] Lease [leaseId='null', leaseDuration=PT0S, renewable=false] Status 403 Forbidden [secret/application/{profile}]: 1 error occurred:`

The replacement works correctly and the errors are gone if I set spring.cloud.vault.generic.enabled = false. The problem is that this property is set for deprecation. Then what would be the way around it?

Sample: not working with the following bootstrap:

```yaml
spring:
    cloud:
        vault:
            authentication: approle
            app-role:
                role-id: <<role-id>>
                secret-id: <<secret-id>>
            kv:
                enabled: true
                backend: secret
                application-name: <<application-name>>
                default-context: <<application-name>>
            host: <<vault-host>>
```

works with:

```yaml
spring:
    cloud:
        vault:
            authentication: approle
            app-role:
                role-id: <<role-id>>
                secret-id: <<secret-id>>
            kv:
                enabled: true
                backend: secret
                application-name: <<application-name>>
                default-context: <<application-name>>
            generic:
                enabled: false
            host: <<vault-host>>
```

mp911de commented 4 years ago

Thanks for the report. So basically, the {profile} is not being replaced properly. We need to investigate why this is.

Pedro-Fernandes commented 4 years ago

Actually the {profile} is correct, I just replaced its name in the description text. Say I was using a dev profile: the application would try to read 'secret/application/dev', and the expected behaviour would be 'secret/my-application-name/dev'.

Thank you for looking into it.

mp911de commented 3 years ago

I wasn't able to reproduce the issue. The mechanism that computes the paths hasn't changed. Feel free to provide a minimal sample that is able to demonstrate the problem.

Pedro-Fernandes commented 3 years ago

Please check this small project that reproduces the issue. Instructions to set up Vault are in the readme.

darinhoward commented 3 years ago

I've run into this issue as well @Pedro-Fernandes - did you find a resolution?

Pedro-Fernandes commented 3 years ago

Hey @darinhoward, no solution afaik.

mp911de commented 3 years ago

The Vault ACL policies cause the "permission denied" response. Please configure your Vault ACL policy correctly, see https://learn.hashicorp.com/tutorials/vault/policies for reference. The Vault reference documentation contains ACL methods and paths.

tuansoibk commented 2 years ago

Hi @mp911de, I'm not sure commenting here is still valid, please advise. Anyway, I'm still facing the same error as mentioned in this issue. The application was trying to read from secret/application, and it failed to do so, then it read from secret/my-application-name and succeeded --> there are a bunch of exception stack traces in the application logs even though the application started successfully, and I'm looking for a way to get rid of that. I didn't get your last comment: I have configured a read-enabled policy for secret/my-application-name, did you imply that I should have configured the same policy for the path secret/application?

tuansoibk commented 2 years ago

Nvm, I've just found it: setting spring.cloud.vault.kv.default-context=my-application-name should do the job. Thanks for the reference document.
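As an added example (not code from the spring-cloud-vault project), a small Python pre-flight check: it lists the KV paths a given `default-context` / `application-name` / profile combination will make Spring Cloud Vault read, then runs them against a simplified model of a Vault ACL policy, so the 403s seen in this thread can be predicted and the policy or `default-context` fixed before startup. Assumptions: the `{backend}/{context}` and `{backend}/{context}/{profile}` layout follows the paths shown in the report, and the policy matcher models only literal rules, a trailing `*` glob, the `+` single-segment wildcard and longest-rule-wins; for a KV v2 backend pass `secret/data` as the backend, since both the API path and the policy rule carry that segment.

```python
import re


def context_paths(backend, default_context, application_name, profiles):
    """Enumerate the KV paths read for a {backend}/{context}[/{profile}] layout:
    the default context first, then each comma-separated application name.
    Duplicates (default-context equal to application-name, as in the report)
    are collapsed. This mirrors the thread's paths, not the library's own code."""
    names = [default_context] + [n.strip() for n in application_name.split(",") if n.strip()]
    paths = []
    for name in names:
        for candidate in [name] + [f"{name}/{profile}" for profile in profiles]:
            path = f"{backend}/{candidate}"
            if path not in paths:
                paths.append(path)
    return paths


def rule_to_regex(rule):
    """Vault-style rule: literal path, trailing '*' glob, '+' for one segment."""
    pattern = re.escape(rule)
    if pattern.endswith(r"\*"):
        pattern = pattern[:-2] + ".*"
    return re.compile(pattern.replace(r"\+", "[^/]+"))


def denied_paths(policy, paths, capability="read"):
    """Return the paths the policy would reject. policy maps rule -> set of
    capabilities; as in Vault, the longest matching rule decides (simplified model)."""
    denied = []
    for path in paths:
        matches = [(len(rule), caps) for rule, caps in policy.items()
                   if rule_to_regex(rule).fullmatch(path)]
        if not matches:
            denied.append(path)
            continue
        caps = max(matches, key=lambda m: m[0])[1]
        if "deny" in caps or capability not in caps:
            denied.append(path)
    return denied


if __name__ == "__main__":
    # Constructed policy: read access only under the application's own contexts.
    policy = {"secret/my-app": {"read"}, "secret/my-app/*": {"read"}}
    # default-context left at its default "application": the two 403s from the thread.
    print(denied_paths(policy, context_paths("secret", "application", "my-app", ["dev"])))
    # default-context set to the application name, as in the last comment: nothing denied.
    print(denied_paths(policy, context_paths("secret", "my-app", "my-app", ["dev"])))
```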