spring-cloud / spring-cloud-vault

Configuration Integration with HashiCorp Vault
http://cloud.spring.io/spring-cloud-vault/
Apache License 2.0

Disambiguate vault keys with same name in different paths #616

Closed tbrantb closed 2 years ago

tbrantb commented 2 years ago

spring-cloud-vault allows me to pull in secrets from multiple vault paths by comma separating the paths.

```yaml
spring:
  config:
    import: vault:///secret/rds/db1/dev/svc_xyz_account,vault:///secret/rds/db2/dev/svc_xyz_account
```

This is great, but I run into a problem when those 2 paths have the same keys "Username" and "Password". My Spring Boot projects sometimes have multiple data sources. Our systems team has automation that creates databases and service accounts and publishes the service account information into Vault. The structure is the same for each, in a format like the following:

```
/secret/rds/{db-name}/{env}/{service-account}
```

Each has a "username" and a "password" key.

Examples:

```
/secret/rds/db1/dev/svc_xyz_account
/secret/rds/db2/dev/svc_xyz_account
```

When I populate 2 data sources in my application.yml file, each of them points to the same key name:

```yaml
    url: "jdbc:postgresql://db1.foo.bar:5432/db1?currentSchema=db1"
    username: ${username}
    password: ${password}

    url: "jdbc:postgresql://db2.foo.bar:5432/db2?currentSchema=db2"
    username: ${username}
    password: ${password}
```

Given that these keys conflict, the values read from the last path specified in spring.config.import are taken. Is there some way I can provide more context, either when using the value from the config or by mapping a prefix of some kind to each path?

Not pretty, but something like:

```yaml
spring:
  config:
    import: vault:///secret/rds/db1/dev/svc_xyz_account?prefix=db1, vault:///secret/rds/db2/dev/svc_xyz_account?prefix=db2
```

```yaml
    url: "jdbc:postgresql://db1.foo.bar:5432/db1?currentSchema=db1"
    username: ${db1.username}
    password: ${db1.password}

    url: "jdbc:postgresql://db2.foo.bar:5432/db2?currentSchema=db2"
    username: ${db2.username}
    password: ${db2.password}
```

Thoughts? Ideas?

tbrantb commented 2 years ago

Actually, looking through the code at where I might be able to make such a change, it appears it's already in there, exactly as I suggested, in VaultConfigDataLocationResolver. There is a PropertyTransformer which will prefix Vault keys with the value from a prefix query param. This would be nice to add to the docs somewhere.

```yaml
spring:
  config:
    import: vault:///secret/rds/db1/dev/svc_xyz_account?prefix=xyz.
```

```yaml
    url: "jdbc:postgresql://db1.foo.bar:5432/db1?currentSchema=db1"
    username: ${xyz.username}
    password: ${xyz.password}
```

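
Putting the two comments together, here is a complete application.yml for the two-database case as an added example; it is not from the issue author or the spring-cloud-vault project. It uses the `prefix` query parameter described in the comment above, with a trailing dot on each prefix so that the Vault key `username` becomes the property `db1.username` rather than `db1username` (the comment's own `xyz.` form). The `app.datasource.*` namespace is an assumption chosen for this example, not a Spring Boot or spring-cloud-vault property.

```yaml
# Added example (not the issue's or the project's code): two Vault paths that both
# carry "username" and "password" keys, disambiguated with the prefix query param.
# Each prefix ends in a dot so the prefixed key becomes db1.username / db2.username.
spring:
  config:
    import:
      - vault:///secret/rds/db1/dev/svc_xyz_account?prefix=db1.
      - vault:///secret/rds/db2/dev/svc_xyz_account?prefix=db2.

# Assumed application-defined namespace; spring.datasource.* auto-configures only a
# single DataSource, so each database gets its own block here.
app:
  datasource:
    db1:
      url: "jdbc:postgresql://db1.foo.bar:5432/db1?currentSchema=db1"
      username: ${db1.username}   # resolved from /secret/rds/db1/dev/svc_xyz_account
      password: ${db1.password}
    db2:
      url: "jdbc:postgresql://db2.foo.bar:5432/db2?currentSchema=db2"
      username: ${db2.username}   # resolved from /secret/rds/db2/dev/svc_xyz_account
      password: ${db2.password}
```

In application code, bind `app.datasource.db1` and `app.datasource.db2` to two separate `DataSourceProperties` beans with `@ConfigurationProperties` and build a `DataSource` from each. A useful side effect of the distinct names: if one of the Vault paths is missing or renamed, the unresolved `${db2.username}` placeholder fails at startup instead of the application silently connecting to db2 with db1's service account, which is what the last-import-wins behaviour in the original configuration would have produced.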
tbrantb commented 2 years ago

Looks like this was a duplicate of https://github.com/spring-cloud/spring-cloud-vault/issues/488