spring-cloud / spring-cloud-vault

Configuration Integration with HashiCorp Vault
http://cloud.spring.io/spring-cloud-vault/
Apache License 2.0

Unable to override Vault configuration in profile specific file #626

Open michalkrajcovic opened 2 years ago

michalkrajcovic commented 2 years ago

I’m unable to override Vault configuration in a profile-specific file in spring-cloud-starter-vault-config 3+ and spring-boot 2.4+.

In spring-cloud-starter-vault-config 2+ and spring-boot 2.3.x it was possible to override configuration in a profile-specific file.

bootstrap.yml

spring:
 cloud:
   vault:
     uri: ${VAULT_URI}
     authentication: AWS_IAM

bootstrap-dev.yaml

spring:
 cloud:
   vault:
     authentication: TOKEN
     token: ${VAULT_TOKEN}

When the application is run with this ^^ configuration and with spring.profiles.active=dev, the authentication method is TOKEN instead of AWS_IAM. This is no longer possible in spring-boot 2.4+ and spring-cloud 2020.0.+

application.yaml

spring:
  config:
    import: "vault:"
  cloud:
    vault:
      uri: ${VAULT_URI}
      authentication: AWS_IAM

application-dev.yaml

spring:
  cloud:
    vault:
      authentication: TOKEN
      token: ${VAULT_TOKEN}

When the application is run with this ^^ configuration and with spring.profiles.active=dev, the following exception is thrown: org.springframework.vault.authentication.VaultLoginException: Cannot login using AWS-IAM: missing client token;

However, the profile is taken into account when application.yaml is created as a multi-document YAML file, such as:

application.yaml

spring:
  config:
    import: "vault:"
  cloud:
    vault:
      uri: ${VAULT_URI}
      authentication: AWS_IAM
---
spring:
 config:
   activate:
     on-profile: "dev"
   import: "vault:"
 cloud:
   vault:
     authentication: TOKEN
     token: ${VAULT_TOKEN}

When the application is run with this ^^ configuration and with spring.profiles.active=dev, the authentication method is TOKEN instead of AWS_IAM.

Another issue is that I’m not able to disable Vault either in a profile-specific file or in multi-document YAML.

application-dev.yaml

spring:
 application:
   name: demo
 config:
   import: "optional:vault:"
 cloud:
   vault:
     enabled: false

When the application is run with this ^^ configuration and with spring.profiles.active=dev, the following exception is thrown: org.springframework.vault.authentication.VaultLoginException: Cannot login using AWS-IAM: missing client token;

application.yaml

spring:
  config:
    import: "vault:"
  cloud:
    vault:
      uri: ${VAULT_URI}
      authentication: AWS_IAM
---
spring:
 config:
   activate:
     on-profile: "dev"
   import: "optional:vault:"
 cloud:
   vault:
     enabled: false

When the application is run with this ^^ configuration and with spring.profiles.active=dev, the app fails with the error: Config data location 'vault:' does not exist

Sample

This (https://github.com/michalkrajcovic/spring-cloud-vault-demo) is a simple app to demonstrate the functionality. More info can be found in the README.md.
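Added example, not part of the original post and not project code: a pre-deployment check that flags `spring.cloud.vault.*` keys set in `application-<profile>.yaml` when `application.yaml` imports `vault:`, the two-file layout this issue reports as not being applied to the Vault login. The function names, the minimal YAML flattener (nested mappings with scalar values only) and the sample files are assumptions constructed for illustration.

```python
import re

VAULT_PREFIX = "spring.cloud.vault."
BASE_FILE = re.compile(r"^application\.ya?ml$")
PROFILE_FILE = re.compile(r"^application-[^.]+\.ya?ml$")
# Constructed sample input mirroring the two-file layout quoted in the issue.
BASE_YAML = """\
spring:
  config:
    import: "vault:"
  cloud:
    vault:
      uri: ${VAULT_URI}
      authentication: AWS_IAM
"""
DEV_YAML = """\
spring:
  cloud:
    vault:
      authentication: TOKEN
      token: ${VAULT_TOKEN}
"""

def flatten(doc):
    """Flatten one simple YAML document (nested mappings, scalar leaves) to dotted keys."""
    out, stack = {}, []  # stack holds (indent, key) for each open mapping
    for line in doc.splitlines():
        m = re.match(r"^(\s*)([^:#\s][^:]*):\s*(.*)$", line)
        if not m:
            continue  # blank line, comment, or syntax this sketch does not handle
        indent, key, value = len(m.group(1)), m.group(2).strip(), m.group(3).strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()  # close mappings that are not parents of this line
        stack.append((indent, key))
        if value:
            out[".".join(k for _, k in stack)] = value.strip("\"'")
    return out

def documents(text):
    return [flatten(d) for d in re.split(r"(?m)^---[ \t]*$", text)]

def find_ignored_overrides(files):
    """files maps filename to YAML text; returns sorted (filename, key) findings."""
    imports = any("vault:" in d.get("spring.config.import", "")
                  for n, t in files.items() if BASE_FILE.match(n) for d in documents(t))
    return sorted((n, k) for n, t in files.items() if imports and PROFILE_FILE.match(n)
                  for d in documents(t) for k in d if k.startswith(VAULT_PREFIX))

if __name__ == "__main__":
    print(find_ignored_overrides({"application.yaml": BASE_YAML, "application-dev.yaml": DEV_YAML}))
```

The check only covers the separate-file layout; it does not model the multi-document `enabled: false` failure reported above.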

nkvaratskhelia commented 2 years ago

Still waiting for a fix for this: https://github.com/spring-cloud/spring-cloud-vault/issues/571

rohithkk commented 11 months ago

This issue still persists with spring-cloud-starter-vault-config 3.1+ and Spring Boot 2.7+.

androschen commented 4 months ago

I still get this issue in spring-cloud-starter-vault-config at spring-cloud-dependencies 2022.0.5.