spring-cloud / spring-cloud-vault

Configuration Integration with HashiCorp Vault
http://cloud.spring.io/spring-cloud-vault/
Apache License 2.0

Config server - APPROLE authn not working #678

Closed annagalingam closed 1 year ago

annagalingam commented 1 year ago

I have configured the Config Server to use Vault as backend and tried to use the authentication mechanism of APPROLE; it neither does any authentication nor connects to the Vault.

I'm using spring boot 3.0.3, Java 17.

Sample application.yml

server:
  port: 8888
spring:
  cloud:
    config:
      server:
        vault:
          host: myvault.com
          port: 443
          scheme: https
          namespace: test-name
          authentication: APPROLE
          app-role:
            role-id: my-role-id
            secret-id: my-secret-id
            role: app-role
            app-role-path: approle
          kv-version: 2
          backend: kv
  profiles:
    active:
      - vault
  application:
    name: spring-config-server

-- Am I missing any other setup?

ryanjbaxter commented 1 year ago

I see Spring Vault supports APPROLE but I don't see it documented in Spring Cloud Vault which is what Spring Cloud Config uses. @mp911de is it supported in Spring Cloud Vault?

annagalingam commented 1 year ago

@ryanjbaxter Now I'm getting the error below when the get secret-id API is called. I analyzed and found that the "X-Vault-Namespace" header is not being passed in the request, hence this error from the vault.

403 Forbidden: "{"errors":["1 error occurred:\n\t* permission denied\n\n"]}"

But I see https://github.com/spring-cloud/spring-cloud-config/pull/1566 PR has fixed that namespace issue. But still, I'm getting the error.

I added "spring-vault-core" dependency in my pom.

Am I missing something here?

mp911de commented 1 year ago

Yes, Spring Cloud Vault supports AppRole authentication. Configuring this authentication mechanism comes with a bit of complexity as there are push/pull modes associated with SecretId and RoleId.

The code is at https://github.com/spring-cloud/spring-cloud-vault/blob/c8f2168691465271652619d2c9d8d70c80554ab2/spring-cloud-vault-config/src/main/java/org/springframework/cloud/vault/config/ClientAuthenticationFactory.java#L206-L258.

You can find the reference docs for Spring Cloud Vault AppRole auth at https://docs.spring.io/spring-cloud-vault/docs/current/reference/html/#approle-authentication

annagalingam commented 1 year ago

@mp911de Yes followed the same document.

I'll share all my config again. Pls check and let me know if I am missing anything here.

pom.xml: [screenshot]

application.xml: [screenshot]

Java: [screenshot]

Error: org.springframework.vault.authentication.VaultLoginException: Cannot get Role id using AppRole: 1 error occurred:

I analyzed and found that the "X-Vault-Namespace" header is not being passed in the request, hence this error from the vault.

Do you think I should include something here?

Apologies for the image.

mp911de commented 1 year ago

AbstractVaultConfiguration doesn't configure the namespace interceptor. The easiest way to include namespace support is overriding AbstractVaultConfiguration.restTemplateBuilder(…) and add a default header through builder.defaultHeader(VaultHttpHeaders.VAULT_NAMESPACE, this.vaultProperties.getNamespace()).

Spring Cloud Vault handles this aspect out of the box; Spring Cloud Config would need to adapt to that.

annagalingam commented 1 year ago

@mp911de, thanks for your response. I have overridden restTemplateBuilder and passed the namespace, and it's working now.

@Override
protected RestTemplateBuilder restTemplateBuilder(VaultEndpointProvider endpointProvider, ClientHttpRequestFactory requestFactory) {
    // Start from the builder the base configuration creates (endpoint + request factory)
    RestTemplateBuilder restTemplateBuilder = super.restTemplateBuilder(endpointProvider, requestFactory);
    // Send the namespace on every request, otherwise Vault Enterprise answers 403 "permission denied"
    restTemplateBuilder.defaultHeader(VaultConstant.NAMESPACE_HEADER, vaultConfig.getNamespace());
    return restTemplateBuilder;
}
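As an added example (not code from the thread, the project, or Spring Vault itself), the following configuration class puts the fix mp911de describes next to the AppRole setup the reporter's YAML asks for. It uses Spring Vault's own constant `VaultHttpHeaders.VAULT_NAMESPACE` instead of a hand-written header name, so the header string cannot drift from what Vault expects. The endpoint, namespace, path, role-id and secret-id values are placeholders; `MyVaultProperties` is a hypothetical properties class standing in for whatever binds the reporter's `application.yml`, and `RoleId.provided(...)`/`SecretId.provided(...)` assume the push mode where both ids are supplied directly rather than pulled from Vault.

```java
package com.example.configserver;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.ClientHttpRequestFactory;
import org.springframework.vault.authentication.AppRoleAuthentication;
import org.springframework.vault.authentication.AppRoleAuthenticationOptions;
import org.springframework.vault.authentication.AppRoleAuthenticationOptions.RoleId;
import org.springframework.vault.authentication.AppRoleAuthenticationOptions.SecretId;
import org.springframework.vault.authentication.ClientAuthentication;
import org.springframework.vault.client.RestTemplateBuilder;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.client.VaultEndpointProvider;
import org.springframework.vault.client.VaultHttpHeaders;
import org.springframework.vault.config.AbstractVaultConfiguration;

/**
 * Vault client configuration for a Config Server that must talk to a
 * namespaced (Enterprise) Vault using AppRole. AbstractVaultConfiguration does
 * not add the namespace header itself, so the login call would be rejected
 * with 403 "permission denied" unless we add it to every request.
 */
@Configuration
public class NamespacedAppRoleVaultConfiguration extends AbstractVaultConfiguration {

    // Hypothetical properties holder bound from application.yml (host, port,
    // scheme, namespace, role-id, secret-id, app-role-path).
    private final MyVaultProperties props;

    public NamespacedAppRoleVaultConfiguration(MyVaultProperties props) {
        this.props = props;
    }

    @Override
    public VaultEndpoint vaultEndpoint() {
        // Placeholder values: e.g. host "myvault.com", port 443, scheme "https"
        VaultEndpoint endpoint = VaultEndpoint.create(props.getHost(), props.getPort());
        endpoint.setScheme(props.getScheme());
        return endpoint;
    }

    @Override
    public ClientAuthentication clientAuthentication() {
        // Push mode: role-id and secret-id are handed to the client directly.
        // The login POST goes to /v1/auth/<path>/login and needs the namespace
        // header added below, otherwise the namespaced auth mount is invisible.
        AppRoleAuthenticationOptions options = AppRoleAuthenticationOptions.builder()
                .path(props.getAppRolePath())                  // e.g. "approle"
                .roleId(RoleId.provided(props.getRoleId()))     // placeholder id
                .secretId(SecretId.provided(props.getSecretId())) // placeholder id
                .build();
        return new AppRoleAuthentication(options, restOperations());
    }

    @Override
    protected RestTemplateBuilder restTemplateBuilder(VaultEndpointProvider endpointProvider,
                                                      ClientHttpRequestFactory requestFactory) {
        RestTemplateBuilder builder = super.restTemplateBuilder(endpointProvider, requestFactory);
        String namespace = props.getNamespace(); // e.g. "test-name"
        if (namespace != null && !namespace.isBlank()) {
            // X-Vault-Namespace on every request: login, token lookup and KV reads alike.
            builder.defaultHeader(VaultHttpHeaders.VAULT_NAMESPACE, namespace);
        }
        return builder;
    }
}
```

The null/blank guard matters when the same configuration is reused against a non-namespaced (OSS) Vault: sending an empty namespace header is not the same as sending none. A quick way to confirm the header is actually leaving the process is to run the Config Server with `logging.level.org.apache.hc.client5.http=DEBUG` (or the equivalent for the HTTP client in use) and check that the `/v1/auth/approle/login` request carries `X-Vault-Namespace` before looking further into Vault policies.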