Closed annagalingam closed 1 year ago
I see Spring Vault supports APPROLE but I don't see it documented in Spring Cloud Vault which is what Spring Cloud Config uses. @mp911de is it supported in Spring Cloud Vault?
@ryanjbaxter Now getting the below error when the get secret-id API is called. I analyzed and found that the "X-Vault-Namespace" header is not being passed in the request, hence this error from the vault.
403 Forbidden: "{"errors":["1 error occurred:\n\t* permission denied\n\n"]}
But I see https://github.com/spring-cloud/spring-cloud-config/pull/1566 PR has fixed that namespace issue. But still, I'm getting the error.
I added "spring-vault-core" dependency in my pom.
Am I missing something here?
Yes, Spring Cloud Vault supports AppRole authentication. Configuring this authentication mechanism comes with a bit of complexity as there are push/pull modes associated with SecretId and RoleId.
You can find the reference docs for Spring Cloud Vault AppRole auth at https://docs.spring.io/spring-cloud-vault/docs/current/reference/html/#approle-authentication
@mp911de Yes followed the same document.
I'll share all my config again. Please check and let me know if I am missing anything here.
pom.xml
application.xml
Java
Error: org.springframework.vault.authentication.VaultLoginException: Cannot get Role id using AppRole: 1 error occurred:
I analyzed and found that the "X-Vault-Namespace" header is not being passed in the request, hence this error from the vault.
Do you think I should include something here?
Apologies for the image.
AbstractVaultConfiguration doesn't configure the namespace interceptor. The easiest way to include namespace support is overriding AbstractVaultConfiguration.restTemplateBuilder(…) and add a default header through builder.defaultHeader(VaultHttpHeaders.VAULT_NAMESPACE, this.vaultProperties.getNamespace()).
Spring Cloud Vault handles this aspect out of the box; Spring Cloud Config would need to adapt to that.
@mp911de, thanks for your response. I have overridden restTemplateBuilder and passed the namespace, and it's working now.

    @Override
    protected RestTemplateBuilder restTemplateBuilder(VaultEndpointProvider endpointProvider, ClientHttpRequestFactory requestFactory) {
        RestTemplateBuilder restTemplateBuilder = super.restTemplateBuilder(endpointProvider, requestFactory);
        // Send the namespace header with every request made through this builder
        restTemplateBuilder.defaultHeader(VaultConstant.NAMESPACE_HEADER, vaultConfig.getNamespace());
        return restTemplateBuilder;
    }
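As an added example (not code from any participant in this thread or from the Spring projects), here is a complete Spring Vault configuration class that combines AppRole login with the namespace header discussed above and skips the header when no namespace is set. The `example.vault.*` property names and the class name are hypothetical, and push mode with a provided RoleId and SecretId is assumed.

```java
import java.net.URI;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.ClientHttpRequestFactory;
import org.springframework.util.StringUtils;
import org.springframework.vault.authentication.AppRoleAuthentication;
import org.springframework.vault.authentication.AppRoleAuthenticationOptions;
import org.springframework.vault.authentication.AppRoleAuthenticationOptions.RoleId;
import org.springframework.vault.authentication.AppRoleAuthenticationOptions.SecretId;
import org.springframework.vault.authentication.ClientAuthentication;
import org.springframework.vault.client.RestTemplateBuilder;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.client.VaultEndpointProvider;
import org.springframework.vault.client.VaultHttpHeaders;
import org.springframework.vault.config.AbstractVaultConfiguration;

// Added example. The example.vault.* property names are hypothetical.
@Configuration
public class NamespacedAppRoleVaultConfig extends AbstractVaultConfiguration {
    private String prop(String key) {
        return getEnvironment().getRequiredProperty(key);
    }

    @Override
    public VaultEndpoint vaultEndpoint() {
        return VaultEndpoint.from(URI.create(prop("example.vault.uri")));
    }

    @Override
    public ClientAuthentication clientAuthentication() {
        AppRoleAuthenticationOptions options = AppRoleAuthenticationOptions.builder()
                .roleId(RoleId.provided(prop("example.vault.role-id")))
                .secretId(SecretId.provided(prop("example.vault.secret-id")))
                .build();
        // restOperations() is created through restTemplateBuilder(...) below,
        // so the AppRole login request also carries X-Vault-Namespace.
        return new AppRoleAuthentication(options, restOperations());
    }

    @Override
    protected RestTemplateBuilder restTemplateBuilder(VaultEndpointProvider endpointProvider,
            ClientHttpRequestFactory requestFactory) {
        RestTemplateBuilder builder = super.restTemplateBuilder(endpointProvider, requestFactory);
        String namespace = getEnvironment().getProperty("example.vault.namespace", "");
        if (StringUtils.hasText(namespace)) { // skip the header when no namespace is set
            builder.defaultHeader(VaultHttpHeaders.VAULT_NAMESPACE, namespace);
        }
        return builder;
    }
}
```

Because the properties are resolved through the Spring `Environment`, the SecretId can be supplied from an environment variable or another external property source rather than a committed file.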
Describe the bug
I have configured the Config Server to use Vault as backend and tried to use the authentication mechanism of APPROLE; it neither does any authentication nor connects to the Vault.
I'm using spring boot 3.0.3, Java 17.
Sample application.yml
-- Am I missing any other setup?