spring-cloud / spring-cloud-vault

Configuration Integration with HashiCorp Vault
http://cloud.spring.io/spring-cloud-vault/
Apache License 2.0

Config server - APPROLE authn initial token renewal. #680

Closed annagalingam closed 1 year ago

annagalingam commented 1 year ago

Describe the bug

I have configured the Config Server to use Vault as a backend and tried to use the APPROLE authentication mechanism with the pull method. I need to renew the initial login token that has a TTL of 30 days. This is the token I'm using to get the role and secret id.

I'm using spring boot 3.0.3, Java 17.

Pom.xml

    <dependency>
        <groupId>org.springframework.vault</groupId>
        <artifactId>spring-vault-core</artifactId>
    </dependency>

    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-config-server</artifactId>
    </dependency>

Java config

    @Override
    public ClientAuthentication clientAuthentication() {
        // Initial token: only used to pull the role id and secret id from Vault.
        VaultToken initialToken = VaultToken.of(getToken());
        AppRoleAuthenticationOptions options = AppRoleAuthenticationOptions.builder()
                .appRole(vaultConfig.getAppRole())
                .roleId(AppRoleAuthenticationOptions.RoleId.pull(initialToken))
                .secretId(AppRoleAuthenticationOptions.SecretId.pull(initialToken))
                .build();
        // The login itself (auth/approle/login) returns a separate client token.
        appRoleAuthentication = new AppRoleAuthentication(options, restOperations());
        return appRoleAuthentication;
    }

I want to renew this initial token. Is there a way to do that? I couldn't find any documents related to that. I'm generating the initial Vault token (getToken()) and passing it to the pull methods.

Note: the client token returned by the auth/approle/login API renews automatically every 5 mins.

mp911de commented 1 year ago

We do not have a way to rotate the initialToken. Currently, a restart is the only way to achieve rotation.
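
Renewing, as opposed to rotating, the initial token can be done outside the library by periodically calling Vault's `auth/token/renew-self` endpoint with that token, which extends its TTL without changing the token value that the pull methods already hold. The following is an added example, not code from this thread or from Spring Vault; the class name `InitialTokenRenewer` and the `vaultAddr` parameter are hypothetical. It assumes the token is renewable, that its policy permits `renew-self`, and that its maximum TTL has not been reached.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

/** Hypothetical helper (not part of Spring Vault): keeps the AppRole pull-mode initial token alive. */
public class InitialTokenRenewer {

    private final HttpClient http = HttpClient.newBuilder().connectTimeout(Duration.ofSeconds(5)).build();
    private final ScheduledExecutorService scheduler = Executors.newSingleThreadScheduledExecutor(r -> {
        Thread t = new Thread(r, "initial-token-renewer");
        t.setDaemon(true); // do not keep the JVM alive just for renewals
        return t;
    });
    private final URI renewSelf;
    private final String initialToken;

    public InitialTokenRenewer(String vaultAddr, String initialToken) {
        // Vault HTTP API: POST /v1/auth/token/renew-self renews the token sent in X-Vault-Token.
        this.renewSelf = URI.create(vaultAddr + "/v1/auth/token/renew-self");
        this.initialToken = initialToken;
    }

    /** Renews immediately and then once per period; pick a period well below the token TTL. */
    public void start(Duration period) {
        scheduler.scheduleAtFixedRate(this::renewOnce, 0, period.toSeconds(), TimeUnit.SECONDS);
    }

    void renewOnce() {
        HttpRequest request = HttpRequest.newBuilder(renewSelf)
                .timeout(Duration.ofSeconds(10))
                .header("X-Vault-Token", initialToken)
                .header("Content-Type", "application/json")
                .POST(HttpRequest.BodyPublishers.ofString("{}")) // no increment: Vault applies the token's own TTL
                .build();
        try {
            int status = http.send(request, HttpResponse.BodyHandlers.discarding()).statusCode();
            if (status != 200) {
                // Log the status only, never the token. Non-200 means the token is expired, not
                // renewable, or not permitted to renew itself: alert before the next AppRole login fails.
                System.err.println("Initial token renewal failed, HTTP status " + status);
            }
        } catch (Exception e) { // swallow so one failure does not cancel the schedule
            System.err.println("Initial token renewal error: " + e.getClass().getSimpleName());
            if (e instanceof InterruptedException) Thread.currentThread().interrupt();
        }
    }
}
```

Once the token's maximum TTL is reached, renewal stops extending it and a new initial token, and therefore a restart as described above, is still required.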