spring-cloud / spring-cloud-vault

Configuration Integration with HashiCorp Vault
http://cloud.spring.io/spring-cloud-vault/
Apache License 2.0

spring.cloud.vault.kv.profiles does not override the spring active profiles for use in the key-value backend #732

Open PetrivMykola opened 1 month ago

PetrivMykola commented 1 month ago

Describe the bug

We need to disable the Spring profiles and override them with spring.cloud.vault.kv.profiles, because it is causing a 403, as the Vault policy does not allow access to the Spring profiles.

Current spring profiles: api-docs, dev.

Vault policy:

path "secret_kv/data/applicationA/sandbox" { capabilities = ["list", "read"] }

Spring yml file:

spring: config: import:

Spring log:

15:42:28.767 [restartedMain] ERROR org.springframework.boot.SpringApplication - Application run failed org.springframework.vault.VaultException: Status 403 Forbidden [secret_kv/data/applicationA/api-docs]: 1 error occurred:

; nested exception is org.springframework.web.client.HttpClientErrorException$Forbidden: 403 Forbidden: [{"errors":["1 error occurred:\n\t* permission denied\n\n"]} ]

It is trying to connect to api-docs, which is a Spring profile, and fails due to the policy on the Vault side.

Moreover, it seems like spring.cloud.vault.kv.profiles = sandbox is completely ignored. When I fix the permissions to:

path "secret_kv/data/applicationA/sandbox" { capabilities = ["list", "read"] }

path "secret_kv/data/applicationA/*" { capabilities = ["list", "read"] }

path "secret_kv/data/applicationA" { capabilities = ["list", "read"] }

Spring log :

Requesting secrets from Vault at secret_kv/applicationA/api-docs using ROTATE
Vault location [secret_kv/applicationA/api-docs] not resolvable: Not found
Requesting secrets from Vault at secret_kv/applicationA/dev using ROTATE
Requesting secrets from Vault at secret_kv/applicationA using ROTATE
Vault location [secret_kv/applicationA] not resolvable: Not found

It retrieved passwords from secret_kv/applicationA/dev and ignored sandbox.

Not sure if this fix works: https://github.com/spring-cloud/spring-cloud-vault/commit/9bec609b8d7e6a3e86a777ff54adeb74de9d8e25 ("profiles overrides the active profiles for use in the key-value backend").

Our version:

Manifest-Version: 1.0
Implementation-Title: Spring Cloud Vault Configuration Integration
Implementation-Version: 3.0.2
Build-Jdk-Spec: 1.8
Created-By: Maven Jar Plugin 3.2.0
Implementation-Vendor: Pivotal Software, Inc.

PetrivMykola commented 1 month ago

VaultConfigDataLocationResolver seems to override the profiles with the Spring active profiles:

import org.springframework.boot.context.config.ConfigDataLocationResolverContext;
import org.springframework.boot.context.config.Profiles;
import org.springframework.boot.context.properties.bind.Binder;
import org.springframework.cloud.vault.config.VaultKeyValueBackendProperties;

// Excerpt of VaultConfigDataLocationResolver as posted in the issue
private static VaultKeyValueBackendProperties getKeyValueProperties(ConfigDataLocationResolverContext context, Profiles profiles) {
    // Binds spring.cloud.vault.kv.*, which includes any configured spring.cloud.vault.kv.profiles
    VaultKeyValueBackendProperties kvProperties = context.getBinder().bindOrCreate("spring.cloud.vault.kv", VaultKeyValueBackendProperties.class);
    Binder binder = context.getBinder();
    // Application name fallback chain: kv.application-name -> vault.application-name -> spring.application.name
    kvProperties.setApplicationName(binder.bind("spring.cloud.vault.kv.application-name", String.class).orElseGet(() -> {
        return binder.bind("spring.cloud.vault.application-name", String.class).orElseGet(() -> {
            return binder.bind("spring.application.name", String.class).orElse("");
        });
    }));
    kvProperties.setProfiles(profiles.getActive());  // <<< Here: the bound kv.profiles value is replaced by the active Spring profiles
    return kvProperties;
}
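An illustrative rewrite of that method in which an explicitly configured spring.cloud.vault.kv.profiles wins and the active Spring profiles are only the fallback, so the application only requests the KV paths its Vault policy is scoped to. This is an added example, not the project's code and not the referenced commit; it assumes the Spring Boot Binder/Profiles and VaultKeyValueBackendProperties APIs used in the excerpt above.

```java
import java.util.Collections;
import java.util.List;

import org.springframework.boot.context.config.ConfigDataLocationResolverContext;
import org.springframework.boot.context.config.Profiles;
import org.springframework.boot.context.properties.bind.Bindable;
import org.springframework.boot.context.properties.bind.Binder;
import org.springframework.cloud.vault.config.VaultKeyValueBackendProperties;

// Hypothetical helper (not part of spring-cloud-vault) showing the precedence a
// least-privilege setup needs: configured kv.profiles first, active profiles second.
final class KeyValueProfileResolution {

    private KeyValueProfileResolution() {
    }

    static VaultKeyValueBackendProperties getKeyValueProperties(ConfigDataLocationResolverContext context,
            Profiles profiles) {

        Binder binder = context.getBinder();
        VaultKeyValueBackendProperties kvProperties = binder.bindOrCreate("spring.cloud.vault.kv",
                VaultKeyValueBackendProperties.class);

        // Same application-name fallback chain as the original resolver.
        kvProperties.setApplicationName(binder.bind("spring.cloud.vault.kv.application-name", String.class)
                .orElseGet(() -> binder.bind("spring.cloud.vault.application-name", String.class)
                        .orElseGet(() -> binder.bind("spring.application.name", String.class).orElse(""))));

        // Read spring.cloud.vault.kv.profiles explicitly. Only when nothing was configured
        // do we fall back to the active Spring profiles (api-docs, dev in the issue); with
        // kv.profiles=sandbox the resolver will request .../applicationA/sandbox and not
        // .../applicationA/api-docs, which the Vault policy denies.
        List<String> configuredProfiles = binder
                .bind("spring.cloud.vault.kv.profiles", Bindable.listOf(String.class))
                .orElse(Collections.emptyList());

        kvProperties.setProfiles(configuredProfiles.isEmpty() ? profiles.getActive() : configuredProfiles);
        return kvProperties;
    }
}
```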