spring-projects / spring-vault

Provides familiar Spring abstractions for HashiCorp Vault
https://spring.io/projects/spring-vault
Apache License 2.0

SecretLeaseContainer not aware of Vault Session token expiry #815

Closed sczachariah closed 1 year ago

sczachariah commented 1 year ago

Hello,

We have implemented database dynamic credentials using spring cloud vault bootstrap properties and utilising VaultLeaseConfig similar to the approach here (https://secrets-as-a-service.com/posts/hashicorp-vault/rotate-dynamic-relational-database-connection-in-spring-at-runtime/#:~:text=To%20rotate%20the%20database%20credentials,to%20use%20the%20new%20credentials) for updating the hikari properties at runtime when the dynamic credentials change.

But we hit a snag every now and then when the session token expires.

So vault drops all the existing leases, including the database dynamic role lease, when the session token expires, irrespective of the ttl on the dynamic role.

It seems SecretLeaseContainer is not aware of when the session token expires. As a result the SecretLeaseExpiredEvent is not fired and the application goes into a fail state due to invalid db credentials, until the SecretLeaseContainer counts down on the ttl and fires the next SecretLeaseExpiredEvent.

Related Issue: https://github.com/spring-cloud/spring-cloud-vault/issues/698
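The rotation wiring the report describes, written out as an added example (it is not code from the issue, the linked post, or the spring-vault project). It assumes the linked post's approach, a HikariCP pool whose credentials are refreshed from a rotating RequestedSecret, and a constructed secret path; the comments mark where the gap reported above sits.

```java
import java.util.Map;
import com.zaxxer.hikari.HikariDataSource;
import org.springframework.vault.core.lease.SecretLeaseContainer;
import org.springframework.vault.core.lease.domain.RequestedSecret;
import org.springframework.vault.core.lease.event.SecretLeaseCreatedEvent;
import org.springframework.vault.core.lease.event.SecretLeaseExpiredEvent;

public class DynamicDbCredentialRotator {

    // Constructed example path; the real role name lives in your Vault database mount.
    private static final String DB_CREDS_PATH = "database/creds/app-role";

    private final SecretLeaseContainer leaseContainer;
    private final HikariDataSource dataSource;

    public DynamicDbCredentialRotator(SecretLeaseContainer leaseContainer, HikariDataSource dataSource) {
        this.leaseContainer = leaseContainer;
        this.dataSource = dataSource;
    }

    public void register() {
        // A rotating secret is re-read by the container when its lease can no longer be renewed.
        RequestedSecret secret = RequestedSecret.rotating(DB_CREDS_PATH);

        leaseContainer.addLeaseListener(event -> {
            if (!secret.getPath().equals(event.getSource().getPath())) {
                return; // ignore events for other requested secrets
            }
            if (event instanceof SecretLeaseCreatedEvent) {
                // Fired on the initial read and again after each rotation: push the new pair into the pool.
                Map<String, Object> secrets = ((SecretLeaseCreatedEvent) event).getSecrets();
                applyCredentials((String) secrets.get("username"), (String) secrets.get("password"));
            } else if (event instanceof SecretLeaseExpiredEvent) {
                // Driven by the container's own TTL countdown. As the issue reports, Vault revoking
                // the lease because the session token expired does not produce this event early.
            }
        });
        leaseContainer.addRequestedSecret(secret);
    }

    void applyCredentials(String username, String password) {
        dataSource.getHikariConfigMXBean().setUsername(username);
        dataSource.getHikariConfigMXBean().setPassword(password);
        // Evict idle connections so new checkouts authenticate with the fresh credentials
        // (the pool MXBean is only available once the pool has started).
        dataSource.getHikariPoolMXBean().softEvictConnections();
    }
}
```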

sczachariah commented 1 year ago

Could find some wording along those lines in the HashiCorp docs:

https://developer.hashicorp.com/vault/docs/concepts/tokens#:~:text=After%20the%20current%20TTL%20is%20up%2C%20the%20token%20will%20no%20longer%20function%20%2D%2D%20it%2C%20and%20its%20associated%20leases%2C%20are%20revoked.

After the current TTL is up, the token will no longer function -- it, and its associated leases, are revoked