Problem
I'm trying to use spring-vault in my application with dynamic secret rotation for the database.
All secret renewals and rotations are working fine until the login token expires. On token expiration all secrets are correctly rotated, but on the next renewal the following exception is thrown
org.springframework.vault.VaultException: Cannot renew lease
at org.springframework.vault.core.lease.SecretLeaseContainer.doRenewLease(SecretLeaseContainer.java:766)
at org.springframework.vault.core.lease.SecretLeaseContainer.renewAndSchedule(SecretLeaseContainer.java:644)
at org.springframework.vault.core.lease.SecretLeaseContainer.lambda$scheduleLeaseRenewal$4(SecretLeaseContainer.java:636)
at org.springframework.vault.core.lease.SecretLeaseContainer$LeaseRenewalScheduler$1.run(SecretLeaseContainer.java:937)
at org.springframework.scheduling.support.DelegatingErrorHandlingRunnable.run(DelegatingErrorHandlingRunnable.java:54)
at org.springframework.scheduling.concurrent.ReschedulingRunnable.run(ReschedulingRunnable.java:96)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: java.lang.NullPointerException: Cannot invoke "org.springframework.vault.core.lease.SecretLeaseContainer$LeaseRenewalScheduler.isLeaseRenewable(org.springframework.vault.core.lease.domain.Lease, org.springframework.vault.core.lease.domain.RequestedSecret)" because "renewalScheduler" is null
at org.springframework.vault.core.lease.SecretLeaseContainer.doStart(SecretLeaseContainer.java:408)
at org.springframework.vault.core.lease.SecretLeaseContainer.onLeaseExpired(SecretLeaseContainer.java:810)
at org.springframework.vault.core.lease.SecretLeaseContainer.doRenewLease(SecretLeaseContainer.java:742)
... 11 more
The void restartSecrets() method in the SecretLeaseContainer seems to cancel and clear all stored renewals on login token expiration, but the newly created LeaseRenewalScheduler used to rotate the secret is never added to the stored renewals. This seem to cause the above exception when the next rotation is attempted.
Hey,
Problem I'm trying to use spring-vault in my application with dynamic secret rotation for the database.
All secret renewals and rotations are working fine until the login token expires. On token expiration all secrets are correctly rotated, but on the next renewal the following exception is thrown
The
void restartSecrets()
method in theSecretLeaseContainer
seems to cancel and clear all stored renewals on login token expiration, but the newly created LeaseRenewalScheduler used to rotate the secret is never added to the stored renewals. This seem to cause the above exception when the next rotation is attempted.Authentication is done using APPROLE credentials