Closed (AnujaB219 closed this 1 month ago)
Make sure to import `import: vault://` to enable database mounts. Otherwise, `import: vault://db/oracle/dev` considers `db/oracle/dev` a key-value mount.

The other issue is that path `sec_kv/data/jks/mq/sit` doesn't match `sec_kv/cls-message-router/*` nor `sec_kv/application` roles. Please fix your roles or the respective application config.
I added `import: vault://` and set:

```yaml
kv:
  enabled: true
  backend: sec_kv
  default-context: jks/mq/sit
  profile-separator: /
  application-name: data/jks/mq/sit
```
The ACL policy had the below (access to sec_kv):

```hcl
path "sec*" {
  capabilities = ["create", "read", "update", "delete", "list", "patch"]
}
```

and I added:

```hcl
path "sec_kv/data/*" {
  capabilities = ["read"]
}
path "sec_kv/data/jks/mq/sit" {
  capabilities = ["read"]
}
```
which gave me the exception:

```
2024-09-10T13:26:55.185+10:00 INFO 857641 --- [message-router] [main] o.s.v.c.e.LeaseAwareVaultPropertySource : Vault location [sec_kv/data/jks/mq/sit] not resolvable: Not found
2024-09-10T13:26:55.185+10:00 INFO 857641 --- [message-router] [main] o.s.v.c.e.LeaseAwareVaultPropertySource : Vault location [sec_kv/data/jks/mq] not resolvable: Not found
2024-09-10T13:26:55.185+10:00 INFO 857641 --- [message-router] [main] o.s.v.c.e.LeaseAwareVaultPropertySource : Vault location [sec_kv/jks/mq] not resolvable: Not found
2024-09-10T13:26:55.611+10:00 WARN 857641 --- [message-router] [main] s.c.a.AnnotationConfigApplicationContext : Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanDefinitionStoreException: I/O failure while processing configuration class [org.springframework.cloud.vault.config.VaultHealthIndicatorConfiguration]
...
Caused by: java.io.FileNotFoundException: class path resource [org/springframework/boot/actuate/autoconfigure/health/CompositeHealthContributorConfiguration.class] cannot be opened because it does not exist
```
I updated `springbootVersion=3.3.3` and the below to:

```
"org.springframework.cloud:spring-cloud-starter-vault-config:4.1.3",
"org.springframework.cloud:spring-cloud-vault-config-databases:3.1.2",
```

I then get:

```
VaultTemplate created successfully from URI https://<host>:8200
2024-09-10T16:24:54.670+10:00 INFO 1439072 --- [message-router] [main] au.com.nab.service.VaultServiceAzure : Trying to read from Vault
2024-09-10T16:24:54.693+10:00 INFO 1439072 --- [message-router] [main] au.com.nab.service.VaultServiceAzure : Message I/O error on GET request for "https://<host>:8200/v1/sec_kv/data/jks/mq/sit": java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
2024-09-10T16:24:54.694+10:00 INFO 1439072 --- [message-router] [main] au.com.nab.service.VaultServiceAzure : java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext
```
I also tried removing the KV config from the properties, to just test with database:

```yaml
spring:
  config:
    activate:
      on-profile: sit
    import: vault://
  cloud:
    vault:
      azure-msi:
        azure-path: az/
```

Which leads to this:
Sep 10 17:03:48
Whereas the DB engine is at `db/oracle/dev` and I want to read details for a static role.
Issue:
The app is not able to read from Vault and fails with
CONFIG:
I have a HashiCorp Vault with the below secret engines:

```
$ vault version
Vault v1.16.2+ent (9ae30c2ae273xxxxx), built 2024-04-22T16:26:15Z

$ vault secrets list
Path              Type        Accessor          Description
db/oracle/dev/    database    database_xxxx     A database secret engine
sec_kv/           kv          kv_xxxxxx         A Key/Value secret store
...
```
Values I need to read from the Spring app:

```
$ vault kv get -mount="sec_kv" "jks/mq/sit"
======= Secret Path =======
sec_kv/data/jks/mq/sit

======= Metadata =======
Key                Value
created_time       2024-08-21T06:38:48.524009746Z
custom_metadata
deletion_time      n/a
destroyed          false
version            960

====== Data ======
Key         Value
password    XXX

$ vault read db/oracle/dev/static-creds/mydbuser
Key                    Value
last_vault_rotation    2024-08-30T12:32:35.605946627+10:00
password               xxxxxxxxxxxxx
rotation_period        2160h
ttl                    2040h50m14s
username               mydbuser
```
ACL Policy for appuser:

I am using the below:

```
"org.springframework.vault:spring-vault-core:3.1.2",
"org.springframework.cloud:spring-cloud-starter-vault-config:3.1.2",
"org.springframework.cloud:spring-cloud-vault-config-databases:3.1.2",
```

And Spring Boot version 3.3.0. I tried adding Revoke as mentioned in issue . But I still get the 403. Any idea please?
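Added example (not from this thread, Spring Cloud Vault or HashiCorp): a small Python checker that applies Vault's policy path-matching rules (exact match, trailing `*` prefix glob, `+` single-segment wildcard, and the priority ordering from Vault's policy docs) to the `sec*` / `sec_kv/data/*` rules posted in the reply above. It shows which capabilities those rules grant on the KV v2 data path and that the database static-creds path `db/oracle/dev/static-creds/mydbuser` matches no rule at all, which Vault answers with a 403; the policy dictionary and the `+` handling are constructed for the example.

```python
import re

# Policy rules as posted in the thread's reply (constructed mapping for this example).
POLICY = {
    "sec*": ["create", "read", "update", "delete", "list", "patch"],
    "sec_kv/data/*": ["read"],
    "sec_kv/data/jks/mq/sit": ["read"],
}


def rule_to_regex(rule: str) -> "re.Pattern":
    """Translate one Vault policy path into a regex.

    Vault semantics: a trailing '*' is a prefix glob, '+' matches exactly one
    path segment, and everything else must match literally.
    """
    glob = rule.endswith("*")
    body = rule[:-1] if glob else rule
    pattern = "".join(r"[^/]+" if ch == "+" else re.escape(ch) for ch in body)
    return re.compile(pattern + (".*" if glob else ""))


def priority(rule: str) -> tuple:
    """Sort key from Vault's 'priority matching' rules; a larger tuple wins:
    later first wildcard, no trailing glob, fewer '+', longer, lexically larger."""
    first_wild = min((i for i, c in enumerate(rule) if c in "*+"), default=len(rule))
    return (first_wild, not rule.endswith("*"), -rule.count("+"), len(rule), rule)


def capabilities(policy: dict, path: str) -> set:
    """Capabilities the policy grants on `path`. Within one policy only the
    single highest-priority matching rule applies; no rule means implicit deny."""
    matching = [r for r in policy if rule_to_regex(r).fullmatch(path)]
    if not matching:
        return set()  # implicit deny: Vault returns HTTP 403 for this path
    return set(policy[max(matching, key=priority)])


def check_access(policy: dict, path: str, capability: str) -> bool:
    return capability in capabilities(policy, path)


if __name__ == "__main__":
    for p in ("sec_kv/data/jks/mq/sit", "sec_kv/data/jks/mq",
              "db/oracle/dev/static-creds/mydbuser"):
        print(p, "->", sorted(capabilities(POLICY, p)) or "DENIED")
```

Running it shows the KV path resolves to the exact-match rule (read only), while the database path gets no capabilities, so a separate `path "db/oracle/dev/static-creds/*"` rule with `read` would be needed before the database backend can be read.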