Problem

Does anyone know how to configure bootstrap.yml to tell Spring Cloud Vault to go to the correct path for KV v2 and not try other paths first?

Details

I can successfully connect to my Vault, running KV v2, but Spring Cloud will always try to connect to paths in the vault that don't exist, throwing a 403 on startup.

    Status 403 Forbidden [secret/application]: permission denied; nested exception is org.springframework.web.client.HttpClientErrorException$Forbidden: 403 Forbidden

The above path, secret/application, doesn't exist because KV v2 puts data in the path. For example: secret/data/application.

This isn't a show-stopper because Spring Cloud Vault does check other paths, including the correct one that has the data item in the path, but the fact a meaningless 403 is thrown during startup is like a splinter in my mind.

Ultimately, it does try the correct KV v2 path:

    2019-03-18 12:22:46.611  INFO 77685 --- [  restartedMain] b.c.PropertySourceBootstrapConfiguration : Located property source: CompositePropertySource {name='vault', propertySources=[LeaseAwareVaultPropertySource {name='secret/data/my-app'}

My configuration:

    spring.cloud.vault:
      kv:
        enabled: true
        backend: secret
        profile-separator: '/'
        default-context: my-app
        application-name: my-app
      host: localhost
      port: 8200
      scheme: http
      authentication: TOKEN
      token: my-crazy-long-token-string

Thanks for your help!

John Gordon

3 Answers

Add the following lines to your bootstrap.yml; this disables the generic backend:

    spring.cloud.vault:
      generic:
        enabled: false

For more information: https://cloud.spring.io/spring-cloud-vault/reference/html/#vault.config.backends.generic
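To make the startup behaviour in the question visible, here is an added example (mine, not Spring Cloud Vault's code) that models the context paths each backend reads for the question's configuration, with the generic backend enabled as in the question and disabled as in this answer. The defaults (application-name and default-context both "application") and the KV v2 `data/` infix follow the reference documentation as I read it; the precedence order and the handling of active profiles are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class BackendConfig:
    """Subset of spring.cloud.vault.{generic,kv}.* that decides which paths are read."""
    backend: str = "secret"
    application_name: str = "application"  # normally spring.application.name
    default_context: str = "application"
    profile_separator: str = "/"
    profiles: list[str] = field(default_factory=list)  # spring.profiles.active
    kv_v2: bool = False  # KV v2 stores values under <mount>/data/<key>


def contexts(cfg: BackendConfig) -> list[str]:
    """Paths one backend reads, highest precedence first (assumed order)."""
    prefix = f"{cfg.backend}/data/" if cfg.kv_v2 else f"{cfg.backend}/"
    paths: list[str] = []
    for name in (cfg.application_name, cfg.default_context):
        # profile-specific context before the plain one; last active profile first
        for profile in reversed(cfg.profiles):
            paths.append(prefix + name + cfg.profile_separator + profile)
        paths.append(prefix + name)
    # application-name == default-context collapses to a single path
    return list(dict.fromkeys(paths))


def startup_reads(generic_enabled: bool, kv: BackendConfig) -> list[str]:
    """All paths touched on startup: generic backend (if enabled) followed by KV."""
    reads: list[str] = []
    if generic_enabled:
        # The question sets application-name/default-context under kv.*, so the
        # generic backend keeps its own defaults and asks for secret/application,
        # which the token's policy does not cover: that is the 403 in the log.
        reads += contexts(BackendConfig(backend=kv.backend, profiles=kv.profiles))
    reads += contexts(kv)
    return reads


if __name__ == "__main__":
    # Constructed from the question's bootstrap.yml (kv.* block)
    question_cfg = BackendConfig(backend="secret", application_name="my-app",
                                 default_context="my-app", kv_v2=True)
    print("generic enabled :", startup_reads(True, question_cfg))
    print("generic disabled:", startup_reads(False, question_cfg))
```

With the generic backend enabled the first read is `secret/application`, matching the 403 in the question, and the KV v2 read `secret/data/my-app` matches the property source the log reports as located.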

In addition to the accepted answer, it's important to turn off (or just remove) the fail-fast option:

    spring.cloud.vault:
      fail-fast: false

spring.cloud.vault.generic.enabled is deprecated in spring-cloud 3.0.0, but the 403 error is still there. To disable the warning (by telling spring to use the exact context), this is what I used:

    spring:
      config:
        import: vault://
      application:
        name: my-application
      cloud:
        vault:
          host: localhost
          scheme: http
          authentication: TOKEN
          token: my-crazy-long-token-string
          kv:
            default-context: my-application

Other configs were set to default (such as port = 8200, backend = secret, etc.)

maximus