I use this example to set up a cloud-config service, with another Spring application which uses Vault to get some secrets.
If I use the root token, everything works correctly.
But once I create a service token with the policy:
path "secret/data/test*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "secret/test*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
I can validate it with
$ vault token capabilities secret/test
create, delete, list, read, update
and with curl
$ curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
http://<dns-name>:8200/v1/secret/data/test | jq .
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 302 100 302 0 0 2796 0 --:--:-- --:--:-- --:--:-- 2796
{
"request_id": "44b5fdcf-a13c-8e12-83f3-a5064f25257d",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"data": {
"test-key": "test-value"
},
"metadata": {
"created_time": "2020-04-09T21:11:28.899688798Z",
"deletion_time": "",
"destroyed": false,
"version": 1
}
},
"wrap_info": null,
"warnings": null,
"auth": null
}
But once I start using this token with the application, it returns:
2020-04-10 13:38:43.186 DEBUG 43843 --- [nio-8888-exec-1] org.apache.http.wire: http-outgoing-0 >> "GET /v1/secret/data/test HTTP/1.1[\r][\n]"
http-outgoing-0 >> "X-Vault-Token: <TOKEN>[\r][\n]"
Response 403 FORBIDDEN
Comment From: spencergibb
Are you saying that the token is being sent correctly to vault but still results in 403?
Comment From: romankydybets
Yes, once we replace the service token with the root token, everything starts working correctly.
For the service token I just create a policy and assign it during creation.
Comment From: spencergibb
I don't understand how this is an issue with spring cloud config if it's sending the correct token to vault.
Comment From: romankydybets
In the logs of spring-cloud-config, I see the token which was sent by the application.
But what the spring-cloud-config server sends to Vault, I have no idea.
Maybe some params are missing.
I opened an issue under the samples repo, but @ryanjbaxter closed it and told me to open it here.
Comment From: spencergibb
What is this log from?
2020-04-10 13:38:43.186 DEBUG 43843 --- [nio-8888-exec-1] org.apache.http.wire: http-outgoing-0 >> "GET /v1/secret/data/test HTTP/1.1[\r][\n]"
http-outgoing-0 >> "X-Vault-Token: <TOKEN>[\r][\n]"
Response 403 FORBIDDEN
Comment From: romankydybets
From the cloud-config-server, which was run in debug mode.
Comment From: spencergibb
What versions are you using?
Comment From: romankydybets
2.1.0.RELEASE
Comment From: spencergibb
I need a spring boot version and spring cloud release train version. 2.1.0 is ambiguous.
Comment From: romankydybets
spring-boot - 2.1.4.RELEASE
spring-cloud - 2.1.0.RELEASE
Comment From: spencergibb
there's no spring-cloud 2.1.0.RELEASE so I assume you mean spring-cloud-config.
Things have changed over almost a year and a half (we need to update the sample). Can you update to spring-boot 2.2.6 and spring-cloud Hoxton.SR3 (spring-cloud-config 2.2.2.RELEASE) and try again?
Comment From: romankydybets
@spencergibb, unfortunately, it doesn't work.
I think maybe vault should have some additional configuration, but I don't know which.
2020-04-15 20:12:03.037 WARN 26715 --- [ main] c.c.c.ConfigServicePropertySourceLocator : Could not locate PropertySource: {"timestamp":"2020-04-15T18:12:03.028+0000","status":500,"error":"Internal Server Error","message":"403 Forbidden: [{\"errors\":[\"1 error occurred:\\n\\t* permission denied\\n\\n\"]}\n]","path":"<PATH>"}
Comment From: spencergibb
Can you provide a complete, minimal, verifiable sample that reproduces the problem? It should be available as a GitHub (or similar) project or attached to this issue as a zip file.
Comment From: romankydybets
@spencergibb, we found out one thing: if I add an empty secret/application/<Environment>, it starts getting data from Vault with my newly created policy.
Maybe you have some ideas about what is missing in the configuration?
Comment From: romankydybets
I found out one thing: if I add an empty secret/application/<Environment>, it starts getting data from Vault with my newly created policy.
The policy for this fake application looks like this:
policy name - application
path "secret/application*" {
  capabilities = ["read", "list"]
}
path "secret/data/application*" {
  capabilities = ["read", "list"]
}
And for the right application:
policy name - <APP-name>
path "secret/<APP-NAME>*" {
  capabilities = ["read", "list"]
}
path "secret/data/<APP-NAME>*" {
  capabilities = ["read", "list"]
}
And token creation would look like this:
vault token create -policy=<APP-NAME> -policy=application
And that is how you can use your spring-cloud-config service.
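The 403 at the top of the thread and the fix in this last comment come down to one thing: the config server reads more than one Vault path for an application, and a token whose policy only covers the application's own path is denied on the shared "application" path, which fails the whole property-source lookup. The following is an added example (not code from the issue, from Spring Cloud Config or from Vault): a small Python model of Vault policy evaluation that parses the two policy sets from this thread and replays them against the paths a config server reads for application `test`. The request paths and the profile name `dev` are assumptions, and the matching rule is a simplification of Vault's (exact match beats glob, longest glob wins, no match means deny).

```python
import re

# Parses the subset of Vault policy HCL used in this thread:
#   path "<glob>" { capabilities = ["read", "list"] }
RULE_RE = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S
)


def parse_policy(text):
    """Return {rule_path: set_of_capabilities} for one policy document."""
    rules = {}
    for rule_path, caps in RULE_RE.findall(text):
        rules[rule_path] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return rules


def rule_matches(rule_path, request_path):
    """Exact match, or prefix match when the rule ends in '*' (simplified Vault glob)."""
    if rule_path.endswith("*"):
        return request_path.startswith(rule_path[:-1])
    return rule_path == request_path


def capabilities_for(policies, request_path):
    """Capabilities the token's attached policies grant on request_path.

    Assumed simplification of Vault's evaluation: an exact-path rule beats any
    glob, a longer glob beats a shorter one, rules tied at the winning length
    have their capabilities unioned, and no matching rule at all means deny.
    """
    best_score, caps = -1, set()
    for rules in policies.values():
        for rule_path, rule_caps in rules.items():
            if not rule_matches(rule_path, request_path):
                continue
            # exact rules rank above every glob; among globs the longest prefix wins
            score = (10_000 if not rule_path.endswith("*") else 0) + len(rule_path)
            if score > best_score:
                best_score, caps = score, set(rule_caps)
            elif score == best_score:
                caps |= rule_caps
    return caps


def check_requests(policies, request_paths, needed=("read",)):
    """Map each request path to True (allowed) or False (Vault would answer 403)."""
    return {p: all(n in capabilities_for(policies, p) for n in needed) for p in request_paths}


# The policy from the top of the thread: only the 'test' application's paths.
TEST_ONLY = {
    "test": parse_policy('''
path "secret/data/test*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "secret/test*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
'''),
}

# The fix from the end of the thread: a second policy covering the shared
# "application" key, attached to the same token (-policy=test -policy=application).
WITH_APPLICATION = dict(TEST_ONLY)
WITH_APPLICATION["application"] = parse_policy('''
path "secret/application*" {
  capabilities = ["read", "list"]
}
path "secret/data/application*" {
  capabilities = ["read", "list"]
}
''')

# Constructed sample of the KV v2 paths a config server reads for application
# "test": its own key and the shared "application" key, each with and without
# the profile ("dev" is assumed here; the exact path layout depends on settings).
CONFIG_SERVER_READS = [
    "secret/data/test",
    "secret/data/test/dev",
    "secret/data/application",
    "secret/data/application/dev",
]


def denied_paths(policies, request_paths=CONFIG_SERVER_READS):
    """Paths in request_paths on which the given policies would be denied."""
    return [p for p, ok in check_requests(policies, request_paths).items() if not ok]


if __name__ == "__main__":
    print("test-only policy denies:       ", denied_paths(TEST_ONLY))
    print("with 'application' policy denies:", denied_paths(WITH_APPLICATION))
```

Running it shows the test-only policy denying both `secret/data/application` paths, which is the single "permission denied" that surfaces as the 500/403 in the config server log, while the two-policy token is allowed everywhere. One caveat the model also makes visible: a trailing glob such as `secret/data/test*` is a prefix match, so it also grants full capabilities on any sibling path that happens to start with `test`; for a read-only config client, `["read", "list"]` on a tightly scoped prefix, as in the final policies, is the safer shape.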
Comment From: spencergibb
closing as solved