I use such example to set-up cloud-config service, with another spring application which is used vault to get some secrets.

If I using root token everything is working correctly.

But once I create service token with policy:

path "secret/data/test*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

path "secret/test*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

I can validate it with

$vault token capabilities secret/test
create, delete, list, read, update

and with curl

$ curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
http://<dns-name>:8200/v1/secret/data/test | jq .
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   302  100   302    0     0   2796      0 --:--:-- --:--:-- --:--:--  2796
{
  "request_id": "44b5fdcf-a13c-8e12-83f3-a5064f25257d",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "data": {
      "test-key": "test-value"
    },
    "metadata": {
      "created_time": "2020-04-09T21:11:28.899688798Z",
      "deletion_time": "",
      "destroyed": false,
      "version": 1
    }
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}

but once I start using this token with the application it returns

2020-04-10 13:38:43.186 DEBUG 43843 --- [nio-8888-exec-1] org.apache.http.wire: http-outgoing-0 >> “GET /v1/secret/data/test HTTP/1.1[\r][\n]”
http-outgoing-0 >> “X-Vault-Token: <TOKEN>[\r][\n]”
Response 403 FORBIDDEN

Comment From: spencergibb

Are you saying that the token is being sent correctly to vault but still results in 403?

Comment From: romankydybets

yes, once we replace service token with root token, everything starts working correctly. for the service token I just create policy and assigned it during creation.

Comment From: spencergibb

I don't understand how this is an issue with spring cloud config if it's sending the correct token to vault.

Comment From: romankydybets

in the logs of the spring-cloud-config, I see that token, which was sent by the application. but how spring-cloud-config server is sent to the vault I have no idea. Maybe some params missed. i open issue under samples repo but @ryanjbaxter is closed it and told me to open it here.

Comment From: spencergibb

What is this log from?

2020-04-10 13:38:43.186 DEBUG 43843 --- [nio-8888-exec-1] org.apache.http.wire: http-outgoing-0 >> “GET /v1/secret/data/test HTTP/1.1[\r][\n]”
http-outgoing-0 >> “X-Vault-Token: <TOKEN>[\r][\n]”
Response 403 FORBIDDEN

Comment From: romankydybets

from the cloud-config-server which was run with debug mode.

Comment From: spencergibb

What versions are you using?

Comment From: romankydybets

2.1.0.RELEASE

Comment From: spencergibb

I need a spring boot version and spring cloud release train version. 2.1.0 is ambiguous.

Comment From: romankydybets

spring-boot - 2.1.4.RELEASE spring-cloud - 2.1.0.RELEASE

Comment From: spencergibb

there's no spring-cloud 2.1.0.RELEASE so I assume you mean spring-cloud-config.

Things have changed over almost a year and half (we need to update the sample). Can you update to spring-boot 2.2.6 and spring-cloud Hoxton.SR3 (spring-cloud-config 2.2.2.RELEASE) and try again.

Comment From: romankydybets

@spencergibb, unfortunately, it doesn't work. I think maybe vault should have some additional configuration, but I don't know which. 2020-04-15 20:12:03.037 WARN 26715 --- [ main] c.c.c.ConfigServicePropertySourceLocator : Could not locate PropertySource: {“timestamp”:“2020-04-15T18:12:03.028+0000",“status”:500,“error”:“Internal Server Error”,“message”:“403 Forbidden: [{\“errors\“:[\“1 error occurred:\\n\\t* permission denied\\n\\n\“]}\n]“,”path”:“<PATH>”}

Comment From: spencergibb

Can you provide a complete, minimal, verifiable sample that reproduces the problem? It should be available as a GitHub (or similar) project or attached to this issue as a zip file.

Comment From: romankydybets

@spencergibb we find out one thing, that if I add empty secret/application/<Environment> it starts getting data from the vault with my newly created policy. maybe you have some ideas, what is missed under configuration?

Comment From: romankydybets

I find out one thing, that if I add empty secret/application/<Environment> it starts getting data from the vault with my newly created policy. and policy for this fake application look like this

policy name - application

path "secret/application*" {
  capabilities = ["read","list"]
}

path "secret/data/application*" {
  capabilities = ["read", "list"]
}

and for the right application policy name - <APP-name>

path "secret/<APP-NAME>*" {
  capabilities = ["read", "list"]
}

path "secret/data/<APP-NAME>*" {
  capabilities = ["read", "list"]
}

and token creation would look like this

vault token create -policy=<APP-NAME> -policy=application

and how you can use your spring-cloud-config service.

Comment From: spencergibb

closing as solved