How do I use vault database secrets engine with Spring cloud config server - spring

I want my Spring Cloud Config Server to provide database credentials to all services. I'm getting confused between Vault Key-Value Secrets Engine and Vault Database Secrets Engine. With Key-Value Secrets, I'm able to retrieve configuration properties like this.
{"name":"demo","profiles":["vault"],"label":null,"version":null,"state":null,"propertySources":[{"name":"vault:application","source":{"mykey":"testkey"}}]}
However, with Vault Database Secrets Engine, I got nothing from propertySources. Should I use Key-Value Secrets and specify database properties like this instead:
// vault server key-value secrets
vault kv put secrets/application spring.data.mongodb.username=admin

Related

Spring Cloud Config resolve secret properties via Vault and Git

I want to use this scheme. I have a git repo with some config files, which contain secret props, e.g. a password. And I have Vault with secrets.
I want the Spring Cloud server to go to the repository and take the properties, and then go through the secret properties and take their values from the Vault.
Some property file in git:
endpoints:
  db:
    default-settings:
      credentials:
        login: test
        password: ${passwordInVault}
The value passwordInVault is stored in Vault. Before giving it to the client, I want it to be replaced with the real value from the Vault.
I didn't find anything like this in the documentation. Is it possible to implement this? Is there a link where I can read about it?
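The question above describes two property sources (git-backed files with `${...}` placeholders, and Vault-backed values) that must be merged before the placeholder can be filled. The following is an added example, not code from the question or from Spring Cloud Config: it models that merge-and-resolve step in plain Python, with the git map and the Vault map constructed inline, Spring's `${name:default}` default syntax, nested placeholders, and a cycle guard. The precedence order (Vault before git) and the sample values are assumptions for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample data (not real values): the flattened "source" map a
# git-backed property source would contribute, and the key/value map a
# Vault-backed property source would contribute.
GIT_SOURCE: Dict[str, str] = {
    "endpoints.db.default-settings.credentials.login": "test",
    "endpoints.db.default-settings.credentials.password": "${passwordInVault}",
    "endpoints.db.default-settings.url": "jdbc:db2://${db.host:localhost}:50000/bcupload",
}
VAULT_SOURCE: Dict[str, str] = {
    "passwordInVault": "example-secret-from-vault",
}

# Matches ${name} or ${name:default}; the default may be empty.
PLACEHOLDER = re.compile(r"\$\{([^}:]+)(?::([^}]*))?\}")


def lookup(key: str, sources: List[Dict[str, str]]) -> Optional[str]:
    """The first source in precedence order that defines the key wins."""
    for source in sources:
        if key in source:
            return source[key]
    return None


def resolve_value(value: str, sources: List[Dict[str, str]], depth: int = 0) -> str:
    """Expand every ${...} in value, recursively, with a depth guard against cycles."""
    if depth > 10:
        raise ValueError("placeholder nesting too deep (cycle?)")

    def expand(match) -> str:
        name, default = match.group(1), match.group(2)
        found = lookup(name, sources)
        if found is None:
            if default is None:
                # No source defines the key and no default was given: fail loudly
                # rather than hand the client a literal "${...}" string.
                raise ValueError(f"Could not resolve placeholder '{name}'")
            found = default
        return resolve_value(found, sources, depth + 1)

    return PLACEHOLDER.sub(expand, value)


def resolve_all(sources: List[Dict[str, str]]) -> Dict[str, str]:
    """Merge the sources (earlier ones override later ones) and resolve every value."""
    merged: Dict[str, str] = {}
    for source in reversed(sources):
        merged.update(source)
    return {key: resolve_value(val, sources) for key, val in merged.items()}


if __name__ == "__main__":
    # Vault values take precedence over git values in this assumed ordering.
    for key, val in resolve_all([VAULT_SOURCE, GIT_SOURCE]).items():
        print(f"{key} = {val}")
```

Note that the resolved map still contains `passwordInVault` itself: any property source that is merged in is visible to the client as a whole, so a real deployment should scope what the Vault policy exposes rather than rely on the placeholder indirection to hide it.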

How to stop spring cloud AWS secrets manager trying to load profile based secrets

I'm using spring cloud AWS secrets manager support to load in configuration defined by terraform which creates the application secret defaults.
Once I add a policy statement to the services accessing the secret, I run into Spring not starting, as it's attempting to read all kinds of secrets for profiles that do not exist in Secrets Manager.
How can I restrict the spring cloud secrets manager support to only read secrets I have explicitly granted access without needing to create empty secrets for every profile?
This is not possible yet, unfortunately. We have a pull request that enables skipping the loading of profiles; it will likely be merged in 2.3, and we are re-thinking the Secrets Manager integration for 3.0.

Is Service binding approach using spring cloud connectors relevant when credentials are stored in Vault?

I have been using the Spring Cloud Service Connectors for Pivotal Cloud Foundry for a long time, which get the connection details from the VCAP_SERVICES env variable. Now we have a requirement to read these credentials from Vault. I am just curious: can I still continue to use the service binding approach with Spring Cloud Connectors? I would assume we don't want to expose these credentials from Vault in a VCAP_SERVICES variable, which defeats the purpose of the Vault. Have there been any enhancements in Spring Cloud Connectors to read the credentials directly from Vault rather than depending on the VCAP_SERVICES env variable, or should I fall back to Spring Boot's default application-properties-based approach instead of the service binding approach using Cloud Connectors?
The Spring Cloud Connectors project is now in maintenance mode, in favor of the newer Java CFEnv project. However, Java CFEnv is also very specific to Cloud Foundry's VCAP_SERVICES model of exposing service bindings and won't help you if the service connection info is in Vault.
I would suggest that you fall back to the Spring Boot properties-based approach using Spring Cloud Vault or Spring Cloud Config Server's Vault integration to automate fetching the properties from Vault and making them available as Spring Boot properties.

How to retrieve db credentials using Spring Cloud Vault

We have a Spring Boot 2 application that connects to a DB2 database via DAOs. The current application uses application.properties to store the credentials, like this:
spring.datasource.url=jdbc:db2://127.0.0.1:50000/bcupload
spring.datasource.username=db2user
spring.datasource.password=mysecretpa$$
spring.datasource.driver-class-name=com.ibm.db2.jcc.DB2Driver
I would like to store the username and password in HashiCorp Vault and retrieve them at runtime using Spring Cloud Vault facilities.
I've examined this example from Spring Guides, but I'm not understanding what to do with these values once I retrieve them from the Vault. How do I convert them to properties that Spring Boot uses when connecting to my DB2 data source?
Add the same property in Vault and connect to Vault with the spring-cloud-vault library. Have all Vault-related configuration in bootstrap.yml. It's not required to convert that into a property; the above-mentioned steps are enough.

Spring Cloud Config with Git/Vault backend - token passthrough

Instead of giving an AppRole or Static Token for Spring Cloud Config Server to access ALL secrets across ALL applications, is it possible to configure Spring Cloud Vault Config to utilize a given token on the request for the configuration?
This communication would be over 2-way SSL with the token in the headers. Not ideal to send such a token outward, but it seems the proper solution in this scenario.
Keep in mind this is a Spring Cloud Config Server using Git + Vault as backends in order to resolve secrets, variables, etc. into the desired configurations. This would not only be used for Spring configurations but for other files delivered to an ephemeral environment, such as an httpd.conf for Apache (bad example to shove secrets into).
The goal here is to limit access where possible and keep it limited to the end application requesting the configuration. It's also nice not to duplicate RBAC efforts with AuthZ on Spring Config AND Vault policies.
You can configure each Spring Boot application that talks to Config Server to send its own unique token to Config Server, which is then passed through to Vault.
Vault will allow access to the requested resource based on the policies that define access to that resource and the permissions granted to the token.
Step 1: Define a policy.
cat > ./rules/application-a.hcl <<EOF
path "secret/application" {
  capabilities = ["read", "list"]
}
path "secret/application-a" {
  capabilities = ["read", "list"]
}
EOF
Step 2: Write the policy to Vault.
vault write sys/policy/policy-application-a rules=@./rules/application-a.hcl
Step 3: Create a token using the defined policy.
vault token-create -display-name="My Application A" -policy="policy-application-a"
Step 4: Write some data to Vault
vault write secret/application-a @application-a-config.json
Step 5: Configure the Spring Boot application to use its token.
Use the token created in Step 3 above. Set the following up in the application's bootstrap.yml file. You could also pass this through at run-time if you're running in a containerized environment.
spring:
  cloud:
    config:
      uri: https://configserver:8888/
      token: <secret token>
Spring handles the transfer of token from the client application to Config Server and then onto Vault.
For any other application, you can set the token in the header of an HTTP request.
From the Vault documentation:
https://www.vaultproject.io/intro/getting-started/apis.html
curl -X GET -H "X-Vault-Token:$VAULT_TOKEN" http://127.0.0.1:8200/v1/secret/application-a
I hope this helps you.
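The answer above rests on two things: Vault grants or denies a read based on the policies attached to the presented token, and the token travels as a request header (to Config Server from the Spring client, then on to Vault). The block below is an added example, not code from the answer, from Spring, or from Vault. It models the policy check for the two paths in application-a.hcl plus a second, constructed application policy, and builds the headers for both hops. The policy names, token strings and the `application-b` rules are constructed for illustration; the matching is a simplified model of Vault's rules (exact path or trailing `*` glob, most specific rule per policy, any `deny` overriding everything) and omits `+` segment wildcards and parameter constraints. `X-Config-Token` is the header a Spring Cloud Config client populates from `spring.cloud.config.token`; `X-Vault-Token` is the one the curl line above sends.

```python
from typing import Dict, List, Set

# Constructed policies: the two rules from application-a.hcl above, plus a
# second application whose policy carries an explicit deny on a sub-path.
POLICIES: Dict[str, Dict[str, Set[str]]] = {
    "policy-application-a": {
        "secret/application": {"read", "list"},
        "secret/application-a": {"read", "list"},
    },
    "policy-application-b": {
        "secret/application": {"read", "list"},
        "secret/application-b": {"read", "list"},
        "secret/application-b/internal/*": {"deny"},
    },
}

# Constructed tokens, standing in for what `vault token-create -policy=...`
# would hand back; only the policy attachment matters for the check.
TOKENS: Dict[str, List[str]] = {
    "token-for-app-a": ["policy-application-a"],
    "token-for-app-b": ["policy-application-b"],
}


def path_matches(rule: str, path: str) -> bool:
    """Exact match, or prefix match when the rule ends in a '*' glob."""
    if rule.endswith("*"):
        return path.startswith(rule[:-1])
    return rule == path


def capabilities(token: str, path: str) -> Set[str]:
    """Union of capabilities across the token's policies, using the most
    specific (longest) matching rule in each policy; 'deny' wins outright."""
    caps: Set[str] = set()
    for policy_name in TOKENS.get(token, []):
        rules = POLICIES.get(policy_name, {})
        matching = [rule for rule in rules if path_matches(rule, path)]
        if not matching:
            continue
        best = max(matching, key=len)
        caps |= rules[best]
    if "deny" in caps:
        return {"deny"}
    return caps


def is_allowed(token: str, path: str, capability: str) -> bool:
    """True only when the token's effective capabilities on path include capability."""
    return capability in capabilities(token, path)


def config_server_headers(token: str) -> Dict[str, str]:
    """Header the Spring Cloud Config client sends; Config Server forwards the
    token to Vault instead of using a server-wide credential."""
    return {"X-Config-Token": token}


def vault_headers(token: str) -> Dict[str, str]:
    """Header for calling Vault's HTTP API directly, as in the curl line above."""
    return {"X-Vault-Token": token}


if __name__ == "__main__":
    for token in TOKENS:
        for path in ("secret/application", "secret/application-a",
                     "secret/application-b", "secret/application-b/internal/key"):
            print(f"{token:16} read {path:40} -> {is_allowed(token, path, 'read')}")
```

Running the block shows the property the answer relies on: a token created with `policy-application-a` can read `secret/application` and `secret/application-a` but nothing under `application-b`, so a Config Server that passes the client's token through never needs a credential broad enough to read every application's secrets. An unknown token has no policies and therefore no capabilities at all.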
