I am using spring-cloud-gcp-starter,spring-cloud-gcp-starter-pubsub,spring-cloud-gcp-starter-data-datastore for the autoconfiguration of my gcp dependencies.
It fetches the key from system variable:: spring.cloud.gcp.credentials.encoded-key
which I am setting in my configuration class as System.setProperty("spring.cloud.gcp.credentials.encoded-key","privatevalue");
There is a case where my key will be rotated every x days and I want to ensure that my application gives me authorization when the key rotates.
One way I have thought is to overwrite the system variable when my key rotates but how do we make sure gcp uses the latest key for authentication or will this approach work?.
I looked at the CredentialsProvider class and it seems they only have getter method and setter is handled via autoconfiguration.

You are right that CredentialsProvider bean in spring-cloud-gcp is created in autoconfiguration.
In Spring Cloud ecosystem, you can refresh configuration by using #RefreshScope. So then all configurations in this scope will get refreshed when the /refresh endpoint is hit. Read more in spring documentation here.
For rotating the keys, you can override the CredentialsProvider bean in your configuration with #RefreshScope, so that you can refresh your keys without restarting the application.
You can refer to how it is done in this sample application.


Pub/Sub Implementation in Spring boot

Currently in our project we already implemented firebase messaging service(FCM).We already have service account created for this. Now we need to implement a pub/sub with different google and service account.
When I try to implement this its taking default credentials.
How can we configure different service account credentials for FCM and pub/sub?
Kindly let me know how can we fix this.
default credentials
Dependencies added
Error I am facing
To explicitly provide credentials for Spring Cloud GCP Pub/Sub, use the spring.cloud.gcp.pubsub.credentials.location or spring.cloud.gcp.pubsub.credentials.encoded-key property.
Documentation available here.
The error you have is unrelated to GCP authentication, though -- the issue is that two different starters are defining a Jwt parsing bean. If you don't need to extract identity from Firebase, then it can be turned off with spring.cloud.gcp.security.firebase.enabled=false. If you do need it, and com.magilhub is under your control, follow the Spring Boot suggestion and use #Qualifier to get the specific one you need.

Spring cloud vault not reloading/reflecting updates to secret value

Spring cloud vault picks up the latest secret value during application start. If the secret is updated when the application is already up and running, then it is not picked up.
I understand this is a Spring config limitation and there is a workaround with the #RefreshScope annotation and explicitly invoking the /actuator/refresh API.
Is there any other mechanism where the application can listen to secret update notifications and automate the refresh?
From the debug logs, I see that the spring cloud vault returns an updated secret with the GET call based on "min-renewal" time.
Got 'refresh' working with:
ContextRefresher contextRefresher;
public void refreshContext() {
I am still trying to understand why spring cloud vault invokes vault login and Get API every 10 seconds if the refresh is not automated.

Avoid resetting HikariCP datasource connection pool on property change/refresh

I am using spring boot 2 with PCF config server to use centrallized config. My microservice is basic crud rest service. What I noticed is that whenever a property is being changed and http post is being made on "actuator/refresh" endpoint, spring boot 2 drops all connection including active ones and rebuilds the connection pool. How can I avoid this? I am also using spring-boot-starter amqp and cloud bus to notify all my service instance to refresh the properties so it is also happening for http post on "actuator/bus-refresh".
Also to clarify, I didnot change any property related to datasource config, instead I am changing application specific property, so why does spring boot refreshing datasource, I did not understood.

Automatically renew AWS credentials in a Spring Boot application using Spring Cloud Vault

I'm trying to create a Spring Boot application that regularly fetch data from AWS S3.
The AWS S3 credentials are fetched from Vault using Spring Cloud Vault when the application start.
My issue is that AWS S3 credentials have a limited lifespan due to Vault policy so I have to restart my application from time to time to obtain new credentials from Vault
Is there a way to automatically restart bean using those credentials?
No, there is no automatism, but you can do this yourself.
The longer read
Spring Boot and Spring Cloud aren't really intended for applying continuous updates to the configuration without interruption. Spring Cloud Config ships with Refresh Scope support that allows to annotate beans with #RefreshScope and trigger a refresh of the beans that get re-initialized. This approach requires either integration with a message bus or triggering the refresh endpoint.
The other alternative, which is limited to AWS functionality, is providing an own AWSCredentialsProvider implementation that is backed by a Vault PropertySource that applies rotation to your credential. This requires you to provide a bit of code that integrates with VaultConfigurer or even directly via SecretLeaseContainer to get secret lifecycle event callbacks. See here for an integration example.
There is a ticket asking for the same question that contains background why this pattern isn't widely applicable.

Spring Cloud Security JWT: Distribute Public Key using Config Server / Key Rotation

How do you manage your Private / Public Keys for signing / validating JWTs in Spring Cloud environment?
The "problem":
At the moment I generate a Key Pair. Then copy Private + Public Key to my auth-server application. And also copy the Public Key to each and every Resource Server.
When I now want to implement "Key Rotation" I have to somehow populate the new keys to every service.
The idea:
Maybe I could use the spring-cloud-config-server to store and distribute the Key Pairs?
The config server already provides database login credentials. So why not store even more sensitive information there?
If this is the way to go: How would you implement the key pair distribution with spring-cloud-config-server?
Do you have any security concerns?
How did you solve this problem? I guess there are better solutions.
Maybe there's some solution using Spring Oauth's security.oauth2.resource.jwt.keyUri property for JWKs?
First of all, I would had a gateway to hide the JWT mechanism. It will allow you to revoke tokens from the gateway. If an user know about his token, you can't revoke it without revoke the public key. It will look like this :
It's easy to implement with zuul's filters and session-scoped beans.
Secondly, has you said it in comments, you can simply create a new private key to generate new tokens. But all your resource servers must be able to read all the previously generated tokens. So you need to have a list of public key on each resource servers, and each time you receive a request, you must try to verify it with each public key. Maybe you can had a public key id (and put the id on each generated token) to avoid to do dumb look for this task.
For key distribution, use spring cloud bus and rabbit mq seems right to me.
You should consider the use of Spring Cloud Consul Config instead:
Consul provides a Key/Value Store for storing configuration and other
metadata. Spring Cloud Consul Config is an alternative to the Config
Server and Client. Configuration is loaded into the Spring Environment
during the special "bootstrap" phase. Configuration is stored in the
/config folder by default. Multiple PropertySource instances are
created based on the application’s name and the active profiles that
mimicks the Spring Cloud Config order of resolving properties.
You can POST to /refresh to update your key, or watch for changes:
The Consul Config Watch takes advantage of the ability of consul to
watch a key prefix. The Config Watch makes a blocking Consul HTTP API
call to determine if any relevant configuration data has changed for
the current application. If there is new configuration data a Refresh
Event is published.
