I'd like my app to use the default application credential chain but to be able to customise the access scopes available to the role. Is there a way to do it?
Turns out Spring Cloud GCP provides an option to set scopes for the credentials. To do that you need to specify, eg: spring.cloud.gcp.credentials.scopes=DEFAULT_SCOPES,https://www.googleapis.com/auth/cloud-vision in your application.ini/yaml file or as per usual in Spring you can use environmental variables to do it as well, eg: export SPRING_CLOUD_GCP_CREDENTIALS_SCOPES=DEFAULT_SCOPES,https://www.googleapis.com/auth/drive
For more details check:
https://docs.spring.io/spring-cloud-gcp/docs/current/reference/html/#scopes
Related
Currently in our project we already implemented firebase messaging service(FCM).We already have service account created for this. Now we need to implement a pub/sub with different google and service account.
When I try to implement this its taking default credentials.
How can we configure different service account credentials for FCM and pub/sub?
Kindly let me know how can we fix this.
default credentials
Dependencies added
Error I am facing
To explicitly provide credentials for Spring Cloud GCP Pub/Sub, use the spring.cloud.gcp.pubsub.credentials.location or spring.cloud.gcp.pubsub.credentials.encoded-key property.
Documentation available here.
The error you have is unrelated to GCP authentication, though -- the issue is that two different starters are defining a Jwt parsing bean. If you don't need to extract identity from Firebase, then it can be turned off with spring.cloud.gcp.security.firebase.enabled=false. If you do need it, and com.magilhub is under your control, follow the Spring Boot suggestion and use #Qualifier to get the specific one you need.
I am trying to connect my Java application to Enterprise Vault using LDAP authentication method.
spring won't provide a direct way to connect with like it provide for
TOKEN
spring.cloud.vault.uri=https:8080/vault/uri
spring.cloud.vault.namespace=admin
spring.cloud.vault.authentication=TOKEN
spring.cloud.vault.token=some-token
and APPROLE
spring.cloud.vault.uri=https:8080/vault/uri
spring.cloud.vault.namespace=admin
spring.cloud.vault.authentication=APPROLE
spring.cloud.vault.app-role.role-id=
spring.cloud.vault.app-role.secret-id=
spring.cloud.vault.app-role.role=
spring.cloud.vault.app-role.app-role-path=
Can somebody help me to connect with Enterprise Vault using LDAP method
Hi #Pramendra Raghuwanshi,
Hope this helps. https://www.vaultproject.io/docs/auth/ldap
As per this link, there are 2 options
Use Vault CLI to authenticate using a LDAP account and set the environment variable VAULT_TOKEN
Use the API, to do LDAP authentication and get the token and then set the environment variable VAULT_TOKEN
So, if you use VAULT_TOKEN variable in your Spring boot config, it should work. The authentication and setting the VAULT_TOKEN shall be a pre-requisite task before staring the Spring boot app. Something which can be automated as part of your app start up process?
Surprisingly spring cloud vault doesn't support LDAP as auth method; Even no documentation exits on why it doesn't support or constraints etc..
This standalone (https://github.com/BetterCloud/vault-java-driver) impl does support LDAP autentication but there is no community/opensource support for this.
I am facing some challenges while configuring Spring Boot Micrometer for my application. Micrometer documents says we can configure influxdb uri, userName, password, db etc through application.yml file which is working fine for my demo application but for production ready application we are using docker-compose and we are setting all our environment variable through docker-compose. Now I am facing challenges like -
How can I force micrometer to use docker-compose environment variable influxdb uri
For influxdb password, our application stores passwords in AWS secret Manager, how micrometer will access password from secret manager?
Can I configure all this micrometer properties programmatically (Spring Bean)? How?
I'm not sure how to leverage AWS Secret Manager, but for point 1 and 3 I can offer some advice.
I'm not familiar with Influx specifically, but based on the javadoc it uses management.metrics.export.influx.username to set the password.
1- To set a application property via an environment variable, set the equivalent using the typical 'SCREAMING_SNAKE_CASE' format:
MANAGEMENT_METRICS_EXPORT_INFLUX_USERNAME=myInfluxUser
Or if you already have an environment variable that you want to reference in you application.yml file you con reference in as a property:
management.metrics.export.influx.username: ${INFLUX_USER}
3- To configure Micromerter/influx programatically create a bean on type InfluxProperties:
#Bean
public InfluxProperties influxProperties() {
return new InfluxProperties(); // Programatically set any properties here.
}
I am trying to use AWS CodeCommit repository with spring cloud config. I have managed to get it working with SSH. But I would like to use https instead of SSH. AWS suggest to use credential helper. Does anyone know how can I configure spring config cloud to use credential helper? I have looked AWS CodeCommit HTTPS access without setting up credential helper But there is no answer yet and I was wondering if there is some way in spring cloud config to do it.
I don't know if you have seen this answer yet, but this explains a little bit and the example with JGit works. AWS CodeCommit HTTPS access without setting up credential helper
Since Spring Cloud Config doesn't yet support adding custom Credential providers you need to implement your own EnvironmentRepository.
For a POC I overrode the JGitEnvironmentRepository, and had to copy almost all the code because what I really needed to override was a private method JGitEnvironmentRepository#setCredentialsProvider. That method is where I used the code from the example I provided above.
Spring Cloud Config uses an auto config to build their MultipleJGitEnvironmentRepository bean and it is annotated with #ConditionalOnMissingBean(EnvironmentRepository.class), so as long as you create a bean of that type you can override their behavior.
So with that said the SSH option is a lot cleaner until Spring expands their support for configuring custom Credential Providers or first class support for CodeCommit.
Open issue for AWS CodeCommit: https://github.com/spring-cloud/spring-cloud-config/issues/334
Duplication of a similar question and solution is posted there.
AWS CodeCommit HTTPS access without setting up credential helper
I wonder if its possible to config spring security with a ldap as authentication provider so that only some of the users in the ldap is getting access? Is it possible to config it so that I can write in the names of the users that is giving access?
Im using Spring 3.1
Yes, it is posible, see the spring documentation. Your second question is not clear for me. Do you mean that, once the user from ldap is authenticated you want to display the user name? Thas is possible.