Accessing GCP secret key with /actuator/refresh endpoint in spring boot - spring-boot

I am accessing GCP secret key in Spring boot config Server / Client with 'sm://' and it's working perfectly when application started.
Now I am invoking '/actuator/refresh' endpoint.. here application failed to bind the property specified for secret key with sm:// prefix.
However, if I provide plain text, that works fine; so issue is accessing secret key from Google cloud.
Can anyone help me on the same !
Thanks

Unfortunately, it is not possible to refresh or load secrets using the actuator/refresh endpoint due to limitations with Spring (specifically the mechanism called "bootstrap loading" which is how the secrets are loaded by the .properties files.).
Details are provided here: https://github.com/spring-cloud/spring-cloud-gcp/issues/2485

Related

Pub/Sub Implementation in Spring boot

Currently in our project we already implemented firebase messaging service(FCM).We already have service account created for this. Now we need to implement a pub/sub with different google and service account.
When I try to implement this its taking default credentials.
How can we configure different service account credentials for FCM and pub/sub?
Kindly let me know how can we fix this.
default credentials
Dependencies added
Error I am facing
To explicitly provide credentials for Spring Cloud GCP Pub/Sub, use the spring.cloud.gcp.pubsub.credentials.location or spring.cloud.gcp.pubsub.credentials.encoded-key property.
Documentation available here.
The error you have is unrelated to GCP authentication, though -- the issue is that two different starters are defining a Jwt parsing bean. If you don't need to extract identity from Firebase, then it can be turned off with spring.cloud.gcp.security.firebase.enabled=false. If you do need it, and com.magilhub is under your control, follow the Spring Boot suggestion and use #Qualifier to get the specific one you need.

Best way to connect spring boot application to VAULT using LDAP authentication method

I am trying to connect my Java application to Enterprise Vault using LDAP authentication method.
spring won't provide a direct way to connect with like it provide for
TOKEN
spring.cloud.vault.uri=https:8080/vault/uri
spring.cloud.vault.namespace=admin
spring.cloud.vault.authentication=TOKEN
spring.cloud.vault.token=some-token
and APPROLE
spring.cloud.vault.uri=https:8080/vault/uri
spring.cloud.vault.namespace=admin
spring.cloud.vault.authentication=APPROLE
spring.cloud.vault.app-role.role-id=
spring.cloud.vault.app-role.secret-id=
spring.cloud.vault.app-role.role=
spring.cloud.vault.app-role.app-role-path=
Can somebody help me to connect with Enterprise Vault using LDAP method
Hi #Pramendra Raghuwanshi,
Hope this helps. https://www.vaultproject.io/docs/auth/ldap
As per this link, there are 2 options
Use Vault CLI to authenticate using a LDAP account and set the environment variable VAULT_TOKEN
Use the API, to do LDAP authentication and get the token and then set the environment variable VAULT_TOKEN
So, if you use VAULT_TOKEN variable in your Spring boot config, it should work. The authentication and setting the VAULT_TOKEN shall be a pre-requisite task before staring the Spring boot app. Something which can be automated as part of your app start up process?
Surprisingly spring cloud vault doesn't support LDAP as auth method; Even no documentation exits on why it doesn't support or constraints etc..
This standalone (https://github.com/BetterCloud/vault-java-driver) impl does support LDAP autentication but there is no community/opensource support for this.

Spring cloud vault not reloading/reflecting updates to secret value

Spring cloud vault picks up the latest secret value during application start. If the secret is updated when the application is already up and running, then it is not picked up.
I understand this is a Spring config limitation and there is a workaround with the #RefreshScope annotation and explicitly invoking the /actuator/refresh API.
Is there any other mechanism where the application can listen to secret update notifications and automate the refresh?
From the debug logs, I see that the spring cloud vault returns an updated secret with the GET call based on "min-renewal" time.
Got 'refresh' working with:
#Autowired
ContextRefresher contextRefresher;
public void refreshContext() {
contextRefresher.refresh();
}
I am still trying to understand why spring cloud vault invokes vault login and Get API every 10 seconds if the refresh is not automated.

Automatically renew AWS credentials in a Spring Boot application using Spring Cloud Vault

I'm trying to create a Spring Boot application that regularly fetch data from AWS S3.
The AWS S3 credentials are fetched from Vault using Spring Cloud Vault when the application start.
My issue is that AWS S3 credentials have a limited lifespan due to Vault policy so I have to restart my application from time to time to obtain new credentials from Vault
Is there a way to automatically restart bean using those credentials?
TL;DR
No, there is no automatism, but you can do this yourself.
The longer read
Spring Boot and Spring Cloud aren't really intended for applying continuous updates to the configuration without interruption. Spring Cloud Config ships with Refresh Scope support that allows to annotate beans with #RefreshScope and trigger a refresh of the beans that get re-initialized. This approach requires either integration with a message bus or triggering the refresh endpoint.
The other alternative, which is limited to AWS functionality, is providing an own AWSCredentialsProvider implementation that is backed by a Vault PropertySource that applies rotation to your credential. This requires you to provide a bit of code that integrates with VaultConfigurer or even directly via SecretLeaseContainer to get secret lifecycle event callbacks. See here for an integration example.
There is a ticket asking for the same question that contains background why this pattern isn't widely applicable.

Reading ~/.aws/credentials from Spring Boot Spring Cloud

I am new to AWS and Spring Cloud. I have accomplished a simple AWS Java Application where the AWS credentials are stored in ~/.aws/credentials file. It works just fine. I moved to a new project in Spring Boot and Spring Cloud. I would like to continue using the ~/.aws/credential that I have set up for the Java application. However, I have not been able to find a way to load the credentials from the credentials file. I had to move the access key and secret key to the aws-config.xml.
<aws-context:context-credentials>
<aws-context:simple-credentials access-key="${accessKey:}" secret-key="${secretKey:}"/>
<aws-context:context-resource-loader/>
When I accomplished this, the Spring Boot and Spring Cloud application worked fine. However, keeping the information in the xml file is not the safest way because I am using GitHub.
Can someone point me in the direction whereby I can pull the information from the ~/.aws/credentials file into Spring Boot /Spring Cloud using Maven?
Thank you for taking the time reading my post.
Russ
try below settings
cloud:
aws:
credentials:
instanceProfile: false
useDefaultAwsCredentialsChain: false
profileName: <name>
profilePath: ${user.home}/.aws/credentials
Instance Profile sounds like the right option!
It's a IAM-role that lives on instances, without the need to hardcode credentials in code.
Spring Cloud's Maven setup guide :)

Resources