I’m trying to access the credentials kept at a vault location through spring boot, I have roleID , secretID, nameSpace, vaultPath & address given to me.
The credentials are kept at a specific vault path.
I am trying to configure this in application.yml, but it fails, also trying to figure out where to specify the vault path.
application.yml:
spring:
application:
name: DIT
spring.cloud.vault:
authentication: APPROLE
scheme: https
uri: <uri>
namespace:
app-role:
role-id:
secret-id:
Related
I'm trying to read secret values using spring vault. All the properties for client application is stored in github and spring config server is used to access the properties. When I add the vault configuration to client application bootstrap.yml as below, the values are read properly.
bootstrap.yml
spring:
application:
name: client-app
cloud:
config:
uri: http://config-server:8080
vault:
enabled: true
authentication: APPROLE
app-role:
role-id: 12345
secret-id: 12345
role: pres-read
app-role-path: approle
connection-timeout: 5000
read-timeout: 15000
kv:
enabled: true
backend: secrets
application-name: client-app
uri: https://vault/
application.yml in config server
spring:
cloud:
config:
server:
git :
uri: https://github/repo.git
username: abc
password: pass
refreshRate: 300
Based on https://docs.spring.io/spring-cloud-vault/docs/current/reference/html/config-data.html#vault.configdata , it should be possible to load the vault config from properties yml in github. But if i move the above vault config to my client-app.yml in github, the properties are not read from the vault. How do I achieve this?
I am integrating the spring-cloud-aws-secrets-manager-config module with my SpringBoot application to fetch secrets from AWS Secrets Manager.
I have following two secrets in AWS Secrets Manager.
/myapp/dbcredentials
/myapp/apikey
Now, with bootstrap.yml, I am able to fetch either of these two secrets. Not both.
bootstrap.yml
aws:
secretsmanager:
prefix: /myapp
defaultContext: application
profileSeparator: _
failFast: false
name: dbcredentials
enabled: true
What will be the configuration in bootstrap.yml to fetch both the secrets?
Starting from Spring cloud AWS 2.3, spring.config.import could be used to load more than one secrets
spring.config.import=aws-secretsmanager:secret-key;other-secret-key
https://docs.awspring.io/spring-cloud-aws/docs/2.3.0/reference/html/index.html#integrating-your-spring-cloud-application-with-the-aws-secrets-manager
Hope this helps !
I'm working with microservice architecture and have spring cloud config service and another microservice.
profiles:
active: vault
cloud:
# Configuration for a vault server running in dev mode
vault:
scheme: http
host: 127.0.0.1
port: 8200
connection-timeout: 5000
read-timeout: 15000
authentication: TOKEN
token: s.E4gdoIYAKxMvCE56MP5Etmvy
kv:
enabled: true
backend: secret
backend-version: 2
profile-separator: /
generic:
enabled: false
application-name: myapp
Config server dependency
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-vault-config</artifactId>
<version>2.1.5.RELEASE</version>
</dependency>
this is into .yml into the config service. Then into the .yml for my microservice i have db.username property which I want to resolve from Vault but I can't. Do you have any ideas?
username: db.username
password: secret/apm-transaction-service/dev/db.user
#Value("${db.username}")
this value is resolved into the java code but not into the .yml
Now for each microservice which I have I want to resolve the secrets from the configuration service without making any changes into the microservices. Currently reading native .ymls from the config service and want to add one more source :)
ApplicationStartupRunner run method Started !!root
if you are using spring-boot, for the value in .yml file to be resolved it has to be a variable. you must use ${db.username} in the yaml file
I'm able to set up a git repository a config backend:
spring:
cloud:
config:
server:
git:
# username: user
# password: '{cipher}passwd'
I think it's not a good practive to provide user and password straightforwardly herewith on bootstrap.yml file.
I'd like they are picked up from Vault.
Is it possible?
You can use spring cloud vault to do so, Spring offers a start guide here
How can I config different username/password for spring cloud config for each application.
I need that one application can't read the configuration of other application.
I can set an user/password but is for all:
security:
user:
name: account
password: mypassword