I'm trying to use the encrypt feature of Spring Cloud Config Server. I've generated a keystore and set the required config in application.properties.
I'm able to use the /encrypt and /decrypt endpoints to encrypt and decrypt values.
However, encrypted values are not decrypted by the config server before being sent to the client!
encrypt.key-store.location=classpath:/config-server.jks
encrypt.key-store.alias=config-server-key
encrypt.key-store.password=changeit
encrypt.key-store.secret=changeit
In my .yml file I've
message: '{cipher}AgAAeBKZOOQ3aM...'
What am I missing?
I was able to fix my issue: instead of putting the config properties in application.properties, I had to set them in bootstrap.properties.
encrypt.key-store.location=classpath:/config-server.jks
encrypt.key-store.alias=config-server-key
encrypt.key-store.password=changeit
encrypt.key-store.secret=changeit
Related
I am trying to encrypt the passwords in my application.yml file, symmetrically or asymmetrically.
I added the following dependencies and made a request to the /encrypt endpoint, but I get a 404 Not Found result. I couldn't understand why.
I created a Spring Cloud Config server. I put the security settings in my application.properties file:
security.basic.enabled=false
security.user.name=1user
security.user.password=123
When I try to log in to the application with that name and password, I always get
Bad credentials
I tried setting enabled to true but got the same result. I saw on the command line that Spring generated a random password like
69dfeb52-6320-4085-bcd1-22ee7a3676a2
If I use it with the username user, I can connect.
Hi Robert Trudel
If you are using Spring Boot 2.x, then you need to prefix these properties with spring
as shown below:
spring.security.user.name=1user
spring.security.user.password=123
Also, you do not need this security.basic.enabled=false.
Hope this helps!
Instead of giving an AppRole or Static Token for Spring Cloud Config Server to access ALL secrets across ALL applications, is it possible to configure Spring Cloud Vault Config to utilize a given token on the request for the configuration?
This communication would be over 2-way SSL with the token in the headers. Not ideal to send such a token outward but seems the proper solution in this scenario.
Keep in mind this is a Spring Cloud Config Server using Git + Vault as backends in order to resolve secrets, variables, etc., into the desired configurations. This would be used not only for Spring configurations but also for other files delivered to an ephemeral environment, such as an httpd.conf for Apache (a bad example to shove secrets into).
The goal here is to limit access where possible, keeping it limited to the end application requesting the configuration. It is also nice not to duplicate RBAC efforts with AuthZ on Spring Config AND Vault policies.
You can configure each Spring Boot application that talks to Config Server to send its own unique token to Config Server, which is then passed through to Vault.
Vault will allow access to the requested resource based on the policies that define access to that resource and the permissions granted to the token.
Step 1: Define a policy.
cat > ./rules/application-a.hcl <<EOF
path "secret/application" {
  capabilities = ["read", "list"]
}
path "secret/application-a" {
  capabilities = ["read", "list"]
}
EOF
Step 2: Write the policy to Vault.
vault write sys/policy/policy-application-a rules=@./rules/application-a.hcl
Step 3: Create a token using the defined policy.
vault token-create -display-name="My Application A" -policy="policy-application-a"
Step 4: Write some data to Vault
vault write secret/application-a @application-a-config.json
Step 5: Configure the Spring Boot application to use its token.
Use the token created in Step 3 above. Set the following up in the application's bootstrap.yml file. You could also pass this in at run time if you're running in a containerized environment.
spring:
  cloud:
    config:
      uri: https://configserver:8888/
      token: <secret token>
Spring handles the transfer of token from the client application to Config Server and then onto Vault.
For any other application, you can set the token in the header of an HTTP request.
From the Vault documentation:
https://www.vaultproject.io/intro/getting-started/apis.html
curl -X GET -H "X-Vault-Token:$VAULT_TOKEN" http://127.0.0.1:8200/v1/secret/application-a
I hope this helps you.
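As an added example (not part of the answer above, and not Vault's or Spring's own code), the following Python models how the policy written in Steps 1 to 3 scopes a token. The client sends its spring.cloud.config.token value as the X-Config-Token header, Config Server forwards it to Vault, and Vault answers based on the policy attached to that token: a token holding policy-application-a can read the two documents Config Server fetches for application-a (secret/application and secret/application-a) but nothing for application-b, and cannot write. Only exact paths, a trailing-* glob and the deny capability are modeled; real Vault matching is richer.

```python
"""Simulated Vault policy check for the per-application token pattern above.

Added example: this is not code from the original answer or from Vault. It
models only the subset of Vault policy semantics needed here: exact path
matches and a trailing '*' glob, with a 'deny' capability overriding any
grant. Real Vault has more rules ('+' segment wildcards, longest-prefix
precedence), so treat this as an illustration of scoping, not as Vault.
"""
import re
from typing import Dict, List

# Policy text from the answer above (rules/application-a.hcl).
APPLICATION_A_POLICY = """
path "secret/application" {
  capabilities = ["read", "list"]
}
path "secret/application-a" {
  capabilities = ["read", "list"]
}
"""

_BLOCK_RE = re.compile(r'path\s+"([^"]+)"\s*\{([^}]*)\}', re.S)
_CAPS_RE = re.compile(r'capabilities\s*=\s*\[([^\]]*)\]')


def parse_policy(hcl: str) -> Dict[str, List[str]]:
    """Return {path_pattern: [capabilities]} from a minimal HCL policy."""
    rules: Dict[str, List[str]] = {}
    for path, body in _BLOCK_RE.findall(hcl):
        caps_match = _CAPS_RE.search(body)
        caps = re.findall(r'"([^"]+)"', caps_match.group(1)) if caps_match else []
        rules[path] = caps
    return rules


def _path_matches(pattern: str, path: str) -> bool:
    # A trailing '*' is a prefix glob; anything else must match exactly.
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return pattern == path


def is_allowed(rules: Dict[str, List[str]], path: str, capability: str) -> bool:
    """True if a token carrying these rules may perform `capability` on `path`."""
    granted = False
    for pattern, caps in rules.items():
        if not _path_matches(pattern, path):
            continue
        if "deny" in caps:
            return False  # an explicit deny wins over any grant
        if capability in caps:
            granted = True
    return granted


def config_server_paths(app_name: str) -> List[str]:
    """Vault paths Config Server reads for an application (default backend 'secret').

    The shared 'application' document plus the app's own document. Profile-specific
    documents are left out of this simplified model.
    """
    return ["secret/application", f"secret/{app_name}"]


def can_fetch_config(hcl: str, app_name: str) -> bool:
    """Would a token with this policy let Config Server resolve app_name's config?"""
    rules = parse_policy(hcl)
    return all(is_allowed(rules, p, "read") for p in config_server_paths(app_name))


if __name__ == "__main__":
    for app in ("application-a", "application-b"):
        verdict = "allowed" if can_fetch_config(APPLICATION_A_POLICY, app) else "denied"
        print(f"{app}: {verdict}")
```

Running it shows application-a allowed and application-b denied, which is the whole point of handing each application its own token instead of giving Config Server one AppRole with access to every path.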
We use Spring Cloud Config as our configuration tool. We store passwords and other sensitive things in the config Git repository. We encrypt the config using the Spring /encrypt endpoint and put the values in the config.
There is an endpoint, /env, which returns all the properties. The problem here is that the values which are encrypted are returned as plain text. Is there a way to make the endpoint return the encrypted value instead of plain text?
Disable server-side decryption by setting the following property:
spring.cloud.config.server.encrypt.enabled: false
The /env endpoint is an actuator endpoint added by Spring Cloud Config. You should take the usual steps to secure the actuator endpoints so as not to allow unwanted access.
You can set endpoints.configprops.keys-to-sanitize to whatever pattern you need. The default is password,secret,key,token,.*credentials.*,vcap_services. Keys can be simple strings that the property ends with or regex expressions.
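To make the sanitizing rule above concrete, here is an added Python re-implementation of the key-based masking Spring Boot applies to /env and /configprops (example code, not from the answer and not Spring Boot's own). It follows Spring Boot's Sanitizer: a list entry containing a regex metacharacter is matched against the whole key, any other entry matches keys that end with it, both case-insensitively, and matched values become "******". The sample /env content is constructed. The thing to notice is that a decrypted {cipher} property such as message is not masked by the default list, because the list works on key names, not on where the value came from; either disable server-side decryption as above or add the key name to keys-to-sanitize.

```python
"""Re-implementation of the key-based sanitizer Spring Boot applies to /env
and /configprops, to show which keys the keys-to-sanitize list actually masks.

Added example: not code from the original answer or from Spring Boot. The
matching rules follow Spring Boot's Sanitizer class: a list entry containing a
regex metacharacter (* $ ^ +) is compiled as a pattern that must match the
whole key, any other entry matches keys that END with it, both
case-insensitively; a matched value is replaced with "******".
"""
import re
from typing import Dict, Iterable, Optional

# Default list quoted in the answer above.
DEFAULT_KEYS_TO_SANITIZE = (
    "password", "secret", "key", "token", ".*credentials.*", "vcap_services",
)

_REGEX_PARTS = ("*", "$", "^", "+")


def _compile(entry: str):
    """Build one key matcher the way Spring Boot does (no escaping of '.')."""
    if any(part in entry for part in _REGEX_PARTS):
        return re.compile(entry, re.IGNORECASE)
    return re.compile(".*" + entry + "$", re.IGNORECASE)


def sanitize(props: Dict[str, Optional[str]],
             keys_to_sanitize: Iterable[str] = DEFAULT_KEYS_TO_SANITIZE) -> Dict[str, Optional[str]]:
    """Return a copy of props with the values of sensitive-looking keys masked."""
    patterns = [_compile(e) for e in keys_to_sanitize]
    masked: Dict[str, Optional[str]] = {}
    for key, value in props.items():
        # Java's Matcher.matches() requires the whole key to match -> fullmatch.
        if value is not None and any(p.fullmatch(key) for p in patterns):
            masked[key] = "******"
        else:
            masked[key] = value
    return masked


def exposed_keys(props: Dict[str, Optional[str]],
                 keys_to_sanitize: Iterable[str] = DEFAULT_KEYS_TO_SANITIZE):
    """Keys whose values would leave /env in the clear under this list."""
    return sorted(k for k, v in sanitize(props, keys_to_sanitize).items() if v != "******")


# Constructed sample of what /env might return after the config server has
# already decrypted the {cipher} values.
SAMPLE_ENV = {
    "spring.datasource.password": "s3cr3t",
    "my.api.TOKEN": "abc123",
    "aws.credentials.accessKeyId": "constructed-access-key-id",
    "message": "plaintext of the {cipher} property",
    "server.port": "8888",
}

if __name__ == "__main__":
    for k, v in sanitize(SAMPLE_ENV).items():
        print(f"{k} = {v}")
    print("still exposed:", exposed_keys(SAMPLE_ENV))
    # Masking the decrypted 'message' needs its key name added to the list.
    print("with 'message' added:",
          exposed_keys(SAMPLE_ENV, DEFAULT_KEYS_TO_SANITIZE + ("message",)))
```

Note that a plain entry like password also masks my.datasource.PASSWORD but not my.password.enabled, since the key has to end with the entry; use a regex entry when you need a match in the middle of a key.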
I have a Spring Boot app that is using Spring Cloud Config, but I would like to encrypt the Spring Cloud Config password in the Spring Boot app's bootstrap.yml file. Is there a way to do this? Below is an example.
Spring Boot app bootstrap.yml
spring:
  cloud:
    config:
      uri: http://localhost:8888
      username: user
      password: '{cipher}encryptedpassword'
A couple things I've discovered related to this.
If you use bootstrap.yml (or application.yml), the cipher text must be enclosed within single quotes:
security.user.password: '{cipher}56e611ce4a99ffd99908d2c9aa1461d831722812e4370a5b6900b7ea680ae914'
If you use bootstrap.properties (or application.properties), the format for the cipher text must NOT be enclosed:
security.user.password= {cipher}56e611ce4a99ffd99908d2c9aa1461d831722812e4370a5b6900b7ea680ae914
The reference docs show the YAML without the quotes, which I never got to work. SnakeYaml always reported an error:
"expected <block end>, but found Scalar"
There is support for encrypted properties in the config client (as described in the user guide). Obviously if you do it that way you have to provide a key to decrypt the properties at runtime, so actually I don't always see the benefit (I suppose the config file is a bit like a keystore with a special format, so you only have one secret to protect instead of many). Example (application.yml):
integration:
  stores:
    test: '{cipher}316f8cdbb776c23e679bf209014788a6eab7522f48f97114328c2c9388e6b3c1'
and the key (in bootstrap.yml):
encrypt:
  key: ${ENCRYPT_KEY:} # deadbeef
You can use the Spring CLI to encrypt the secrets: spring encrypt password --key 'SECRET_KEY'
https://cloud.spring.io/spring-cloud-cli/