Instead of giving an AppRole or Static Token for Spring Cloud Config Server to access ALL secrets across ALL applications, is it possible to configure Spring Cloud Vault Config to utilize a given token on the request for the configuration?
This communication would be over 2-way SSL with the token in the headers. Not ideal to send such a token outward but seems the proper solution in this scenario.
Keep in mind this is a Spring Cloud Config Server using Git + Vault as backends in order to resolve secrets, variables, etc, into the desired configurations. This would not only be used for Spring Configurations but other files delivered to an ephemeral environment, such as an httpd.conf for Apache (bad example to shove secrets into)
Goal here is to limit access where possible and keeping it limited to the end-application requesting the configuration. Also nice to not duplicate RBAC efforts with AuthZ on Spring Config AND Vault policies.
You can configure each Spring Boot application that talks to Config Server to send its' own unique token to Config Server which is then passed through to Vault.
Vault will allow access to the requested resource based on the policies that define access to that resource and the permissions granted to the token.
Step 1: Define a policy.
cat ./rules/application-a.hcl <<EOF
path "secret/application" {
capabilities = ["read", "list"]
}
path "secret/application-a" {
capabilities = ["read", "list"]
}
EOF
Step 2: Write the policy to Vault.
vault write sys/policy/policy-application-a rules=#./rules/application-a.hcl
Step 3: Create a token using the defined policy.
vault token-create -display-name="My Application A" -policy="policy-application-a"
Step 4: Write some data to Vault
vault write secret/application-a #application-a-config.json
Step 5: Configure the Spring Boot application to use its' token.
Use the token created in Step 3 above. Set the following up in the application's bootstrap.yml file. You could also pass this through at run-time if you're running in a containerized environment.
spring:
cloud:
config:
uri: https://configserver:8888/
token: <secret token>
Spring handles the transfer of token from the client application to Config Server and then onto Vault.
For any other application, you can set the token in the header of a HTTP request.
From the Vault documentation:
https://www.vaultproject.io/intro/getting-started/apis.html
curl -X GET -H "X-Vault-Token:$VAULT_TOKEN" http://127.0.0.1:8200/v1/secret/application-a
I hope this helps you.
Related
I want to add the ability to microservices to allow configuring endpoints and permissions for RBAC via Cloud Config Server. So if there is a service called mordor, then if I add following properties in its application.yml at Cloud Config Server's repo
rbac:
- endpoint: /v1/test1
method: GET
scopes: ["rest-write:all", "read-write:product"]
- endpoint: /v1/test2
method: POST
scopes: ["read-write:product"]
the endpoints mentioned above should be configured for RBAC. As of now, I am passing the scopes and permissions via Auth0 JWT and using it for authentication. But with this, I will be able to add RBAC also based on the permissions I configure in Auth0's dashboard.
What is the best way to proceed with this?
I am able to get the rbac endpoints from Cloud Config Server but the problem is how to add them to Spring Security. I already have a class OAuth2SecurityConfiguerer where httpSecurity is configured but I haven't been able to add endpoints to Spring Security because it might require iterating over the endpoints obtained from Cloud Config Server
I need to secure a web-app, the backend will be Java Rest API, meanwhile I'll use Angular for my front.
I am using Keycloak to authenticate into my webapp, but I need to follow the standard flow of OAuth, that means I need to get first the auth code and then the access&refresh tokens.
I saw some configuration, but they're all related to Spring, like putting this code in application.properties
# keycloak properties
keycloak.realm = services
keycloak.auth-server-url = http://127.0.0.1:8080/auth
keycloak.ssl-required = external
keycloak.resource = todo-api
keycloak.use-resource-role-mappings = true
keycloak.security-constraints[0].authRoles[0]=users
keycloak.security-constraints[0].securityCollections[0].patterns[0]=/api/todo/*
The thing is in my project I don't have an application.properties file.
I've created a client in Keycloak, how do I have to configurate my JEE project to get the auth code?
Thanks a lot
You will need to log into Keycloak and select your realm and client "todo-api". Select the Installation tab and usually the Keycloak OIDC JSON format. This will create a configuration file that your frontend application will use for managing keycloak. To enforce the Auth code flow, disable the "Implicit Flow Enabled" and "Direct Access Grants Enabled" setting on the "todo-api" client.
We are right now storing passwords and other configuration related data in git and filesystem(local) based on profile. This is working fine based on profiles local/dev etc. using SPring cloud config approach.
But to enhance security we have been suggested to use sensitive data in Vault
So i am not clear on how can this be achieved. Whether we will have a single Cloud Config server hosting some properties from Vault and some from Git.
A Config Client will locate the config server based on CONFIGSERVER_URI so we can not have separate instances running
How to achieve this requirement.
Thanks.
It is possible to access Git for some properties and Vault for others using the same config server. Access to Vault locations is granted to individual client through the use of a Vault token. The Vault token is passed automatically to the config server as a header at runtime. You would need to configure your config server with the Vault dependencies and add properties to access both Git and Vault something like this (not the 'vault' profile):-
server:
port: 8888
spring:
profiles:
active: git, vault
application:
name: my-domain-configuration-server
cloud:
config:
server:
git:
uri: https://mygit/my-domain-configuration
order: 1
vault:
order: 2
host: vault.mydomain.com
port: 8200
scheme: https
On your client you need to configure the authorization token supplied by Vault. Note the example below illustrates the property. You can put it into your application yaml files, because it is a per application/per environment token. However I prefer to inject it into the environment during deployment.
spring:
cloud:
config:
uri: https://configserver:8888/
token: <secret token>
You should consult the Vault documentation to understand how to authorize your token to access specific locations but the rules may look something like this:-
{
path "secret/myapp-app" {
policy = "read"
}
path "secret/myapp-app/*" {
policy = "read"
}
path "secret/application" {
policy = "read"
}
path "secret/application/*" {
policy = "read"
}"
}
Finally, it is also possible to access your Git through config server and access Vault directly from your client instead of configuring config server to access both. In this case you need to add the Vault dependencies to the client and configure the client properties to access Vault. You still need the authorization token in the client.
I'm trying to implement a Zuul reverse proxy with #EnableOAuth2Sso so I can relay the access tokens obtained from the authentication server to my resource server.
The question is how do I configure the Zuul proxy to forward the username and password to the authentication server, since I am using the password grant flow to obtain the tokens.
If the question is still relevant...
I had a task to configure Authorization and Resource servers behind Zuul using password grant type.
This article and example on github helped me a lot, but mostly I've used debug to configure the environment.
Please check my example of configuration OAuth2 Password Grant Type behind Zuul.
To run the example, inside every service folder run mnv spring-boot:run
In browser go to http://localhost:8765, credentials user/user, admin/admin
http://localhost:8761/ - eureka
I have not used #EnableOAuth2Sso, but instead #EnableOAuth2Client and configure only ResourceOwnerPasswordAccessTokenProvider (more details here).
#EnableOAuth2Sso is configured all token providers, but I need only password provider.
Example uses JwtTokens.
Question on JWT token and the JHipster Spring Cloud Config Service
The documentation (http://jhipster.github.io/microservices-architecture/) is little vague on how / what to copy for JWT tokens.
It says:
the JHipster Spring Config server makes sure that the config/JWT tokens are available and services authenticated. I have deployed the JHipster Config Server, Gaeway and one Microservice with an Entity.
When I try to call through the Gateway a backend microservice/with Entity (to create Author/Book) it tells me Access denied.
I believe once you register your microservice and gateway with the Config Server, the tokens are copied over to the Config Server and it should work without copying any tokens around.
Any idea how this is supposed to work?.
You should share the key by copying it into the registry's environment repository as jhipster.security.authentication.jwt.secret property in global application-dev.yml and application-prod.yml. Use different keys for prod and dev.
These shared yml files are the ones in your native environment repository (by default jhipster-registry/central-config) or git-based environment repository not in the src/main/resources/config folder of the registry itself.
jhipster:
security:
authentication:
jwt:
secret: "***********************"