Is there a way to use Spring Cloud {cipher} in Spring Boot application config? - spring-boot

I have a Spring Boot app that is using Spring Cloud Config, but I would like to encrypt the Spring Cloud Config password in the Spring Boot app's bootstrap.yml file. Is there a way to do this? Below is an example.
Spring Boot app bootstrap.yml
spring:
  cloud:
    config:
      uri: http://localhost:8888
      username: user
      password: '{cipher}encryptedpassword'

A couple things I've discovered related to this.
If you use bootstrap.yml (or application.yml), the cipher text must be enclosed within single quotes:
security.user.password: '{cipher}56e611ce4a99ffd99908d2c9aa1461d831722812e4370a5b6900b7ea680ae914'
If you use bootstrap.properties (or application.properties), the cipher text must NOT be enclosed in quotes:
security.user.password= {cipher}56e611ce4a99ffd99908d2c9aa1461d831722812e4370a5b6900b7ea680ae914
The reference docs show the yml without the quotes, which I never got to work. SnakeYaml always reported an error:
"expected <block end>, but found Scalar"

There is support for encrypted properties in the config client (as described in the user guide). Obviously if you do it that way you have to provide a key to decrypt the properties at runtime, so actually I don't always see the benefit (I suppose the config file is a bit like a keystore with a special format, so you only have one secret to protect instead of many). Example (application.yml):
integration:
  stores:
    test: '{cipher}316f8cdbb776c23e679bf209014788a6eab7522f48f97114328c2c9388e6b3c1'
and the key (in bootstrap.yml):
encrypt:
  key: ${ENCRYPT_KEY:} # deadbeef

You can use Spring CLI to encrypt the secrets:
spring encrypt password --key 'SECRET_KEY'
https://cloud.spring.io/spring-cloud-cli/
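An added example (not code from the question or from the answers above) that reimplements, in Go so it runs stand-alone, the two sides the answers describe: producing the hex value that follows {cipher}, and decrypting such values out of a property map the way the config client does at startup. It assumes the default symmetric scheme behind encrypt.key, i.e. what Spring Security's Encryptors.text produces: AES-256-CBC with PKCS#5 padding, key derived with PBKDF2-HMAC-SHA1 over 1024 iterations and the hex salt deadbeef, a random 16-byte IV prepended, everything hex-encoded. That mapping is an assumption of this example; check a value produced by spring encrypt or the server's /encrypt endpoint against it before relying on it. The key SECRET_KEY and the property names are illustrative. On the quoting question above: an unquoted { opens a YAML flow mapping, which is what the SnakeYAML error is complaining about; .properties files have no such syntax, so there the value stays unquoted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
)

const cipherPrefix = "{cipher}" // Spring Cloud's marker for an encrypted property value

// pbkdf2SHA1 is PBKDF2 (RFC 8018) over HMAC-SHA1, written out to stay within the stdlib.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)              // U1
		t := append([]byte(nil), u...) // T = U1 ^ U2 ^ ... ^ Uc
		for n := 1; n < iter; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// TextEncryptor is the symmetric scheme assumed here (Spring Security's Encryptors.text,
// used by Spring Cloud for a non-"strong" encrypt.key): AES-256-CBC/PKCS#5, key =
// PBKDF2-HMAC-SHA1(key text, hex-decoded salt, 1024 iterations), IV prepended, hex output.
type TextEncryptor struct{ block cipher.Block }

func NewTextEncryptor(password, hexSalt string) (*TextEncryptor, error) {
	salt, err := hex.DecodeString(hexSalt) // the default salt "deadbeef" is a hex string
	if err != nil {
		return nil, fmt.Errorf("salt must be hex: %w", err)
	}
	block, _ := aes.NewCipher(pbkdf2SHA1([]byte(password), salt, 1024, 32)) // 32-byte key never fails
	return &TextEncryptor{block: block}, nil
}

// Encrypt returns the hex string that goes after {cipher} in the config file.
func (e *TextEncryptor) Encrypt(plain string) (string, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	pad := aes.BlockSize - len(plain)%aes.BlockSize // PKCS#5: always 1..16 bytes of padding
	buf := append([]byte(plain), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(buf))
	cipher.NewCBCEncrypter(e.block, iv).CryptBlocks(ct, buf)
	return hex.EncodeToString(append(iv, ct...)), nil
}

// Decrypt reverses Encrypt; a wrong key normally shows up as a padding error.
func (e *TextEncryptor) Decrypt(hexText string) (string, error) {
	raw, err := hex.DecodeString(hexText)
	if err != nil {
		return "", err
	}
	if len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return "", fmt.Errorf("cipher text must be an IV followed by whole AES blocks")
	}
	pt := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(e.block, raw[:aes.BlockSize]).CryptBlocks(pt, raw[aes.BlockSize:])
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize || bytes.Count(pt[len(pt)-pad:], []byte{byte(pad)}) != pad {
		return "", fmt.Errorf("bad padding: wrong key or corrupted value")
	}
	return string(pt[:len(pt)-pad]), nil
}

// ResolveCiphers mimics the client at startup: {cipher} values are replaced by their
// plaintext, others pass through. Failing closed on a bad value is this example's choice.
func ResolveCiphers(props map[string]string, enc *TextEncryptor) (map[string]string, error) {
	out := make(map[string]string, len(props))
	for k, v := range props {
		if !strings.HasPrefix(v, cipherPrefix) {
			out[k] = v
			continue
		}
		plain, err := enc.Decrypt(strings.TrimPrefix(v, cipherPrefix))
		if err != nil {
			return nil, fmt.Errorf("cannot decrypt %s: %w", k, err)
		}
		out[k] = plain
	}
	return out, nil
}
```

The 3-byte password "123" pads to one AES block, so Encrypt returns 16 + 16 bytes = 64 hex characters, the same length as the values quoted in the question. A value must be regenerated whenever the key changes, and anyone who can read encrypt.key (or the ENCRYPT_KEY variable) can decrypt every property, which is the trade-off the second answer points out.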

Related

Access vault secret using spring-cloud-vault and use it in application.properties

I have a vault server hosted in Openshift and I have to access secrets from the Vault into my spring application.
My bootstrap.yml looks like this:
spring:
  application:
    name: application-name
  profiles: dev
  cloud:
    vault:
      fail-fast: true
      host: HOST
      port: 443
      scheme: https
      token: MY_TOKEN
      authentication: TOKEN
      kv:
        enabled: true
        backend: secret
        profile-separator: '/'
        application-name: application-name
I checked the Vault logs and am able to make a connection from the Spring application to Vault.
I can access the secret using Value Property Source.
However, I want to populate the secret's value into application.properties to update properties like spring.datasource.username and spring.datasource.password.
Is there any way to access the secret directly from application.properties?
TL;DR: Yes, you can use Vault properties in application.(properties|yml). It's not recommended to use these in bootstrap.(properties|yml).
Spring Cloud comes with a bootstrap context in which configuration libraries (such as Spring Cloud Consul, Spring Cloud Config and Spring Cloud Vault) are initialized. These integrations fetch configuration and provide it as parent PropertySources to your application. Spring Boot considers these (you have options to use these PropertySources with the highest/lowest priority) during property binding and when you resolve a property value using Environment.
When bootstrapping an application, typically one of the first things that happens is property binding into @ConfigurationProperties objects. At the time bootstrap.(properties|yml) is loaded, the Spring Cloud Config integrations typically haven't run yet, so at that time you don't see the properties contributed by these libraries. That is why there is a split between the bootstrap context and the actual application context.
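An added example (not part of the answer above) of what that looks like in practice. With the bootstrap.yml from the question and the dev profile active, Spring Cloud Vault reads secret/application-name/dev and secret/application-name, and each field of those secrets becomes a property in the PropertySource the bootstrap context registers, so application.yml can reference the fields by name. The field names db-username and db-password and the JDBC URL are assumptions for this illustration:

```yaml
# application.yml (not bootstrap.yml): by the time these placeholders are resolved,
# the Vault property source already exists. Field names below are assumed.
spring:
  datasource:
    url: jdbc:postgresql://db.example.internal:5432/app
    username: ${db-username}   # field "db-username" in secret/application-name/dev
    password: ${db-password}   # field "db-password" in the same secret
```

The same placeholders in bootstrap.yml would fail to resolve, for the reason the answer gives: the Vault integration has not run yet when that file is bound.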

How to test application yml resource file settings that uses Spring Boot?

For example, I have settings like code below which Spring Boot Actuator uses.
management:
  server:
    port: 60001
  security:
    enabled: false
And I found out that if I will write this setting with mistakes. For example (code below):
management:
  server:
    port: 60001
  security:
    enabled: fase # wrong typed a `false` word
Spring Boot will not do anything, and the application will build successfully.
Spring Boot will validate the data as long as the @ConfigurationProperties for it exist in core. The problem is that your @ConfigurationProperties may not exist yet, or may already be deprecated, in your Spring Boot version.
Below is the comparison of the management.server class with @ConfigurationProperties.
Try changing the port to a string and Spring Boot will validate the data.
Look also at ManagementContextAutoConfiguration.class; if you're using Spring Boot 2 you will see that it loads the classes ManagementServerProperties and WebEndpointProperties.
If you still needed to validate your yaml you can refer to SnakeYAML.

Bad credential with Spring Cloud Config server when security is enable

I create a Spring Cloud Config server. I put security in my application.properties file
security.basic.enabled=false
security.user.name=1user
security.user.password=123
When I try to log in to the application with the name and password, I always get
Bad credentials
I tried setting enabled to true but get the same result. I saw in the command line that Spring generated a random password like
69dfeb52-6320-4085-bcd1-22ee7a3676a2
If I use it with the username user, I can connect.
Hi Robert Trudel
If you are using Spring Boot 2.x, then you need to prefix these properties with spring, as shown below:
spring.security.user.name=1user
spring.security.user.password=123
Also, you do not need this security.basic.enabled=false.
Hope this helps!

Securing a Spring boot api rest service

I have a spring boot api secured with spring basic security. I call the api from another application. So I currently have the password in plain text in the application.yml files of my api and also the application.yml file from which I am calling the service.
How can I avoid having it in plain text in the yml? is there a way to have an encrypted password in both yml files?
I ended up using Jasypt (Java Simplified Encryption). This was very helpful

Encryption in Spring Cloud Config

We use Spring Cloud Config as our configuration tool. We store passwords and other sensitive things in the config git repository. We encrypt the config using the Spring /encrypt endpoint and put the values in the config.
There is an endpoint /env which returns all the properties. The problem is that the values which are encrypted are returned as plain text. Is there a way to make the endpoint return the encrypted value instead of plain text?
Disable server-side decryption by setting the following property:
spring.cloud.config.server.encrypt.enabled: false
The /env endpoint is an actuator endpoint added by Spring Cloud Config. You should take the usual steps to secure the actuator endpoints so as not to allow unwanted access.
You can set endpoints.configprops.keys-to-sanitize to whatever pattern you need. The default is password,secret,key,token,.*credentials.*,vcap_services Keys can be simple strings that the property ends with or regex expressions.
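An added example (not Spring Boot's own code) that reimplements the matching rule the answer describes for keys-to-sanitize, so you can see which property names a given list will and will not mask before exposing /env: a plain entry masks every property whose name ends with it, and an entry that looks like a regular expression must match the whole name, case-insensitively. The "looks like a regex" heuristic (any of the characters *$^+) and the sample property set are this example's assumptions; on Spring Boot 2.x the property that carries the list is management.endpoint.env.keys-to-sanitize. The point it makes: a decrypted {cipher} value such as the integration.stores.test property from the first answer on this page is not masked by the defaults, because nothing in its name matches, so either add a pattern for it or disable server-side decryption as the answer suggests.

```go
package main

import (
	"regexp"
	"strings"
)

// DefaultKeysToSanitize is the default list the answer above quotes.
var DefaultKeysToSanitize = []string{"password", "secret", "key", "token", ".*credentials.*", "vcap_services"}

const masked = "******"

// Sanitizer applies the rule from the answer: a plain entry masks every property whose
// name ends with it; an entry containing regex metacharacters (the *$^+ heuristic is
// this example's assumption) is a case-insensitive regex that must match the whole name.
type Sanitizer struct{ patterns []*regexp.Regexp }

func NewSanitizer(keys []string) (*Sanitizer, error) {
	s := &Sanitizer{}
	for _, k := range keys {
		expr := "(?i)^.*" + regexp.QuoteMeta(k) + "$" // suffix match on the property name
		if strings.ContainsAny(k, "*$^+") {
			expr = "(?i)^(?:" + k + ")$" // user-supplied regex, anchored to the whole name
		}
		re, err := regexp.Compile(expr)
		if err != nil {
			return nil, err
		}
		s.patterns = append(s.patterns, re)
	}
	return s, nil
}

// Sanitize returns the value to render for key: masked if any pattern matches.
func (s *Sanitizer) Sanitize(key, value string) string {
	for _, re := range s.patterns {
		if re.MatchString(key) {
			return masked
		}
	}
	return value
}

// SanitizeAll is what an /env-style endpoint should do before serialising its output.
func (s *Sanitizer) SanitizeAll(props map[string]string) map[string]string {
	out := make(map[string]string, len(props))
	for k, v := range props {
		out[k] = s.Sanitize(k, v)
	}
	return out
}

// sampleEnv is a constructed property set; integration.stores.test stands in for the
// {cipher} value from the first answer after the server has decrypted it.
var sampleEnv = map[string]string{
	"spring.datasource.username": "app",
	"spring.datasource.password": "hunter2",
	"encrypt.key":                "SECRET_KEY",
	"my.credentials.token":       "t0k3n",
	"integration.stores.test":    "decrypted-secret",
	"server.port":                "8080",
}
```

Run against sampleEnv with the defaults, spring.datasource.password, encrypt.key and my.credentials.token come back as ******, while integration.stores.test is returned in clear; adding a pattern such as .*stores.* to the list is what masks it.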
