
I run a local Vault dev server (v0.10.1) and use AppRole as the auth method. I create a renewable MongoDB secret engine, and then assign a policy to the created AppRole which grants all capabilities to the paths secret/bootstrap, secret/application, database/creds/readwrite* and sys/leases/*.

Using spring-cloud-vault (v1.1.0), it could properly get the username/password of MongoDB after launch. But when the lease is reaching its TTL and spring-cloud-vault tries to renew it, I get the following exception:

2018-05-03 20:16:12.369  WARN 2921 --- [g-Cloud-Vault-1] LeaseEventPublisher$LoggingErrorListener : [RequestedSecret [path='database/creds/readwrite', mode=RENEW]] Lease [leaseId='database/creds/readwrite/200fad65-2165-9da4-206f-bb65c93cfdaa', leaseDuration=300, renewable=true] Status 403: permission denied
org.springframework.vault.VaultException: Status 403: permission denied
    at org.springframework.vault.client.VaultResponses.buildException(VaultResponses.java:62) ~[spring-vault-core-1.1.1.RELEASE.jar:1.1.1.RELEASE]
    at org.springframework.vault.core.VaultTemplate.doWithSession(VaultTemplate.java:321) ~[spring-vault-core-1.1.1.RELEASE.jar:1.1.1.RELEASE]
    at org.springframework.vault.core.lease.SecretLeaseContainer.renew(SecretLeaseContainer.java:519) ~[spring-vault-core-1.1.1.RELEASE.jar:1.1.1.RELEASE]
    at org.springframework.vault.core.lease.SecretLeaseContainer.doRenewLease(SecretLeaseContainer.java:487) ~[spring-vault-core-1.1.1.RELEASE.jar:1.1.1.RELEASE]
    at org.springframework.vault.core.lease.SecretLeaseContainer$1.renewLease(SecretLeaseContainer.java:437) [spring-vault-core-1.1.1.RELEASE.jar:1.1.1.RELEASE]
    at org.springframework.vault.core.lease.SecretLeaseContainer$LeaseRenewalScheduler$1.run(SecretLeaseContainer.java:678) [spring-vault-core-1.1.1.RELEASE.jar:1.1.1.RELEASE]
    at org.springframework.scheduling.support.DelegatingErrorHandlingRunnable.run(DelegatingErrorHandlingRunnable.java:54) [spring-context-4.3.14.RELEASE.jar:4.3.14.RELEASE]
    at org.springframework.scheduling.concurrent.ReschedulingRunnable.run(ReschedulingRunnable.java:81) [spring-context-4.3.14.RELEASE.jar:4.3.14.RELEASE]
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_152]
    at java.util.concurrent.FutureTask.run(FutureTask.java:266) [na:1.8.0_152]
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) [na:1.8.0_152]
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) [na:1.8.0_152]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_152]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_152]
    at java.lang.Thread.run(Thread.java:748) [na:1.8.0_152]

May I know what I missed for the case please?

UPDATE: I changed the path from sys/leases/* to sys/* and then everything seems to work fine. So I still want to know which paths in sys besides sys/leases/* are necessary for this case.

Daniel Mann
Tonny Tc
  • Hi, I have this exact problem, the difference being that even changing my path to sys/* doesn't allow for non-root renewal. I have Vault version 0.10.4 on the server and spring-cloud-vault-config-databases v2.0.1.RELEASE. I can renew via the client with a non-root token though. – slowko Oct 16 '18 at 09:45
  • Thanks a lot for your update. It seems we'd better create an issue in the git repos of these projects. I have been waiting for a really long time, but have got no answers yet... – Tonny Tc Oct 21 '18 at 08:38
  • I created an issue with Vault and Spring, the latter ongoing. – slowko Oct 21 '18 at 08:52
  • Could you share the link of the issue please? – Tonny Tc Oct 21 '18 at 09:13
  • https://github.com/spring-cloud/spring-cloud-vault/issues/255 – slowko Oct 22 '18 at 09:55
  • Thanks a lot for your info. I can confirm that the error has gone with Spring Vault ver. 2.1.1.BUILD-SNAPSHOT (both with Spring Boot ver. 2.0.6.RELEASE and Spring Cloud ver. Finchley.SR1), but it causes some other errors: Spring Vault seems unable to renew the secret_id and the lease. I'll summarize these and create another issue then. – Tonny Tc Oct 24 '18 at 14:44
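The behaviour in the question (renewal fails with sys/leases/* but works with sys/*) comes down to which request path Vault's policy engine matches. Vault exposes lease renewal at sys/leases/renew and also keeps the older sys/renew alias; a client that still calls sys/renew needs that exact path granted, which sys/* covers and sys/leases/* does not. That the Spring Vault 1.x client used the older alias is my assumption, not something the page states. The Python below is an added example, not code from Spring Vault or HashiCorp: it models the Vault 0.10-era policy path matching (exact path, or a trailing * glob as a prefix; the most specific rule wins; deny overrides) so a defender can check which renewal endpoints a policy covers and grant only those, rather than widening the AppRole to sys/*. The policies, paths and function names are constructed for the example.

```python
"""Model of Vault ACL path matching (added example; not Vault's own code).

Vault policies match a request path either exactly or via a rule that
ends in '*', which matches every path with that prefix.  When several
rules match, the most specific one wins (exact beats glob, longer glob
beats shorter), and a 'deny' capability on the winning rule blocks the
request regardless of other capabilities.
"""
from typing import Dict, List, Optional

Policy = Dict[str, List[str]]

ALL_CAPS = ["create", "read", "update", "delete", "list"]

# Constructed policy mirroring the AppRole policy described in the question.
APPROLE_POLICY: Policy = {
    "secret/bootstrap": ALL_CAPS,
    "secret/application": ALL_CAPS,
    "database/creds/readwrite*": ALL_CAPS,
    "sys/leases/*": ALL_CAPS,
}

# Constructed policy with the workaround from the UPDATE (sys/* instead).
BROAD_POLICY: Policy = {**APPROLE_POLICY, "sys/*": ALL_CAPS}
del BROAD_POLICY["sys/leases/*"]

# Constructed least-privilege alternative: grant only the renew endpoints
# (both the current one and the legacy alias), nothing else under sys/.
LEAST_PRIV_POLICY: Policy = {
    "secret/bootstrap": ["read"],
    "secret/application": ["read"],
    "database/creds/readwrite*": ["read"],
    "sys/leases/renew": ["update"],
    "sys/renew": ["update"],
}

# Renewal endpoints a client may call; sys/renew is the legacy alias.
RENEW_ENDPOINTS = ["sys/leases/renew", "sys/renew"]


def matching_rule(policy: Policy, request_path: str) -> Optional[str]:
    """Return the most specific policy rule matching request_path, or None."""
    if request_path in policy:            # exact match always wins
        return request_path
    best: Optional[str] = None
    for rule in policy:
        if rule.endswith("*") and request_path.startswith(rule[:-1]):
            if best is None or len(rule) > len(best):
                best = rule                # longest prefix glob wins
    return best


def is_allowed(policy: Policy, request_path: str, capability: str) -> bool:
    """True if the policy grants `capability` on `request_path`."""
    rule = matching_rule(policy, request_path)
    if rule is None:
        return False                       # no rule: implicit deny
    caps = policy[rule]
    if "deny" in caps:
        return False                       # explicit deny overrides
    return capability in caps


def uncovered_renew_endpoints(policy: Policy) -> List[str]:
    """Renewal endpoints the policy does NOT allow 'update' (HTTP PUT/POST) on."""
    return [p for p in RENEW_ENDPOINTS if not is_allowed(policy, p, "update")]


if __name__ == "__main__":
    for name, pol in [("approle", APPROLE_POLICY), ("broad", BROAD_POLICY),
                      ("least-priv", LEAST_PRIV_POLICY)]:
        print(f"{name:10s} uncovered renew endpoints: {uncovered_renew_endpoints(pol)}")
        print(f"{name:10s} can revoke arbitrary leases: "
              f"{is_allowed(pol, 'sys/leases/revoke-prefix/database', 'update')}")
```

Run stand-alone, the script shows that the original policy leaves sys/renew uncovered, that sys/* covers both renew endpoints but also grants unrelated sys operations such as revoke-prefix, and that the least-privilege policy covers both renew endpoints while denying the rest of sys/.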

1 Answer

As mentioned in the comments, the problem itself seems to be resolved in spring-vault-core 2.1.1.BUILD-SNAPSHOT, but there's still a lease-renewal problem that seems not to be resolved yet: Expired leases are not rotated on secret renewal.

Tonny Tc