
I have Spring Cloud Config Server with Vault as the backend. I created a token in Vault with an ACL policy. When I use the token in spring.cloud.config.token it doesn't respect the ACL.

My Spring Config client has these bootstrap properties:

spring:
  application:
    name: app1
  cloud:
    config:
      uri: https://config-server-ur:port
      token: token-associated-to-acl-policy

I created an ACL policy named "app1" which allows only "app1" to be read by the token in Vault:

path "secret/app1" {
  capabilities = ["read", "list"]
}

./vault token create -display-name="app1" -policy="app1"

I used the generated token in my client and it doesn't work.

When I changed the ACL policy to the one below, it works:

path "secret/*" {
  capabilities = ["read", "list"]
}

However, when I access Vault directly with X-Vault-Token, it works perfectly, as expected.

  • I believe this should work: path "secret/app1" {capabilities = ["read"]}. I remember a similar issue. By the way, which version of Vault? – Here_2_learn Jul 11 '19 at 10:11
  • I am using v1.1.3; however, this is not an issue with Vault. It works as expected when I read directly from Vault. It does not work when I use it via Config Server. – Parvatayya Malimath Jul 11 '19 at 11:38
  • Instead of using it via Config Server, I would suggest fetching secrets directly from Vault. This avoids the mediator/config server; there is no point in using Vault if someone is sitting in the middle. – Here_2_learn Jul 11 '19 at 13:07

1 Answer


I found the solution: set spring.cloud.config.server.vault.defaultKey to empty, like this in the config server's bootstrap.yml:

# enable both the git and the vault environment repositories
spring.profiles.active=git, vault
spring.cloud.config.server.git.uri=properties-git-repo-url
spring.cloud.config.server.git.username=user
spring.cloud.config.server.git.password=password
spring.cloud.config.server.git.searchPaths=/{application}/xyz
spring.cloud.config.server.git.force-pull=true
spring.cloud.config.server.git.timeout=10
spring.cloud.config.server.git.order=2
spring.cloud.config.server.vault.host=vault-hostname
spring.cloud.config.server.vault.port=8200
spring.cloud.config.server.vault.scheme=https
# KV mount the server reads from
spring.cloud.config.server.vault.backend=secret
# empty: the server no longer also reads the shared "application" key
spring.cloud.config.server.vault.defaultKey=
# keys are looked up as {application}{profileSeparator}{profile}
spring.cloud.config.server.vault.profileSeparator=/
# skips TLS certificate verification of the Vault server
spring.cloud.config.server.vault.skipSslValidation=true
# vault property sources take precedence over git
spring.cloud.config.server.vault.order=1
spring.cloud.config.server.vault.kvVersion=1

By default, spring.cloud.config.server.vault.defaultKey is set to "application".
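The reason a policy scoped to a single key fails is that the config server reads more than one key per client request. An added check (not part of the question or the answer, and not Spring Cloud Config's own code) that predicts which Vault KV paths the server will request for a client and reports which of them a policy does not cover, so the token can be granted exactly those paths instead of being widened to secret/*. It mirrors the key construction of the server's Vault backend: the defaultKey and the application name, each with a {key}{profileSeparator}{profile} variant per requested profile, most specific first; KV v1 reads {backend}/{key} and KV v2 reads {backend}/data/{key}. The first two policies are the ones quoted in the question; the third is a constructed least-privilege alternative. The profile list ["default"] (what a client with no active profile sends) is an assumption, and the policy parser handles only the path "..." { capabilities = [...] } form used on this page, with exact paths and trailing-* globs (Vault's + segment wildcard is not modelled).

```python
import re
from typing import Dict, List, Set

# Constructed sample policies; the first two are quoted from the question.
NARROW_POLICY = '''
path "secret/app1" {
  capabilities = ["read", "list"]
}
'''

WIDE_POLICY = '''
path "secret/*" {
  capabilities = ["read", "list"]
}
'''

# Constructed least-privilege policy: the application key plus its profile
# variants, and nothing else under the mount.
SCOPED_POLICY = '''
path "secret/app1" {
  capabilities = ["read"]
}
path "secret/app1/*" {
  capabilities = ["read"]
}
'''


def config_server_keys(application: str, profiles: List[str],
                       default_key: str = "application",
                       profile_separator: str = ",") -> List[str]:
    """Keys the config server's Vault backend reads for one client request:
    the defaultKey (unless empty or equal to the application) and each
    comma-separated application name, each followed by its profile variants.
    Returned most specific first, which is also property-source precedence."""
    keys: List[str] = []
    if default_key and default_key != application:
        keys.append(default_key)
        keys.extend(f"{default_key}{profile_separator}{p}" for p in profiles)
    for app in (a.strip() for a in application.split(",")):
        if not app:
            continue
        keys.append(app)
        keys.extend(f"{app}{profile_separator}{p}" for p in profiles)
    keys.reverse()
    return keys


def vault_paths(keys: List[str], backend: str = "secret",
                kv_version: int = 1) -> List[str]:
    """Request paths as Vault's ACL sees them: KV v1 is {backend}/{key},
    KV v2 inserts the data/ segment."""
    prefix = f"{backend}/data/" if kv_version == 2 else f"{backend}/"
    return [prefix + k for k in keys]


# Only the HCL shape used on this page: path "<p>" { capabilities = [...] }
_RULE = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)


def parse_policy(hcl: str) -> Dict[str, Set[str]]:
    """Map each policy path to its capability set."""
    rules: Dict[str, Set[str]] = {}
    for path, caps in _RULE.findall(hcl):
        rules[path] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return rules


def allowed(rules: Dict[str, Set[str]], request_path: str,
            capability: str = "read") -> bool:
    """Vault rule selection: an exact-path rule wins; otherwise the longest
    trailing-* glob whose prefix matches. A matched 'deny' overrides."""
    caps = rules.get(request_path)
    if caps is None:
        best = ""
        for pattern, c in rules.items():
            if (pattern.endswith("*") and request_path.startswith(pattern[:-1])
                    and len(pattern) > len(best)):
                best, caps = pattern, c
    if caps is None or "deny" in caps:
        return False
    return capability in caps


def uncovered_paths(policy_hcl: str, application: str, profiles: List[str],
                    default_key: str = "application", profile_separator: str = ",",
                    backend: str = "secret", kv_version: int = 1) -> List[str]:
    """Paths the config server will request that the policy does not let it read."""
    rules = parse_policy(policy_hcl)
    keys = config_server_keys(application, profiles, default_key, profile_separator)
    return [p for p in vault_paths(keys, backend, kv_version) if not allowed(rules, p)]


if __name__ == "__main__":
    # Settings from the page: application app1, backend secret, separator "/", KV v1.
    for name, policy in (("narrow", NARROW_POLICY), ("wide", WIDE_POLICY),
                         ("scoped", SCOPED_POLICY)):
        for dk in ("application", ""):
            missing = uncovered_paths(policy, "app1", ["default"],
                                      default_key=dk, profile_separator="/")
            print(f"{name:6} defaultKey={dk!r:13} uncovered: {missing}")
```

Two caveats the check makes visible: with the default defaultKey the token also needs read on secret/application and its profile variants, and a glob written as secret/app1* (no slash) is a prefix match that would also grant secret/app10, so scope profile variants with secret/app1/* instead.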