
I'm trying to get my KMS library, found here, to decrypt items from my application.yml that come from either the google cloud config server or an environment variable.

In playing around I've tried a number of scenarios to get this to work. Ideally I'd like to be able to do something like:

username: '{cipher}${db_username}' where ${db_username} is either a property I read in from Google Cloud Config or an environment variable.

So far what I've tried:

username: ${username} -> Success - reads the plain-text property from either the cloud config or an environment variable (no encryption)

username: '{cipher}MyEncodedString' -> Success - decodes the provided inline string

❗️username: '{cipher}${username}' -> I believe this is trying to use the literal string ${username}

❗️username: '{cipher}'${username} -> invalid format / can't read

Since I can see that my decode is working when I put the string inline I don't believe this to be an issue with the decoder.

I may also be dumb and this is not a scenario I'd ever want to do, but it seems logical to me that I'd store these in a config area and let the application / profile pull in and decrypt what it needs.

If it makes a difference, and at this point I don't feel it does, I'm attempting to do all of this on Google Cloud Run + Java + Jib

Puttzy
  • Can you use the KMS client libraries directly instead of this plugin? – sethvargo Sep 18 '19 at 04:31
  • I don't believe the problem to be the library, just the order in which things are happening in the magical Spring Boot world. I need my property to be injected prior to decryption. I could look at tooling my own and having it do everything on startup though – Puttzy Sep 18 '19 at 11:42
  • I think the easiest thing to do would be to encrypt the secrets using KMS out of band (do it locally from your laptop) and then store the encrypted values in a properties file. Then, at boot, your application decrypts those values and stores them in-memory. – sethvargo Sep 18 '19 at 15:47
  • doesn't really lend itself to "12-factor" though, as I have to embed a different encrypted file per environment. It certainly works though – Puttzy Sep 19 '19 at 12:36
  • Aren't you doing that already though with this approach? – sethvargo Sep 19 '19 at 13:51
  • no?... Because I would be deploying the same artifact to each environment but reading the environment / Spring Cloud Config per environment. The artifact would stay the same, the variable names it reads would stay the same, but the properties would change – Puttzy Sep 20 '19 at 12:35
  • Can you try pre-pending text {cipher} to your encrypted username that you store at google cloud config server or an environment variable and refer it as username: ${username} – so-random-dude Sep 25 '19 at 16:52
  • 1
    @so-random-dude - that was a great idea and gave me hope - but alas still no luck. It tried to use the literal string {cipher}abcXYZ as my username/password – Puttzy Sep 27 '19 at 19:28
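The approach discussed in the comments (resolve the ${...} placeholder first, decrypt second, do it once at startup) as an added example; this is not code from the question, from the linked KMS library, or from Spring. It is a Spring Boot EnvironmentPostProcessor, which runs after application.yml has been loaded but before any bean is created. The class name, the property-source name and the DEMO_CIPHER_PASSWORD / DEMO_CIPHER_SALT_HEX environment variables are assumptions, and Spring Security Crypto's Encryptors.text is only a stand-in for the KMS decrypt call, whose API the page does not show.

```java
// Added example (not code from the question, the linked KMS library, or Spring).
// An EnvironmentPostProcessor that resolves ${...} placeholders inside a
// '{cipher}...' value *before* decrypting it, so that
//   username: '{cipher}${db_username}'
// works when db_username is supplied as an environment variable.
// Register it in META-INF/spring.factories (one line):
//   org.springframework.boot.env.EnvironmentPostProcessor=example.config.PlaceholderThenDecryptPostProcessor
package example.config;

import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.env.EnvironmentPostProcessor;
import org.springframework.core.Ordered;
import org.springframework.core.env.ConfigurableEnvironment;
import org.springframework.core.env.EnumerablePropertySource;
import org.springframework.core.env.MapPropertySource;
import org.springframework.core.env.PropertySource;
import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.security.crypto.encrypt.TextEncryptor;

public class PlaceholderThenDecryptPostProcessor implements EnvironmentPostProcessor, Ordered {

    static final String PREFIX = "{cipher}";
    static final String SOURCE_NAME = "placeholderThenDecrypt"; // assumed name

    private final TextEncryptor decryptor = newDecryptor();

    // Assumption: a stand-in decryptor. Encryptors.text (Spring Security Crypto),
    // keyed from two assumed environment variables, plays the role of the KMS
    // library here; replace this method with one that calls the KMS decrypt API.
    static TextEncryptor newDecryptor() {
        String password = System.getenv("DEMO_CIPHER_PASSWORD");
        String saltHex = System.getenv("DEMO_CIPHER_SALT_HEX"); // hex-encoded salt
        if (password == null || saltHex == null) {
            throw new IllegalStateException(
                    "DEMO_CIPHER_PASSWORD and DEMO_CIPHER_SALT_HEX must be set");
        }
        return Encryptors.text(password, saltHex);
    }

    @Override
    public void postProcessEnvironment(ConfigurableEnvironment env, SpringApplication app) {
        Map<String, Object> decrypted = new LinkedHashMap<>();
        for (PropertySource<?> source : env.getPropertySources()) {
            if (!(source instanceof EnumerablePropertySource)) {
                continue;
            }
            for (String key : ((EnumerablePropertySource<?>) source).getPropertyNames()) {
                Object raw = source.getProperty(key);
                if (!(raw instanceof String) || !((String) raw).startsWith(PREFIX)) {
                    continue;
                }
                if (decrypted.containsKey(key)) {
                    continue; // a higher-precedence source already supplied this key
                }
                String ciphertext = ((String) raw).substring(PREFIX.length());
                // Resolve ${...} against the whole Environment first.
                // resolveRequiredPlaceholders throws IllegalArgumentException on an
                // unresolvable placeholder, which is better than handing the literal
                // "${db_username}" to the decryptor (the failure seen in the question).
                String resolvedCiphertext = env.resolveRequiredPlaceholders(ciphertext);
                decrypted.put(key, decryptor.decrypt(resolvedCiphertext));
            }
        }
        if (!decrypted.isEmpty()) {
            // Highest precedence, so @Value("${username}") and relaxed binding see plaintext.
            env.getPropertySources().addFirst(new MapPropertySource(SOURCE_NAME, decrypted));
        }
    }

    @Override
    public int getOrder() {
        // Run after Spring Boot's own config-file post processor, so application.yml
        // (and anything loaded via spring.config.import) is already in the Environment.
        return Ordered.LOWEST_PRECEDENCE;
    }
}
```

Two caveats. Environment variables are visible at this point, but with the legacy bootstrap-context config client the properties fetched from the config server are added later by an ApplicationContextInitializer, so in that setup the same resolve-then-decrypt logic has to live in an initializer ordered after the config client rather than in an EnvironmentPostProcessor (with spring.config.import, Spring Boot 2.4+, they are loaded earlier and this post processor sees them). And because decryption happens once at startup, a value that fails to resolve or decrypt aborts the boot with an exception rather than silently running with the literal string as the credential, which is the behaviour you want for a secret.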

1 Answer


Can you try to use a properties file? A properties file doesn't require single quotes for {cipher}. Less chance, but it can work.