
I'm working on a sample application where I want to connect to HashiCorp Vault to get the DB credentials. Below is the bootstrap.yml of my application.

spring:
  application:
    name: phonebook

  cloud:
    config:
      uri: http://localhost:8888/
    vault:
      uri: http://localhost:8200
      authentication: token
      token: s.5bXvCP90f4GlQMKrupuQwH7C

  profiles:
    active:
    - local,test

The application builds properly when the vault server is unsealed. Maven fetches the database username from the vault properly. When I run the build after sealing the vault, the build is failing due to the below error.

org.springframework.vault.VaultException: Status 503 Service Unavailable [secret/application]: error performing token check: Vault is sealed; nested exception is org.springframework.web.client.HttpServerErrorException$ServiceUnavailable: 503 Service Unavailable: [{"errors":["error performing token check: Vault is sealed"]}

How can I resolve this? I want Maven to get the DB username and password from the vault during the build without any issues, even though it is sealed.

  • The entire point of sealing Vault is to disallow all API calls. The only way to have calls go through is to unseal it. Investigate why it is sealed, and take steps to keep it unsealed as much as possible (multiple nodes, auto-unseal, investigating crashes, etc.). – Marc May 12 '20 at 11:46
  • I sealed it manually. So, should I keep the vault unsealed always when running the application? – Gowtham Sankaran May 12 '20 at 12:08
  • As per documentation `Prior to unsealing, almost no operations are possible with Vault`. Refer https://www.vaultproject.io/docs/concepts/seal – Ishank Gulati May 12 '20 at 14:20

1 Answer


It's a benefit of Vault that it's not simple static storage, and on any change in the environment you need to perform some actions to have a stable, workable system.

Advice: create a script (or scripts) to automate the process.

Example. I have a multi-service system and some of my services use Vault to get their configuration.

init.sh:

#!/bin/bash

export VAULT_ADDR="http://localhost:8200"

# Submit unseal key shares until the threshold is reached (three shares here).
vault operator unseal <token1>
vault operator unseal <token2>
vault operator unseal <token3>
# Log in with the administrative (root) token for the setup steps below.
vault login <main token>

# Mount a KV secrets engine and enable the AppRole auth method.
# Both commands fail if the mount/method already exists, so run this on a fresh Vault.
vault secrets enable -path=<path>/ -description="secrets for My projects" kv
vault auth enable approle

vault policy write application-policy-dev ./application-policy-DEV.hcl

application.sh:

#!/bin/bash

export VAULT_ADDR="http://localhost:8200"
vault login <main token>

# Start from a clean slate: drop the old secret, policy and AppRole role (no error if absent).
vault delete <secret>/<app_path>
vault delete sys/policy/<app>-policy
vault delete auth/approle/role/<app>-role
# Load the application's configuration as the secret's key/value pairs;
# with "-" as the argument, vault kv put reads a JSON object from stdin.
vault kv put <secret>/<app_path> - < <(yq m ./application.yaml)
vault policy write <app>-policy ./<app>-policy.hcl

# The role must reference the policy written just above, not a different policy name.
vault write auth/approle/role/<app>-role token_policies="<app>-policy"
# -format=json goes before the path; -f is required because secret-id takes no data.
role_id=$(vault read -format=json auth/approle/role/<app>-role/role-id | jq -r '.data.role_id')
secret_id=$(vault write -format=json -f auth/approle/role/<app>-role/secret-id | jq -r '.data.secret_id')
token=$(vault write -format=json auth/approle/login role_id="${role_id}" secret_id="${secret_id}" | jq -r '.auth.client_token')

echo "Token: ${token}"

where <app> is the name of your application, application.yaml is the file with the configuration, and <app>-policy.hcl is the file with the policy.

Of course, none of these files should be public; they are for Vault administration only.

On any change in the environment, or when the Vault lease period ends, just run init.sh. To get a token for the application, run application.sh. Also, if you need to change a configuration parameter, change it in application.yaml, run application.sh and use the resulting token.

Script result (for one of my services):

Key                  Value
---                  -----
token                *****
token_accessor       *****
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]
Success! Data deleted (if it existed) at: <secret>/<app>
Success! Data deleted (if it existed) at: sys/policy/<app>-policy
Success! Data deleted (if it existed) at: auth/approle/role/<app>-role
Success! Data written to: <secret>/<app>
Success! Uploaded policy: <app>-policy
Success! Data written to: auth/approle/role/<app>-role
Token: s.dn2o5b7tvxHLMWint1DvxPRJ

Process finished with exit code 0
Dmitry Ionash
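The scripts in the answer submit every unseal share unconditionally and obtain the application token under a root login. The script below is an added example, not code from the question or the answer: it gates a Maven build on Vault's seal status using the HTTP API, submits unseal shares only while the server still reports "sealed":true (so no more shares than the threshold ever leave the machine), then logs in with AppRole and exports the resulting token as SPRING_CLOUD_VAULT_TOKEN, which Spring Boot's relaxed binding maps onto spring.cloud.vault.token and which overrides the value in bootstrap.yml. It assumes curl is available and that the unseal shares and AppRole credentials arrive in the hypothetical environment variables VAULT_UNSEAL_KEYS, VAULT_ROLE_ID and VAULT_SECRET_ID; the helper functions never contact Vault themselves, so they can be exercised on a captured seal-status body.

```shell
#!/bin/bash
# Added example: pre-build seal check + AppRole login for Vault over the HTTP API.
# Assumed environment (not from the original post):
#   VAULT_ADDR          Vault server, default http://localhost:8200
#   VAULT_UNSEAL_KEYS   space-separated unseal key shares
#   VAULT_ROLE_ID / VAULT_SECRET_ID   AppRole credentials for the application
VAULT_ADDR="${VAULT_ADDR:-http://localhost:8200}"

# json_field BODY NAME: extract a scalar field from the small JSON bodies Vault
# returns (seal-status, login) without jq. Values containing "," or "}" are
# not handled; none of the fields used here contain them.
json_field() {
  printf '%s' "$1" | sed -n "s/.*\"$2\":\([^,}]*\).*/\1/p" | sed 's/^"//; s/"$//'
}

# keys_needed STATUS_JSON: how many more shares a sealed Vault still wants,
# i.e. threshold "t" minus "progress"; 0 when the server is already unsealed.
keys_needed() {
  local t progress
  if [ "$(json_field "$1" sealed)" != "true" ]; then
    echo 0
    return 0
  fi
  t=$(json_field "$1" t)
  progress=$(json_field "$1" progress)
  echo $((t - progress))
}

# unseal_all: read /v1/sys/seal-status and feed shares to /v1/sys/unseal only
# while the server is still sealed. Returns 0 when unsealed, 1 if shares ran
# out first, 2 if Vault could not be reached (same idea as `vault status`,
# which exits 0 unsealed, 1 on error, 2 sealed).
unseal_all() {
  local status key
  status=$(curl -sS "$VAULT_ADDR/v1/sys/seal-status") || return 2
  for key in $VAULT_UNSEAL_KEYS; do
    [ "$(keys_needed "$status")" -gt 0 ] || break
    status=$(curl -sS -X PUT "$VAULT_ADDR/v1/sys/unseal" \
               -d "{\"key\":\"$key\"}") || return 2
  done
  [ "$(json_field "$status" sealed)" = "false" ]
}

# approle_login: exchange role_id/secret_id for a client token; prints the
# auth.client_token field of the login response.
approle_login() {
  local body
  body=$(curl -sS -X POST "$VAULT_ADDR/v1/auth/approle/login" \
           -d "{\"role_id\":\"$VAULT_ROLE_ID\",\"secret_id\":\"$VAULT_SECRET_ID\"}") || return 2
  json_field "$body" client_token
}

# build_gate: run before `mvn`. Fails with a clear message instead of the
# "503 ... Vault is sealed" exception Spring Cloud Vault raises at startup.
build_gate() {
  local token
  if ! unseal_all; then
    echo "Vault at $VAULT_ADDR is still sealed or unreachable; not starting the build" >&2
    return 1
  fi
  token=$(approle_login) || return 1
  [ -n "$token" ] || { echo "AppRole login returned no token" >&2; return 1; }
  # Relaxed binding: SPRING_CLOUD_VAULT_TOKEN -> spring.cloud.vault.token,
  # overriding the token hard-coded in bootstrap.yml.
  export SPRING_CLOUD_VAULT_TOKEN="$token"
  echo "Vault unsealed and token obtained; run: mvn clean package"
}

# Only contact Vault when explicitly asked (VAULT_GATE_RUN=1 ./gate.sh),
# so the helper functions can be sourced and tested offline.
if [ "${VAULT_GATE_RUN:-0}" = "1" ]; then
  build_gate
fi
```

Spring Cloud Vault can also perform the AppRole login itself (spring.cloud.vault.authentication: APPROLE with spring.cloud.vault.app-role.role-id and spring.cloud.vault.app-role.secret-id), which removes the static token from bootstrap.yml altogether; it still cannot read anything while the server is sealed, which is why the gate runs first.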