0

Note: Vault is managed by a different team in my project. Below is my bootstrap.yml config

spring:
    application:
       name: MongoSecrets

profiles:
   active: dev
cloud:
   vault:
      enabled: true
      uri: https://vaulturl:443
      scheme: https
       token: "LDAP token"
       kv:
          enaled: true
           backend: MySecrets
       ssl:
           trust-store: cacerts

Dependencies used - spring-cloud-starter-vault-config, spring-cloud-dependencies

Received access to the MySecrets folder from the Vault team. Below are the policies set for the folder

path "MySecrets/*" {capabilities= ["create","read","update","delete","list"]}

Below is the exception I am getting:

org.springframework.vault.authentication.LifecycleAwareSessionManager : Scheduling Token renewal
org.springframework.vault.core.lease.SecretLeaseEventPublisher$LoggingErrorListener : [RequestedSecret [path='secret/MySecrets/dev', mode=ROTATE]] Lease [leaseId='null', leaseDuration=PT0S, renewable=false] Status 403 FORBIDDEN secrets/MySecrets/dev: 1 error occurred:
* permission denied

org.springframework.vault.VaultException: Status 403 FORBIDDEN secret/MySecrets/dev: 1 error occurred:
* permission denied
  • I am able to successfully connect if I use spring.cloud.vault.generic props instead of spring.cloud.vault.kv. But spring.cloud.vault.generic is deprecated in favour of kv – giridhar gpr Oct 15 '20 at 07:44
  • Here's a link that - I hope - can help : https://stackoverflow.com/a/72553127/16803868 – Stephen Mafole Jun 08 '22 at 23:16

2 Answers

0

Your bootstrap.yml is wrong, there is an indentation problem and you misspelled one property.

   kv:
      enaled: true
       backend: MySecrets

Should be:

   kv:
      enabled: true
      backend: MySecrets

But spring will still log some errors, as it tries different combinations of profile, app, and backend during startup.

jokarls
  • I modified the path as well but I was still getting the same error. I was able to resolve it when I changed spring:cloud:vault:kv --to-- spring:cloud:vault:generic. – giridhar gpr Oct 26 '20 at 15:16
  • But "generic" seems to be deprecated in favour of "kv". No idea why it's failing with "kv"; I am still researching. For the time being I am using "generic" – giridhar gpr Oct 26 '20 at 15:21
0
generic:
  enabled: false
kv:
  enabled: true

Changing bootstrap to the above worked for me. It seems there was some issue in the way my client has set up Vault policies. By default, generic backends are enabled.
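
The 403 in the question's log is for `secret/MySecrets/dev`, while the quoted policy covers `MySecrets/*`. The following added example (not from the question or either answer) checks a requested path against that policy offline, using Vault's path-matching rules (exact match, trailing `*` as a prefix glob, `+` for one segment). `MySecrets/dev` is a constructed path for contrast, and taking the union of matching rules is a simplification.

```python
import re

# Policy line as quoted in the question (single-line HCL stanza).
POLICY_HCL = 'path "MySecrets/*" {capabilities= ["create","read","update","delete","list"]}'

# Path reported in the question's 403 log line.
REQUESTED = "secret/MySecrets/dev"
# Constructed for contrast (not from the log): a path directly under MySecrets/.
CONSTRUCTED = "MySecrets/dev"


def parse_policy(hcl):
    """Return {path_pattern: set(capabilities)} for single-line path stanzas."""
    stanza = r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]'
    return {
        pattern: set(re.findall(r'"([^"]+)"', caps))
        for pattern, caps in re.findall(stanza, hcl)
    }


def pattern_matches(pattern, path):
    """Vault path matching: exact, trailing '*' = prefix glob, '+' = one segment."""
    glob = pattern.endswith("*")
    body = pattern[:-1] if glob else pattern
    parts = ["[^/]+" if seg == "+" else re.escape(seg) for seg in body.split("/")]
    regex = "/".join(parts) + (".*" if glob else "")
    return re.fullmatch(regex, path) is not None


def capabilities_for(rules, path):
    """Union of capabilities from every matching rule.

    Simplification: Vault applies the most specific matching rule; with a
    single rule, as in the question, the result is the same.
    """
    caps = set()
    for pattern, granted in rules.items():
        if pattern_matches(pattern, path):
            caps |= granted
    return caps


if __name__ == "__main__":
    rules = parse_policy(POLICY_HCL)
    for p in (REQUESTED, CONSTRUCTED):
        caps = capabilities_for(rules, p)
        print(f"{p}: {sorted(caps) if caps else 'no matching rule -> permission denied'}")
```

Against a live server, `vault token capabilities secret/MySecrets/dev` shows what the current token is actually granted on that path.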