I have a Spring Boot application with spring-cloud-starter-vault-config dependency, so all my secrets are externalized. My application uses AWS IAM authentication with preconfigured role:
cloud:
vault:
enabled: true
fail-fast: true
uri: http://vault.internal:8200
authentication: AWS_IAM
aws-iam:
role: vault_role_for_app
aws-path: aws
endpoint-uri: https://sts.amazonaws.com
This Vault AWS auth method is configured to drop the token in case of 2 hours from creation:
vault auth enable aws
vault write auth/aws/role/vault_role_for_app auth_type=iam \
bound_iam_principal_arn=arn:aws:iam::xxx:role/Launch-Role policies=vault_policy_for_app_to_read_secret max_ttl=2h
So, after 2 hours from start of the application I can see that the Vault token is dropped:
17:20:45.835 [main] INFO org.eclipse.jetty.server.Server - Started @87308ms
***
19:20:20.616 [Spring-Cloud-Vault-1] INFO o.s.v.a.LifecycleAwareSessionManager - Renewing token
19:20:20.675 [Spring-Cloud-Vault-1] INFO o.s.v.a.LifecycleAwareSessionManager - Token TTL exceeded validity TTL thre
shold. Dropping token.
Application still works after the token was dropped, but why? And why don't I see the new token creation in the application logs?
