I'm using Spring Cloud Vault to communicate with HCP Vault. As part of the process, Vault asks MongoDB to generate dynamic credentials for my service. The application starts successfully, but when I send a request to the backend, it fails to authenticate with MongoDB due to a credentials issue. However, the issue resolves itself after ~30s. My major concern is that this exception is raised from the filters layer and doesn't reach the Controller layer, meaning an ugly and very detailed exception is returned to the user. For your convenience, please see the log below.

We tried to generate credentials directly with the Vault API and to use those with mongosh. The credentials were valid after 1s.
```
2022-10-25 19:35:36,882 ERROR org.springframework.core.log.CompositeLog [boundedElastic-1] [8f31d431-2] 500 Server Error for HTTP PUT "/v1/demo/123"
org.springframework.data.mongodb.UncategorizedMongoDbException: Exception authenticating MongoCredential{mechanism=SCRAM-SHA-1, userName='user', source='source', password=<hidden>, mechanismProperties=<hidden>}; nested exception is com.mongodb.MongoSecurityException: Exception authenticating MongoCredential{mechanism=SCRAM-SHA-1, userName='user', source='admin', password=<hidden>, mechanismProperties=<hidden>}
	at org.springframework.data.mongodb.core.MongoExceptionTranslator.translateExceptionIfPossible(MongoExceptionTranslator.java:140)
```
The filter is being invoked and returns an exception, without letting the request reach the application's Controller endpoint.
This is the configuration we use in our YAML file:
```yaml
spring.cloud.vault:
  enabled: true
  application-name: APPLICATION_NAME
  host: ${VAULT_HOST}
  port: 8200
  scheme: https
  namespace: admin
  fail-fast: true
  config:
    lifecycle:
      enabled: true
      min-renewal: 10s
      expiry-threshold: 1m
  authentication: APPROLE
  app-role:
    role-id: ${VAULT_ROLE_ID}
    secret-id: ${VAULT_SECRET_ID}
    role: ${VAULT_ROLE}
    app-role-path: approle
  kv:
    enabled: true
    default-context:
  database:
    enabled: true
    role: ${VAULT_DB_ROLE}
    backend: database
spring.config.import: vault://
```
After about 30 seconds from the moment the application is up, requests can be sent successfully and this problem does not appear anymore.
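For the second concern in the question (the raw `MongoCredential{...}` detail reaching the client while the dynamic credentials are not yet usable), the handler below maps Mongo authentication failures to a generic 503 with a `Retry-After` header and keeps the full exception in the server log only. It is an added example, not code from the question or from Spring Cloud Vault; it assumes a Spring WebFlux application (the `boundedElastic` thread and the `500 Server Error for HTTP PUT` line are WebFlux's), and the package name, log message and response body are placeholders.

```java
package com.example.demo.web; // hypothetical package, adjust to your project

import com.mongodb.MongoSecurityException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.web.reactive.error.ErrorWebExceptionHandler;
import org.springframework.core.annotation.Order;
import org.springframework.core.io.buffer.DataBuffer;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

import java.nio.charset.StandardCharsets;

@Component
@Order(-2) // run before Spring Boot's DefaultErrorWebExceptionHandler (order -1)
public class MongoAuthErrorHandler implements ErrorWebExceptionHandler {

    private static final Logger log = LoggerFactory.getLogger(MongoAuthErrorHandler.class);

    // Generic body: no mechanism, user name or auth source is echoed to the caller.
    private static final byte[] BODY =
            "{\"error\":\"datastore temporarily unavailable\"}".getBytes(StandardCharsets.UTF_8);

    @Override
    public Mono<Void> handle(ServerWebExchange exchange, Throwable ex) {
        if (!isMongoAuthFailure(ex)) {
            return Mono.error(ex); // not ours: hand it back to the default handler
        }
        // Full detail (including the translated UncategorizedMongoDbException) stays server-side.
        log.warn("MongoDB authentication failed for {} {}; returning 503",
                exchange.getRequest().getMethod(), exchange.getRequest().getPath(), ex);

        exchange.getResponse().setStatusCode(HttpStatus.SERVICE_UNAVAILABLE);
        exchange.getResponse().getHeaders().set("Retry-After", "30"); // matches the observed ~30s window
        exchange.getResponse().getHeaders().setContentType(MediaType.APPLICATION_JSON);
        DataBuffer buffer = exchange.getResponse().bufferFactory().wrap(BODY);
        return exchange.getResponse().writeWith(Mono.just(buffer));
    }

    // Walk the cause chain: Spring Data wraps MongoSecurityException in UncategorizedMongoDbException.
    static boolean isMongoAuthFailure(Throwable ex) {
        for (Throwable t = ex; t != null; t = t.getCause()) {
            if (t instanceof MongoSecurityException) {
                return true;
            }
        }
        return false;
    }
}
```

This does not fix the 30-second window itself; it only stops the credential details from leaking to the caller while the root cause is investigated.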