
credentials-provider is not loading username

Open Sharofiddin opened this issue 2 years ago • 2 comments

When using the credentials-provider, which is HashiCorp Vault by default, if I get the password from Vault it is working well, but when I try to get datasource.username from Vault I am getting an error.

```properties
%prod.quarkus.vault.url=http://localhost:8200
%prod.quarkus.vault.authentication.userpass.username=<vault-username>
%prod.quarkus.vault.authentication.userpass.password=<vault-password>
%prod.quarkus.vault.credentials-provider.quarkus_banking.kv-path=myapps/quarkus/db-credentials
%prod.quarkus.vault.secret-config-kv-path=myapps/quarkus/db-credentials

%prod.quarkus.datasource.db-kind=postgresql
%prod.quarkus.datasource.credentials-provider=quarkus_banking
```

This one is not working, and if I add

```properties
%prod.quarkus.datasource.username=<username>
```

it is working well. This is my Vault configuration:

```text
Key                Value
---                -----
created_time       2023-01-03T18:42:13.992602027Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            8

====== Data ======
Key         Value
---         -----
password    <password>
user        <username>
```

I tried the `username` keyword too, but with the same result. Error description:

```text
[io.qua.run.Application] (main) Failed to start application (with profile prod): org.postgresql.util.PSQLException: FATAL: password authentication failed for user "mysystemuser"
```

After digging into io.quarkus.vault.runtime.VaultCredentialsProvider from the quarkus-vault:2.1.0 library, I found this code:

```java
// When a kv-path is configured, only the password is read from the
// secret and returned; no username entry is put into the result map.
if (config.kvPath.isPresent()) {
    String password = vaultKVSecretEngine.readSecret(config.kvPath.get()).get(config.kvKey);
    Map<String, String> result = new HashMap<>();
    result.put(PASSWORD_PROPERTY_NAME, password);
    return result;
}
```

I think this is the root of the issue: the value for the USER_PROPERTY_NAME key will not be added to the final result when kvPath is present. But according to the official guide, the datasource username should be read from Vault if it does not exist in the application.properties file, as the guide says:

> Note that quarkus.datasource.username is the original agroal property, whereas the password property is not included because the value will come from the mydatabase credentials provider we just defined. An alternative is to define both username and password in Vault and drop the quarkus.datasource.username property from configuration. All consuming extensions do support the ability to fetch both the username and password from the provider, or just the password.

My Quarkus version: 2.15.1
Java: amazon-corretto-17
Maven: 3.8.6

Sharofiddin avatar Jan 03 '23 19:01 Sharofiddin

@Sharofiddin Sorry for the late reply!

The Vault extension is working properly with this support; it's just that requesting the username from a key-value secret store is not supported.

Currently only quarkus.vault.credentials-provider.kv-key is declared as a configuration point. This configuration is used to look up the password from the secret store. There is no configuration for the username's store key.

What we need to do to support this is rename kv-key to kv-password-key and then add a kv-username-key configuration.

Adding defaults of username for kv-username-key and password for kv-password-key is probably a good idea too.

kdubb avatar Mar 20 '23 17:03 kdubb

This will require changing the type of the kvKey config property to an Optional (to allow for deprecation). This means this will have to go into the 3.0 release.

kdubb avatar Mar 20 '23 17:03 kdubb
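The two comments above describe the shape of the fix rather than its code: a `kv-username-key` and `kv-password-key` with defaults of `username` and `password`, and the old `kv-key` kept as an `Optional` so it can be deprecated. The following is an added illustration of that lookup, written for this page and not taken from quarkus-vault. The class and field names, the in-memory `KvSecretReader` stand-in for the KV secret engine, and the values of `USER_PROPERTY_NAME` / `PASSWORD_PROPERTY_NAME` are all assumptions; only the secret path and the `user`/`password` entries come from the issue.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/**
 * Hypothetical sketch (not quarkus-vault code) of a credentials-provider
 * lookup with the keys proposed in the thread: kv-username-key and
 * kv-password-key with defaults, and kv-key kept as a deprecated Optional.
 */
public class KvCredentialsLookupSketch {

    // Property names the datasource consumes. Assumed here to stand in for the
    // USER_PROPERTY_NAME / PASSWORD_PROPERTY_NAME constants named in the thread.
    static final String USER_PROPERTY_NAME = "user";
    static final String PASSWORD_PROPERTY_NAME = "password";

    /** Hypothetical per-provider config with the proposed keys. */
    static final class CredentialsProviderConfig {
        Optional<String> kvPath = Optional.empty();
        /** Deprecated single key; Optional so it can be phased out, as the comment suggests. */
        Optional<String> kvKey = Optional.empty();
        String kvUsernameKey = "username";   // proposed default
        String kvPasswordKey = "password";   // proposed default
    }

    /** Minimal stand-in for the KV secret engine (assumed interface, in-memory backed). */
    interface KvSecretReader {
        Map<String, String> readSecret(String path);
    }

    static Map<String, String> getCredentials(CredentialsProviderConfig config, KvSecretReader kv) {
        if (config.kvPath.isEmpty()) {
            throw new IllegalArgumentException("only the kv-path lookup is sketched here");
        }
        Map<String, String> secret = kv.readSecret(config.kvPath.get());
        if (secret == null) {
            throw new IllegalStateException("no secret at " + config.kvPath.get());
        }
        // The deprecated kv-key, when still set, keeps selecting the password entry.
        String passwordKey = config.kvKey.orElse(config.kvPasswordKey);

        Map<String, String> result = new HashMap<>();
        String password = secret.get(passwordKey);
        if (password == null) {
            throw new IllegalStateException("no '" + passwordKey + "' entry in secret at " + config.kvPath.get());
        }
        result.put(PASSWORD_PROPERTY_NAME, password);

        // Username is optional: the datasource may still set quarkus.datasource.username itself.
        String username = secret.get(config.kvUsernameKey);
        if (username != null) {
            result.put(USER_PROPERTY_NAME, username);
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed secret mirroring the 'vault kv get' output shown in the issue.
        Map<String, Map<String, String>> store = new HashMap<>();
        store.put("myapps/quarkus/db-credentials",
                Map.of("user", "<username>", "password", "<password>"));
        KvSecretReader kv = store::get;

        CredentialsProviderConfig config = new CredentialsProviderConfig();
        config.kvPath = Optional.of("myapps/quarkus/db-credentials");
        config.kvUsernameKey = "user";   // the issue's secret uses 'user', not the default 'username'

        Map<String, String> creds = getCredentials(config, kv);
        System.out.println("username supplied by provider: " + creds.containsKey(USER_PROPERTY_NAME));
        System.out.println("password supplied by provider: " + creds.containsKey(PASSWORD_PROPERTY_NAME));
    }
}
```

With `kvUsernameKey` left at its default of `username`, the secret in the issue (which stores the name under `user`) would still yield only a password, which is why a configurable username key, not just a default, is needed for setups like the reporter's.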