spring-cloud-vault
Unable to override Vault configuration in profile specific file
I’m unable to override Vault configuration in a profile-specific file in spring-cloud-starter-vault-config 3+ and spring-boot 2.4+.
In spring-cloud-starter-vault-config 2+ and spring-boot 2.3.x it was possible to override configuration in a profile-specific file.
bootstrap.yml
spring:
  cloud:
    vault:
      uri: ${VAULT_URI}
      authentication: AWS_IAM
bootstrap-dev.yaml
spring:
  cloud:
    vault:
      authentication: TOKEN
      token: ${VAULT_TOKEN}
When the application is run with this ^^ configuration and with spring.profiles.active=dev, then the authentication method is TOKEN instead of AWS_IAM. This is no longer possible in spring-boot 2.4+ and spring-cloud 2020.0.+
application.yaml
spring:
  config:
    import: "vault:"
  cloud:
    vault:
      uri: ${VAULT_URI}
      authentication: AWS_IAM
application-dev.yaml
spring:
  cloud:
    vault:
      authentication: TOKEN
      token: ${VAULT_TOKEN}
When the application is run with this ^^ configuration and with spring.profiles.active=dev, then the exception is thrown: org.springframework.vault.authentication.VaultLoginException: Cannot login using AWS-IAM: missing client token;
However, the profile is taken into account when application.yaml is created as a multi-document YAML file, such as
application.yaml
spring:
  config:
    import: "vault:"
  cloud:
    vault:
      uri: ${VAULT_URI}
      authentication: AWS_IAM
---
spring:
  config:
    activate:
      on-profile: "dev"
    import: "vault:"
  cloud:
    vault:
      authentication: TOKEN
      token: ${VAULT_TOKEN}
When the application is run with this ^^ configuration and with spring.profiles.active=dev, then the authentication method is TOKEN instead of AWS_IAM.
Another issue is that I’m not able to disable Vault either in a profile-specific file or in multi-document YAML.
application-dev.yaml
spring:
  application:
    name: demo
  config:
    import: "optional:vault:"
  cloud:
    vault:
      enabled: false
When the application is run with this ^^ configuration and with spring.profiles.active=dev, then the exception is thrown: org.springframework.vault.authentication.VaultLoginException: Cannot login using AWS-IAM: missing client token;
application.yaml
spring:
  config:
    import: "vault:"
  cloud:
    vault:
      uri: ${VAULT_URI}
      authentication: AWS_IAM
---
spring:
  config:
    activate:
      on-profile: "dev"
    import: "optional:vault:"
  cloud:
    vault:
      enabled: false
When the application is run with this ^^ configuration and with spring.profiles.active=dev, then the app fails with the error
Config data location 'vault:' does not exist
Sample
This https://github.com/michalkrajcovic/spring-cloud-vault-demo is a simple app to demonstrate the functionality. More info can be found in the README.md
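A pre-deployment check for the two failure modes reported above, as an added example that is not part of the issue or of spring-cloud-vault: it flags `spring.cloud.vault.*` keys placed in an `application-<profile>` file while `application.yaml` imports `vault:`, and `enabled: false` set in a document that still imports Vault. The function names, the finding texts and the simplified YAML flattener (block-style nested mappings only, as in the files shown) are assumptions of the example.

```python
import re
VAULT = "spring.cloud.vault."
# Constructed sample input, modelled on the two files in the report above.
BASE = """spring:
  config:
    import: "vault:"
  cloud:
    vault:
      uri: ${VAULT_URI}
      authentication: AWS_IAM
"""
DEV = """spring:
  cloud:
    vault:
      authentication: TOKEN
      token: ${VAULT_TOKEN}
"""

def flatten(doc):
    """Flatten block-style YAML (nested mappings, scalar leaves) to dotted keys."""
    out, stack = {}, []  # stack holds (indent, key) of the open parent mappings
    for line in filter(str.strip, doc.splitlines()):
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        value = value.strip().strip("\"'")
        if value:
            out[".".join([k for _, k in stack] + [key])] = value
        else:
            stack.append((indent, key))
    return out

def imports_vault(doc):
    return "vault:" in doc.get("spring.config.import", "")

def lint(files):
    """files: {name: YAML text}. Returns sorted (file, key, problem) findings."""
    docs = [(n, flatten(d)) for n, t in files.items() for d in re.split(r"(?m)^---\s*$", t)]
    base_imports = any(imports_vault(d) for n, d in docs if re.fullmatch(r"application\.ya?ml", n))
    found = []
    for name, d in docs:
        in_profile_file = re.fullmatch(r"application-.+\.ya?ml", name)
        for key, value in d.items():
            if key.startswith(VAULT) and in_profile_file and base_imports:
                found.append((name, key, "profile-file override not applied"))
            elif (key, value) == (VAULT + "enabled", "false") and imports_vault(d):
                found.append((name, key, "vault disabled but still imported"))
    return sorted(found)
print(lint({"application.yaml": BASE, "application-dev.yaml": DEV}))
```

The multi-document layout with `on-profile: "dev"` that the report describes as working produces no findings.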
Still waiting for a fix for this: https://github.com/spring-cloud/spring-cloud-vault/issues/571
This issue still persists with spring-cloud-starter-vault-config 3.1+ and springboot 2.7+.
I still get this issue in spring-cloud-starter-vault-config at spring-cloud-dependencies 2022.0.5