I can't configure spring.cloud.vault to re-authenticate the application when the token expire. I use Kubernetes Authentication with service token, bun in the SessionManager class I find the batch token (it`s TTL ending and spring vault just throw errors) and it cant be re-new
What I have to check or search in first time? Or how I can fix the error?
I can`t use Vault Agent in my company
Stack trace:
Caused by: org.springframework.vault.VaultException: Status 403 Forbidden: permission denied; nested exception is org.springframework.web.client.HttpClientErrorException$Forbidden: 403 Forbidden: "{"errors":["permission denied"]}<EOL>"
at org.springframework.vault.client.VaultResponses.buildException(VaultResponses.java:85)
at org.springframework.vault.core.VaultKeyValueAccessor.lambda$doRead$2(VaultKeyValueAccessor.java:174)
at org.springframework.vault.core.VaultTemplate.doWithSession(VaultTemplate.java:448)
at org.springframework.vault.core.VaultKeyValueAccessor.doRead(VaultKeyValueAccessor.java:163)
at org.springframework.vault.core.VaultKeyValueAccessor.doRead(VaultKeyValueAccessor.java:132)
at org.springframework.vault.core.VaultKeyValueAccessor.doRead(VaultKeyValueAccessor.java:107)
at org.springframework.vault.core.VaultKeyValue1Template.get(VaultKeyValue1Template.java:69)
at sbp.bpm.designer.utils.credential.VaultAwareCredentialSetup.lambda$createSecretRetriever$2(VaultAwareCredentialSetup.java:127)
at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4868)
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3533)
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2282)
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2159)
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2049)
... 16 common frames omitted
Here is the application.yaml config
spring:
servlet:
multipart:
enabled: true
max-file-size: 10MB
max-request-size: 10MB
cloud:
vault:
enabled: true
uri: http://vault.url:8080
authentication: KUBERNETES
kubernetes:
role: role
kubernetes-path: k8s/dap.url.com
service-account-token-file: /var/run/secrets/kubernetes.io/serviceaccount/token
Dependency version:
<spring-cloud-vault.version>3.1.3</spring-cloud-vault.version> <spring-cloud-starter-config.version>3.1.7</spring-cloud-starter-config.version>
Spring vault don`t use own revoke/renew logic if your token has type = renew false, this code helps me:
@Component
@ConditionalOnProperty(name = "spring.cloud.vault.enabled", havingValue = "true")
public class CustomVaultSessionManager implements SessionManager {
private final ClientAuthentication authentication;
private Optional<VaultToken> actualToken = Optional.empty();
private Optional<Long> expirationTime = Optional.empty();
public CustomVaultSessionManager(ClientAuthentication authentication) {
this.authentication = authentication;
}
@NotNull
@Synchronized
@Override
public VaultToken getSessionToken() {
if (isTokenExpired() || actualToken.isEmpty()) {
actualToken = Optional.of(generateNewToken());
log.info("Get session token : {}", actualToken.get());
}
return actualToken.get();
}
private boolean isTokenExpired() {
Boolean isTokenExpired = expirationTime
.map(expiration -> expiration < System.currentTimeMillis())
.orElse(false);
return isTokenExpired;
}
private VaultToken generateNewToken() {
VaultToken newToken = authentication.login();
if (newToken instanceof LoginToken) {
LoginToken loginToken = (LoginToken) newToken;
expirationTime = updateExpirationTime(loginToken);
} else {
expirationTime = Optional.empty();
}
return newToken;
}
private Optional<Long> updateExpirationTime(LoginToken loginToken) {
return Optional.of(System.currentTimeMillis() + loginToken.getLeaseDuration().toMillis() - 500);
} }