Spring Cloud Config with Git/Vault backend - token passthrough

0
votes

Instead of giving an AppRole or Static Token for Spring Cloud Config Server to access ALL secrets across ALL applications, is it possible to configure Spring Cloud Vault Config to utilize a given token on the request for the configuration?

This communication would be over 2-way SSL with the token in the headers. Not ideal to send such a token outward but seems the proper solution in this scenario.

Keep in mind this is a Spring Cloud Config Server using Git + Vault as backends in order to resolve secrets, variables, etc, into the desired configurations. This would not only be used for Spring Configurations but other files delivered to an ephemeral environment, such as an httpd.conf for Apache (bad example to shove secrets into)

Goal here is to limit access where possible and keeping it limited to the end-application requesting the configuration. Also nice to not duplicate RBAC efforts with AuthZ on Spring Config AND Vault policies.

1
spring-bootspring-cloud-confighashicorp-vaultspring-vaultspring-cloud-vault-config

1 Answers

1
votes

You can configure each Spring Boot application that talks to Config Server to send its' own unique token to Config Server which is then passed through to Vault.

Vault will allow access to the requested resource based on the policies that define access to that resource and the permissions granted to the token.

Step 1: Define a policy.

cat ./rules/application-a.hcl <<EOF
path "secret/application" {
  capabilities = ["read", "list"]
}
path "secret/application-a" {
  capabilities = ["read", "list"]
}
EOF

Step 2: Write the policy to Vault.

vault write sys/policy/policy-application-a rules=@./rules/application-a.hcl

Step 3: Create a token using the defined policy.

vault token-create -display-name="My Application A" -policy="policy-application-a"

Step 4: Write some data to Vault

vault write secret/application-a @application-a-config.json

Step 5: Configure the Spring Boot application to use its' token.

Use the token created in Step 3 above. Set the following up in the application's bootstrap.yml file. You could also pass this through at run-time if you're running in a containerized environment.

spring:
  cloud:
    config:
      uri: https://configserver:8888/
      token: <secret token>

Spring handles the transfer of token from the client application to Config Server and then onto Vault.

For any other application, you can set the token in the header of a HTTP request.

From the Vault documentation: https://www.vaultproject.io/intro/getting-started/apis.html

curl -X GET -H "X-Vault-Token:$VAULT_TOKEN" http://127.0.0.1:8200/v1/secret/application-a

I hope this helps you.