"Secret id missing" error while connecting to Vault using Spring cloud vault

Question

I am trying to connect to spring vault using role based authentication (spring boot project).

As per documentation, I should be able to connect to spring vault only using approle (pull mode). However, I am getting secrect-id missing exception on application start up.

http://cloud.spring.io/spring-cloud-vault/single/spring-cloud-vault.html#_approle_authentication

When I pass, secret-id also, I am able to connect and properties/values are getting correctly autowired.

Is there any way I can connect with vault using "token + role/role-id" and spring generate secret-id for me automatically at run time using mentioned info.

spring.cloud.vault:
    scheme: http
    host: <host url>
    port: 80
    token : <token>
    generic.application-name: vault/abc/pqr/test
    generic.backend: <some value>
    generic.default-context: vault/abc/pqr/test
    token: <security token>
    authentication: approle
    app-role:
      role-id: <role-id>

POM:

<dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-vault-starter-config</artifactId>
        <version>1.0.0.BUILD-SNAPSHOT</version>
    </dependency>

Please let me know in case any other info is required.

Update

@mp911de, I tried as per your suggestion, however spring-cloud-vault is picking properties set in bootstrap.yml and not one set inside "onApplicationEvent" and thus solution is not working. I tried setting property by "System.setProperty" method but that event didn't worked.

However, if I am setting properties in main before run method, it is working as expected. But I need to load application.properties first (need to pick some configuration from there) and thus don't want to write logic there.

Is there anything wrong in my approach ??

@Component public class LoadVaultProperties implements ApplicationListener<ApplicationEnvironmentPreparedEvent> {
private RestTemplate restTemplate = new RestTemplate();

@Override
public void onApplicationEvent(ApplicationEnvironmentPreparedEvent event) {
    try {
        String roleId = getRoleIdForRole(event); //helper method
        String secretId = getSecretIdForRoleId(event); //helper method

        Properties properties = new Properties();

        properties.put("spring.cloud.vault.app-role.secret-id", secretId);
        properties.put("spring.cloud.vault.app-role.role-id", roleId); 

        event.getEnvironment().getPropertySources().addFirst(new PropertiesPropertySource(
                PropertySourceBootstrapConfiguration.BOOTSTRAP_PROPERTY_SOURCE_NAME, properties));          
    } catch (Exception ex) {
        throw new IllegalStateException(ex);
    }
}

Answer 1

Spring Vault's AppRole authentication supports two modes but not the pull mode:

1. Push mode in which you need to supply the secret_id
2. Authenticating without a secret_id by just passing role_id. This mode requires the role to be created without requiring the secret_id by setting bind_secret_id=false on role creation

Pull mode as mention in the Vault documentation requires the client to know about the secret_id, obtained from a wrapped response. Spring Vault does not fetch a wrapped secret_id but I think that would be a decent enhancement.

Update: Setting system properties before application start:

@SpringBootApplication
public class MyApplication {

    public static void main(String[] args) {

        System.setProperty("spring.cloud.vault.app-role.role-id", "…");
        System.setProperty("spring.cloud.vault.app-role.secret-id", "…");

        SpringApplication.run(MyApplication.class, args);
}

References:

• Vault documentation on AppRole creation
• Spring Cloud Vault documentation on AppRole authentication.