Tags: spring-boot, spring-cloud-config, hashicorp-vault, configserver

How to use non-root vault token for vault login in spring boot


I am using the default token authentication method for Vault, and integrating Vault with Spring Cloud Config Server in a Spring Boot application. The root token has superuser access, which enables it to read/write secrets for the application, but I need to create a non-root token which only logs in to Vault and does not read/write any secrets, so that Vault is not enforced and the application starts up with Vault. When a user wants to use Vault specifically, he can provide his own token and access secrets.

With the default policy, the token created logs in through the Vault CLI but not through the Spring Boot application; it gives 403 Forbidden. I created my own policy which includes different capabilities for auth paths and no secret path in it. A token created with this policy, again, logs in successfully through the CLI but not through code. If I give the secret path with read capabilities (only read works) in my policy then I am able to log in through code as well, but then secret reading is enabled.

I just want to use a non-root Vault token as a login token. Is it achievable without providing the secret path in the Vault policy?


Solution

  • This is something that I haven't tried yet, but I have worked with restricting read access for non-root tokens.

    You can create a policy with the deny capability like below:

    $ cat auth-policy.hcl
    path "secret/*" {
      capabilities = ["deny"]
    }

    $ vault policy write client-access auth-policy.hcl
    Success! Uploaded policy: client-access


    Here are the different capabilities defined for Vault policies - https://www.vaultproject.io/docs/concepts/policies.html#capabilities.

    $ vault token create -policy=client-access -period=768h

    Key                Value
    ---                -----
    token              *********************
    token_accessor     *********************
    token_duration     768h
    token_renewable    true
    token_policies     [client-access default]


    This creates a token that is valid for 768 hours, which is the maximum by default. If you want to configure more time for new tokens, configure max_lease_ttl and default_lease_ttl accordingly in your base config.hcl:

    $ cat config.hcl
    disable_mlock = true
    storage "postgresql" {
        connection_url = "postgres://vault:vault@postgresql:5432/postgres?sslmode=disable"
    }
    listener "tcp" {
        address = "0.0.0.0:8200"
        tls_disable = 1
    }
    max_lease_ttl = "7200h"
    default_lease_ttl = "7200h"


    Hope this helps!
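To make the effect of the deny policy above concrete without a running Vault, here is an added example (not from the question, the answer, or HashiCorp) that parses the small HCL subset Vault policies use and evaluates requests against it with a simplified model of Vault's documented precedence rules: an exact path rule beats a glob (`*`) rule, the longest matching glob wins otherwise, a matching rule containing `deny` refuses everything, and a request with no matching rule is denied. The `+` segment wildcard and `allowed_parameters` are not modelled. The second policy, `LOGIN_ONLY_POLICY`, is a constructed assumption about what a "login but no secrets" policy could look like; its auth paths are Vault's token self-lookup and self-renew endpoints, and the policy is mine, not one the page shows.

```python
"""Simplified Vault ACL evaluator (added example, not Vault's own code)."""
import re

# Constructed sample policies. CLIENT_ACCESS_POLICY reproduces the deny policy
# from the answer; LOGIN_ONLY_POLICY is an assumed policy granting only token
# self-inspection and self-renewal, with no secret paths at all.
CLIENT_ACCESS_POLICY = '''
path "secret/*" {
  capabilities = ["deny"]
}
'''

LOGIN_ONLY_POLICY = '''
path "auth/token/lookup-self" {
  capabilities = ["read"]
}
path "auth/token/renew-self" {
  capabilities = ["update"]
}
'''

# Matches one `path "..." { capabilities = [...] }` stanza.
RULE_RE = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)


def parse_policy(hcl: str) -> dict:
    """Return {path: set(capabilities)} for every stanza in the policy text."""
    rules = {}
    for path, caps in RULE_RE.findall(hcl):
        rules[path] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return rules


def merge_policies(*policies: dict) -> dict:
    """Union the capabilities of all policies attached to a token, per path."""
    merged = {}
    for policy in policies:
        for path, caps in policy.items():
            merged.setdefault(path, set()).update(caps)
    return merged


def match_rule(rules: dict, request_path: str):
    """Pick the rule Vault would apply: exact match first, else longest glob."""
    if request_path in rules:
        return request_path, rules[request_path]
    best = None
    for path, caps in rules.items():
        if path.endswith("*") and request_path.startswith(path[:-1]):
            if best is None or len(path) > len(best[0]):
                best = (path, caps)
    return best


def is_allowed(rules: dict, request_path: str, capability: str) -> bool:
    """Deny by default; a matching rule with 'deny' refuses every capability."""
    matched = match_rule(rules, request_path)
    if matched is None:
        return False
    _, caps = matched
    if "deny" in caps:
        return False
    return capability in caps


if __name__ == "__main__":
    token_rules = merge_policies(parse_policy(CLIENT_ACCESS_POLICY),
                                 parse_policy(LOGIN_ONLY_POLICY))
    checks = [
        ("auth/token/lookup-self", "read"),    # the login-time self lookup
        ("secret/application", "read"),        # a config-server secret read
        ("secret/application", "update"),
        ("sys/health", "read"),                # no rule at all
    ]
    for path, cap in checks:
        verdict = "allowed" if is_allowed(token_rules, path, cap) else "denied"
        print(f"{cap:6} {path:24} -> {verdict}")
```

The `secret/application` read comes back denied while `auth/token/lookup-self` stays readable, which is the shape of token the question asks for. Merging a third policy that grants `read` on the exact path `secret/application` flips that single path back to allowed, because an exact rule outranks the `secret/*` glob; that is the reason a deny glob is not a reliable backstop against a more specific allow granted elsewhere on the same token.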