Tags: spring-boot, spring-cloud, spring-cloud-vault-config

Spring Cloud Vault - Best place to store the Secret-Id and Role-Id


I am using Spring Cloud Vault Library to access my Secrets from the Vault server.

Currently I am storing all the parameters, such as role-id, secret-id, host, port, etc., as environment variables and then injecting them into the bootstrap.yml of my Spring Boot app. Below is my YAML file:

spring:
  cloud:
    vault:
      authentication: APPROLE
      app-role:
        role-id: ${role-id}
        secret-id: ${secret-id}
      host: ${host}
      port: ${port}
      scheme: ${scheme}

Where I am stuck is with managing the Vault's Role-Id and Secret-Id. Obviously, Vault is no good at protecting our secrets if people can easily get their hands on these 2 pieces of information – they are indeed secrets themselves.

What is the industry best practice to keep the Role-Id and Secret-Id protected? We already brainstormed ideas like storing them in the config server, storing them in environment variables, or storing them in a Cloud Foundry user-provided service.

Nevertheless, we would like to understand the best practice on this.


Solution

  • I faced the same problem and here's what you can do. First of all, the application should have its own system user defined and it should be launched as that user. Then, in the same directory as your jar/war file, you can create a bootstrap.properties file containing:

    spring.cloud.vault.app-role.secret-id=*your-secret-for-role-id*
    

    Here's ls output example:

    -rw-------. 1 app app bootstrap.properties
    -rwxr--r--. 1 app app app.jar
    

    The application user has to be the owner of this properties file and only that user should be permitted to read bootstrap.properties. This protects your secret from unauthorized access unless you have root or application-user permissions.
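One way to turn the file-permission approach from this answer into a repeatable pre-start check, as an added example that is not part of the original answer (the target directory, the constructed secret value and the helper names are assumptions; the file is expected to be owned by the application user that runs the script):

```shell
#!/bin/sh
# Added example: write the AppRole secret-id into bootstrap.properties next to
# the jar with owner-only permissions, then verify the mode before launching.

# write_bootstrap DIR SECRET_ID
# Creates DIR/bootstrap.properties holding only the secret-id, mode 0600.
# The umask is set in a subshell so it does not leak into the caller.
write_bootstrap() {
    dir="$1"; secret="$2"
    ( umask 077
      printf 'spring.cloud.vault.app-role.secret-id=%s\n' "$secret" \
          > "$dir/bootstrap.properties" )
    chmod 600 "$dir/bootstrap.properties"   # enforce even if the file pre-existed
}

# file_mode FILE -> octal permission bits, e.g. 600 (GNU stat, BSD stat fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# check_bootstrap FILE
# Returns 0 when the file exists and no group/other permission bit is set,
# 1 otherwise. Intended as a guard in the service start script.
check_bootstrap() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    mode=$(file_mode "$f")
    # the last two octal digits are group and other; anything but 00 exposes it
    case "$mode" in
        *00) return 0 ;;
        *)   echo "insecure mode $mode on $f" >&2; return 1 ;;
    esac
}
```

A start script would call `check_bootstrap /opt/app/bootstrap.properties || exit 1` before `java -jar app.jar` so the service refuses to start if the secret file has become readable by other users.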