[SOLVED] Getting permission denied error while trying to access any vault secret engines using Spring boot application on kubernetes

Getting permission denied error while trying to access any vault secret engines using Spring boot application on kubernetes

I built a spring boot application and deployed it on kuberenetes along with vault access. When i try to access vault secret engine (any kv,secret, etc..,) using kuberenets role, getting permission denied error.

Just FYI i am able to access vault service and extract data from app pod.

my application yaml

spring:
  config:
    import: vault://
  cloud:
    vault:
      config.lifecycle:
        enabled: true
        min-renewal: 100s
        expiry-threshold: 300s
      uri: http://vault.vault:8200
      authentication: kubernetes
      kubernetes:
        role: simple-test
      generic:
        enabled: false
      kv:
        enabled: true
        backend: kv
        profile-separator: /
        application-name: my-app
    kubernetes:
      secrets:
        enabled: true
        namespace: app
        fail-fast: true
        retry:
          enabled: true

deployment yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: spring-vault-write
  labels:
    app: spring-vault-write
spec:
  replicas: 3
  selector:
    matchLabels:
      app: spring-vault-write
  template:
    metadata:
      name: spring-vault-write
      labels:
        app: spring-vault-write
    spec:
      imagePullSecrets:
        - name: registry-secret
      containers:
        - name: spring-vault-write
          image: xxxxdocker629/spring-vault-write:latest
          imagePullPolicy: Always

          ports:
            - containerPort: 80
              protocol: TCP
      restartPolicy: Always

My controller (my-app is under kv2 secret engine and it has data.key and data.password entries)

@RestController
@RequestMapping("/api")
public class SpringVaultWriterController {
    Logger logger = LogManager.getLogger(SpringVaultWriterController.class);

    @Value("${data.key}")
    private String username;

    @Value("${data.password}")
    private String password;
    @GetMapping("/secrets")
    public String getList(){

        logger.info("get list is : ", username + " ::  " + password);

        return "we got the list as : List";
    }
}

attached policy to the kubernetes role.

path "kv/data/my-app" {
  capabilities = [ "create", "read", "update", "list" ]
}

Can someone help me where i am going wrong or any fix for this?

Based on my observation, i see that the token under /var/run/secrets/kubernetes.io/serviceaccount/token is different in the app pod and the vault. Is this the root cause of the issue?

Solution

I am able to fix the issue by my-self. It's not the token but the vault path was causing the issue. Let's say if the path is secret/path1/id under that if we have key-value pairs then we should specify as below in application properties or yaml.

kv:
    enabled: true
    backend: secret
    profile-separator: /
    default-context: path1 
    application-name:id1

Hope this helps for others