Tags: spring-boot, kubernetes, hashicorp-vault, spring-cloud-vault-config

Getting a permission denied error while trying to access any Vault secret engine from a Spring Boot application on Kubernetes


I built a Spring Boot application and deployed it on Kubernetes along with Vault access. When I try to access a Vault secret engine (any kv, secret, etc.) using the Kubernetes role, I get a permission denied error.

Just FYI, I am able to access the Vault service and extract data from the app pod.

My application YAML:

spring:
  config:
    import: vault://
  cloud:
    vault:
      config.lifecycle:
        enabled: true
        min-renewal: 100s
        expiry-threshold: 300s
      uri: http://vault.vault:8200
      authentication: kubernetes
      kubernetes:
        role: simple-test
      generic:
        enabled: false
      kv:
        enabled: true
        backend: kv
        profile-separator: /
        application-name: my-app
    kubernetes:
      secrets:
        enabled: true
        namespace: app
        fail-fast: true
        retry:
          enabled: true

Deployment YAML:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: spring-vault-write
  labels:
    app: spring-vault-write
spec:
  replicas: 3
  selector:
    matchLabels:
      app: spring-vault-write
  template:
    metadata:
      name: spring-vault-write
      labels:
        app: spring-vault-write
    spec:
      imagePullSecrets:
        - name: registry-secret
      containers:
        - name: spring-vault-write
          image: xxxxdocker629/spring-vault-write:latest
          imagePullPolicy: Always

          ports:
            - containerPort: 80
              protocol: TCP
      restartPolicy: Always
My controller (my-app is under the KV v2 secret engine and has data.key and data.password entries):

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/api")
public class SpringVaultWriterController {
    private static final Logger logger = LogManager.getLogger(SpringVaultWriterController.class);

    // Injected from the Vault KV secret resolved through spring.config.import: vault://
    @Value("${data.key}")
    private String username;

    @Value("${data.password}")
    private String password;

    @GetMapping("/secrets")
    public String getList() {
        // Log4j2 needs a {} placeholder; the original message had none, so the argument was
        // silently dropped. The password value itself is not written to the log, only
        // whether it was resolved from Vault.
        logger.info("get list is : {} :: password resolved = {}", username,
                password != null && !password.isEmpty());

        return "we got the list as : List";
    }
}

Policy attached to the Kubernetes role:

path "kv/data/my-app" {
  capabilities = [ "create", "read", "update", "list" ]
}

Can someone help me with where I am going wrong, or with a fix for this?

Based on my observation, I see that the token under /var/run/secrets/kubernetes.io/serviceaccount/token is different in the app pod and in the Vault pod. Is this the root cause of the issue?
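The policy in the question grants access to kv/data/my-app only, while Spring Cloud Vault reads several contexts from each KV backend. The following Python script is an added example, not code from the question or from Spring Cloud Vault: it rebuilds the Vault API paths that a spring.cloud.vault.kv configuration resolves to and checks each one against a policy, using the configuration and policy from the question as input. It assumes the context rules from the Spring Cloud Vault reference documentation (application/profile, application, default-context/profile and default-context, with default-context defaulting to "application") and the KV v2 layout backend/data/context; the active profile "prod" and the COMPLETE_POLICY shown are constructed for the example.

```python
"""Added example, not part of the original question or of Spring Cloud Vault.

Rebuilds the KV v2 paths Spring Cloud Vault reads for a spring.cloud.vault.kv.*
configuration and checks each one against a Vault policy, so a 403 can be traced
to the exact path the policy does not cover. Context rules are assumed from the
Spring Cloud Vault reference documentation; profile "prod" is a constructed value.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class KvConfig:
    """The spring.cloud.vault.kv.* keys that decide which paths are read."""
    backend: str = "secret"
    application_name: str = "application"
    default_context: str = "application"
    profile_separator: str = "/"
    kv_version: int = 2


def spring_vault_paths(cfg: KvConfig, profiles: List[str]) -> List[str]:
    """Return the Vault API paths Spring Cloud Vault requests for cfg and the active profiles."""
    contexts: List[str] = []

    def add(name: str) -> None:
        for profile in profiles:
            ctx = f"{name}{cfg.profile_separator}{profile}"
            if ctx not in contexts:
                contexts.append(ctx)
        if name not in contexts:
            contexts.append(name)

    # application-name may be a comma-separated list of names
    for app in (a.strip() for a in cfg.application_name.split(",")):
        if app:
            add(app)
    add(cfg.default_context)
    prefix = f"{cfg.backend}/data/" if cfg.kv_version == 2 else f"{cfg.backend}/"
    return [prefix + ctx for ctx in contexts]


def policy_path_matches(pattern: str, path: str) -> bool:
    """Vault policy path rules: exact match, trailing '*' glob, '+' for one whole segment."""
    glob = pattern.endswith("*")
    if glob:
        pattern = pattern[:-1]
    pat_segs, path_segs = pattern.split("/"), path.split("/")
    if len(path_segs) < len(pat_segs) or (not glob and len(path_segs) != len(pat_segs)):
        return False
    for i, seg in enumerate(pat_segs):
        if seg == "+":
            continue
        if glob and i == len(pat_segs) - 1:
            return path_segs[i].startswith(seg)
        if seg != path_segs[i]:
            return False
    return True


def allowed(policy: Dict[str, Set[str]], path: str, capability: str) -> bool:
    """Apply the most specific matching rule (exact beats glob, longer beats shorter)."""
    best = None
    for pattern, caps in policy.items():
        if policy_path_matches(pattern, path):
            rank = (not pattern.endswith("*"), len(pattern))
            if best is None or rank > best[0]:
                best = (rank, caps)
    return best is not None and "deny" not in best[1] and capability in best[1]


def check_policy(cfg: KvConfig, profiles: List[str], policy: Dict[str, Set[str]]) -> Dict[str, bool]:
    """Map every path the app will read to whether the policy grants 'read' on it."""
    return {p: allowed(policy, p, "read") for p in spring_vault_paths(cfg, profiles)}


# The configuration and policy from the question.
QUESTION_CONFIG = KvConfig(backend="kv", application_name="my-app", profile_separator="/")
QUESTION_POLICY = {"kv/data/my-app": {"create", "read", "update", "list"}}

# Constructed least-privilege policy covering every context the property source
# reads; the app only reads, so create/update/list from the question are not needed.
COMPLETE_POLICY = {
    "kv/data/my-app": {"read"},
    "kv/data/my-app/*": {"read"},
    "kv/data/application": {"read"},
    "kv/data/application/*": {"read"},
}

if __name__ == "__main__":
    for path, ok in check_policy(QUESTION_CONFIG, ["prod"], QUESTION_POLICY).items():
        print(f"{'ALLOWED' if ok else 'DENIED ':8} {path}")
```

Run with the question's inputs, the script marks kv/data/my-app as allowed and the profile and default-context paths (kv/data/my-app/prod, kv/data/application/prod, kv/data/application) as denied, which is the list to compare against the Vault audit log when the application reports a 403. The policy in the question also grants create, update and list, none of which a read-only property source uses.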


Solution

  • I was able to fix the issue myself. It's not the token; the Vault path was causing the issue. Let's say the path is secret/path1/id and under it we have key-value pairs; then we should specify it as below in the application properties or YAML.

    kv:
      enabled: true
      backend: secret
      profile-separator: /
      default-context: path1
      application-name: id1

    Hope this helps others.