
I am using the default token authentication method for Vault. I am also integrating Vault with Spring Cloud Config Server in a Spring Boot application. The root token has super-user access which enables reading/writing secrets for the application, but I need to create a non-root token which only logs in to Vault and does not read/write any secrets, so that Vault is not enforced and the application starts up with Vault. When a user wants to use Vault specifically, he can provide his own token and access secrets.

With the default policy, the token created logs in through the Vault CLI but not through the Spring Boot application, which gives 403 Forbidden. I created my own policy which includes different capabilities for auth paths and no secret path in it. A token created with this policy, again, logs in successfully through the CLI but not through code. If I give the secret path with read capabilities (only read works) in my policy then I am able to log in through code as well, but then secret reading is enabled.

I just want to use a non-root Vault token as a login token. Is it achievable without providing the secret path in the Vault policy?

esha ingle

1 Answer


This is something that I haven't tried yet, but I have worked with restricting read access for non-root tokens.

You can create a policy with the deny capability like below:

$cat auth-policy.hcl
path "secret/*" {
  capabilities = ["deny"]
}

vault policy write client-access auth-policy.hcl
Success! Uploaded policy: client-access

Here are the different capabilities defined for Vault policies - https://www.vaultproject.io/docs/concepts/policies.html#capabilities.

vault token create -policy=client-access -period=768h

Key                Value
---                -----
token              *********************
token_accessor     *********************
token_duration     768h
token_renewable    true
token_policies     [client-access default]

This creates a token that is valid for 768 hours, which is the max by default. If you want to configure more time for new tokens, configure max_lease_ttl and default_lease_ttl accordingly in your base config.hcl.

$cat config.hcl
disable_mlock = true
storage "postgresql" {
    connection_url = "postgres://vault:vault@postgresql:5432/postgres?sslmode=disable"
}
listener "tcp" {
    address = "0.0.0.0:8200"
    tls_disable = 1
}
max_lease_ttl = "7200h"
default_lease_ttl = "7200h"

Hope this helps!

Here_2_learn
  • I tried with deny as well. Login works with the Vault CLI/UI but it throws the same 403 Forbidden error via code. – esha ingle May 15 '19 at 12:26
  • Two things: 1) I believe your code might be trying to access the secrets (as the Spring client tries to read from Vault), hence forbidden. 2) What is the use case for logging in but not needing to read? – Here_2_learn May 15 '19 at 14:07
  • The use case is like this: Vault integration is provided with Spring Cloud Config Server, making it accessible for 2 Spring profiles: git & vault. So when using any random application with the above support (one unaware of Vault), secrets are accessible. This should not be the case, hence I want to use a non-root token in the integration itself which will have no access to secrets. – esha ingle May 16 '19 at 05:22
  • Any random application accessing secrets? Not possible. Vault provides secrets to apps only if the application name and profile match (configured in the bootstrap file, as you are using Spring Config Server) those of the secrets/paths configured in Vault. – Here_2_learn May 16 '19 at 05:49
  • Yes, with the application name provided. So in this case, we need to provide read capabilities in the policy to bypass this forbidden error? – esha ingle May 16 '19 at 06:12
  • Yes, the capability should be "read" to resolve the forbidden error. – Here_2_learn May 16 '19 at 06:16
  • OK, thanks. We can conclude that with Spring Cloud Config Server, we need to provide default "read" for Vault integration. – esha ingle May 16 '19 at 06:23
  • Yeah, that's true. – Here_2_learn May 16 '19 at 06:47
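The thread ends with "read" being required, but "read on `secret/*`" is wider than the config server needs. The script below is an added example (not code from the question, the answer, Spring Cloud Config or Vault) that builds the narrowest policy consistent with that conclusion: read on only the key paths the config server fetches for one application, with no rule for anything else, since Vault denies whatever no rule grants. It also contains a small model of Vault's path matching to show why the `secret/*` deny from the answer, or an empty policy, produces the 403 the question describes. Assumptions, labelled in the code: the four key paths (`{app}/{profile}`, `{app}`, `application/{profile}`, `application`) follow the Spring Cloud Config Vault backend documentation with the default mount `secret`; KV v2 inserts `data/` after the mount (select it on the server side with its `kvVersion` setting); `myapp` and `dev` are constructed sample values; and the matcher is a simplified model of Vault's ACL rules (exact match wins, then the longest trailing-`*` glob, explicit deny overrides), not Vault's own implementation.

```python
"""Least-privilege Vault policy for a Spring Cloud Config Server Vault backend.

Added example. Path list and KV v2 layout are ASSUMED from the Spring Cloud
Config and Vault docs; the capability matcher is a simplified model, not Vault.
"""
from __future__ import annotations

MOUNT = "secret"             # KV mount the config server points at (Spring default)
DEFAULT_KEY = "application"  # shared key every application also reads (Spring default)


def config_server_paths(app: str, profiles: list[str], kv_version: int = 2) -> list[str]:
    """Vault API paths the config server reads for one app and its profiles.

    Assumed order from the Spring docs: {app}, {app}/{profile}, then the
    shared 'application' key and its profile variants. KV v2 reads go
    through '<mount>/data/...', KV v1 reads the key path directly.
    """
    prefix = f"{MOUNT}/data" if kv_version == 2 else MOUNT
    paths: list[str] = []
    for name in (app, DEFAULT_KEY):
        paths.append(f"{prefix}/{name}")
        paths.extend(f"{prefix}/{name}/{p}" for p in profiles)
    return paths


def policy_rules(app: str, profiles: list[str], kv_version: int = 2) -> dict[str, list[str]]:
    """Path -> capabilities for a config-server token.

    Only 'read', and only on the exact paths the server fetches. No rule
    covers other applications' keys, so Vault's default-deny applies there.
    """
    return {p: ["read"] for p in config_server_paths(app, profiles, kv_version)}


def render_hcl(rules: dict[str, list[str]]) -> str:
    """Serialise rules in the HCL form that 'vault policy write' accepts."""
    blocks = []
    for path, caps in rules.items():
        caps_str = ", ".join(f'"{c}"' for c in caps)
        blocks.append(f'path "{path}" {{\n  capabilities = [{caps_str}]\n}}')
    return "\n\n".join(blocks) + "\n"


def effective_capabilities(rules: dict[str, list[str]], request_path: str) -> set[str]:
    """Simplified model of how Vault resolves a request path against rules.

    Exact path match wins; otherwise the longest matching trailing-'*' glob
    wins; if nothing matches the request is denied. An explicit 'deny' on
    the chosen rule overrides every other capability on that rule.
    """
    if request_path in rules:
        caps = rules[request_path]
    else:
        globs = [p for p in rules if p.endswith("*") and request_path.startswith(p[:-1])]
        if not globs:
            return {"deny"}
        caps = rules[max(globs, key=len)]
    return {"deny"} if "deny" in caps else set(caps)


if __name__ == "__main__":
    # Constructed sample: application 'myapp' with the 'dev' profile, KV v2.
    rules = policy_rules("myapp", ["dev"])
    print(render_hcl(rules))
    for path in ("secret/data/myapp/dev", "secret/data/otherapp", "secret/data/myapp/prod"):
        print(f"{path:28} -> {sorted(effective_capabilities(rules, path))}")
    # The answer's blanket deny matches every config-server read, hence 403.
    answer_policy = {"secret/*": ["deny"]}
    print("answer's policy on secret/data/myapp ->",
          effective_capabilities(answer_policy, "secret/data/myapp"))
```

Write the rendered HCL with `vault policy write <name> <file>` and create the token as in the answer; to confirm what a token can actually do on a path before handing it to the config server, `vault token capabilities <token> secret/data/myapp` asks Vault directly instead of trusting the model above. Profiles not listed when the policy was generated (here `prod`) fall under default-deny, which is the intended behaviour for a token scoped to one deployment.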