How to fix “Vault location [kv/my-client-service] not resolvable: Not found” when I am trying to connect to HashiCorp Vault using an AWS IAM role?
I have been using HashiCorp Vault for six months now, where all my secrets come from the configuration service. I was connecting all my client services using spring.cloud.config.token, but the problem came when the Vault token expired every 30 days or so.
For lower environments, token expiry is acceptable as we can redeploy again and again, but in PRODUCTION we cannot redeploy.
Hence, it was decided that using an AWS IAM role, one can connect to Vault and there won't be any expiration.
I have followed this official link, but I am facing the below issue when I am starting the application.
I have googled about it but didn't get a working solution.
I am using the below code in the bootstrap.yml file in my client service (my-client-service):
bootstrap.yml
spring:
  application:
    name: my-client-service
  cloud:
    config:
      enabled: true
      uri: 'https://localhost:8080'
    vault:
      enabled: true
      uri: 'https://localhost:8090'
      port: 443
      scheme: https
      namespace: 'vault-namespace/aus'
      authentication: AWS_IAM
      fail-fast: true
      aws-iam:
        role: aus-vault-role
        aws-path: aws
      generic:
        enabled: true
        backend: kv
        profile-separator: '/'
        default-context: my-client-service
        application-name: my-client-service
      config:
        order: -1000
Vault Authentication ARN to AWS
vault write auth/aws/config/sts/<account_number> sts_role=arn:aws:iam::<account_number>:role/role_name
Associate ARN to Vault Policies
I created an IAM Role for the same account that is mapped to a Vault role and policy, and mapped each IAM Role to a Vault role and policy.
vault write auth/aws/role/<Vault Role> auth_type=iam \
    bound_iam_principal_arn=<Your AWS Role ARN> policies=<Vault policy list> max_ttl=500h
Am I missing anything? It would be great if I could find any solution to this issue.
Thanks in advance!
I fixed this issue after updating my Vault policy with the below configuration:
path "kv/*" {
  capabilities = ["read", "list"]
}
I was able to start my application with the vault properties getting fetched.我能够通过获取保险库属性来启动我的应用程序。
I think the policy update in your case is apt:
path "kv/*" {
  capabilities = ["read", "list"]
}
Directing it to the correct path of your secrets will resolve your issue.
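An added example, not code from the question or either answer: it derives the generic-backend contexts Spring Cloud Vault reads for the bootstrap.yml in the question (the root context kv/my-client-service is the path named in the error) and checks them against a policy's path rules using Vault's trailing-'*' prefix matching. The active profile "prod" and the narrower comparison rule kv/my-client-service/* are constructed values.

```shell
#!/usr/bin/env bash
# Added example (not from the question or answers). Derives the KV paths the
# Spring Cloud Vault generic backend reads for the bootstrap.yml above and
# checks them against policy path rules: a trailing '*' matches any path that
# starts with the text before it; a rule without '*' must match exactly.
# Vault's '+' segment wildcard is not modelled here.
set -eu
# Contexts the generic backend resolves: {backend}/{default-context},
# {backend}/{application-name} (skipped when identical) and
# {backend}/{application-name}{profile-separator}{profile}.
# The active profile is an argument; "prod" below is a constructed value.
spring_vault_paths() {
  local backend=$1 default_ctx=$2 app=$3 sep=$4 profile=$5
  printf '%s/%s\n' "$backend" "$default_ctx"
  if [ "$app" != "$default_ctx" ]; then
    printf '%s/%s\n' "$backend" "$app"
  fi
  if [ -n "$profile" ]; then
    printf '%s/%s%s%s\n' "$backend" "$app" "$sep" "$profile"
  fi
}
# Exit 0 when one policy path rule covers a concrete request path.
policy_rule_covers() {
  local rule=$1 path=$2 prefix
  case $rule in
    *\*) prefix=${rule%\*}
         [ "${path#"$prefix"}" != "$path" ] ;;  # prefix match, exact included
    *)   [ "$rule" = "$path" ] ;;
  esac
}
# Print how many request paths (one per line on stdin) no rule in the
# space-separated rule list covers; 0 means the policy is sufficient.
uncovered_count() {
  local rules=$1 missing=0 p r
  while IFS= read -r p; do
    for r in $rules; do
      policy_rule_covers "$r" "$p" && continue 2
    done
    printf 'not covered by policy: %s\n' "$p" >&2
    missing=$((missing + 1))
  done
  printf '%s\n' "$missing"
}
# Values from the bootstrap.yml above; the answer's "kv/*" covers every
# context, while a narrower "kv/my-client-service/*" misses the root context.
paths=$(spring_vault_paths kv my-client-service my-client-service / prod)
printf '%s\n' "$paths" | uncovered_count 'kv/*'                    # prints 0
printf '%s\n' "$paths" | uncovered_count 'kv/my-client-service/*'  # prints 1
```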