
How to fix "Vault location [kv/my-client-service] not resolvable: Not found" when I am trying to connect HashiCorp Vault using AWS IAM role?

I have been using HashiCorp Vault for six months now, where all my secrets come from the configuration service. I was connecting all my client services using spring.cloud.config.token, but the problem came when the vault token expired every 30 days or so. For lower environments, token expiry is acceptable as we can redeploy again and again, but in PRODUCTION we cannot redeploy. Hence, it was decided that using an AWS IAM role, one can connect to vault and there won't be any expiration.

I have followed this official link but I am facing the below issue when I am starting the application.

(screenshot of the startup error; image not preserved)

I have googled about it but didn't get a working solution.

I am using the below code in the bootstrap.yml file in my client service (my-client-service):

bootstrap.yml

spring:
  application:
    name: my-client-service
  cloud:
    config:
      enabled: true
      uri:  'https://localhost:8080' 
    vault:
      enabled: true
      uri: 'https://localhost:8090'
      port: 443
      scheme: https
      namespace: 'vault-namespace/aus'
      authentication: AWS_IAM
      fail-fast: true
      aws-iam:
        role: aus-vault-role
        aws-path: aws
      generic:
        enabled: true
        backend: kv
        profile-separator: '/'
        default-context: my-client-service
        application-name: my-client-service
      config:
        order: -1000

Vault Authentication ARN to AWS

vault write auth/aws/config/sts/<account_number> sts_role=arn:aws:iam::<account_number>:role/role_name

Associate ARN to Vault Policies

I created an IAM Role for the same account that is mapped for a Vault role and policy, and mapped each IAM Role to a Vault role and policy.

vault write auth/aws/role/<Vault Role> auth_type=iam \
              bound_iam_principal_arn=<Your AWS Role ARN> policies=<Vault policy list> max_ttl=500h

Am I missing anything? It would be great if I could find any solution to this issue. Thanks in advance!

I fixed this issue after updating my vault policy with the below configuration:

path "kv/*"
{
  capabilities = [ "read", "list"]
}

I was able to start my application with the vault properties getting fetched.

I think the policy update in your case is apt:

path "kv/*"
{
  capabilities = [ "read", "list"]
}

Directing it to the correct path of your secrets will resolve your issue.
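Both answers above fix the error by granting `read` on `kv/*`. The following script, an added example and not code from either answer or from Vault or Spring, checks offline which paths Spring Cloud Vault's generic backend will read for the question's bootstrap.yml (backend `kv`, default-context and application-name `my-client-service`, `/` as profile separator; the context order is assumed) against a policy, using Vault's path-matching rules (trailing `*` is a prefix glob, `+` matches one segment, the most specific matching rule wins). It also shows a narrower policy limited to this one service, and why the glob rule alone does not cover the base path named in the error.

```python
"""Offline check of a Vault ACL policy against the paths Spring Cloud Vault reads."""


def vault_path_matches(pattern, path):
    """Vault ACL path rule matching: trailing '*' = prefix glob, '+' = exactly one segment."""
    prefix_glob = pattern.endswith("*")
    pat = pattern[:-1].split("/") if prefix_glob else pattern.split("/")
    parts = path.split("/")
    if prefix_glob:
        if len(parts) < len(pat):
            return False
        head, last = pat[:-1], pat[-1]
        whole = all(p == "+" or p == s for p, s in zip(head, parts))
        return whole and parts[len(head)].startswith(last)
    return len(pat) == len(parts) and all(p == "+" or p == s for p, s in zip(pat, parts))


def capabilities_for(policy, path):
    """Capabilities Vault applies to `path` under `policy` (dict: path rule -> capability set,
    i.e. the parsed HCL). An exact rule beats any glob; among globs the longest wins."""
    if path in policy:
        return policy[path]
    matches = [p for p in policy if vault_path_matches(p, path)]
    return policy[max(matches, key=len)] if matches else set()


def spring_vault_paths(backend, default_context, application_name, profiles, sep="/"):
    """Paths the generic backend reads: default-context, then application-name,
    each followed by its per-profile variant (assumed order; duplicates dropped)."""
    paths = []
    for ctx in (default_context, application_name):
        for p in [f"{backend}/{ctx}"] + [f"{backend}/{ctx}{sep}{pr}" for pr in profiles]:
            if p not in paths:
                paths.append(p)
    return paths


def unreadable_paths(policy, paths):
    """Paths the application would fail to read under `policy`."""
    return [p for p in paths if "read" not in capabilities_for(policy, p)]


# Constructed parsed forms of candidate policies (the first is the answers' HCL).
BROAD_POLICY = {"kv/*": {"read", "list"}}
# Least-privilege variant for this service only. The exact rule is required:
# 'kv/my-client-service/*' matches 'kv/my-client-service/<profile>' but NOT the
# base path 'kv/my-client-service' from the error message.
SCOPED_POLICY = {"kv/my-client-service": {"read"}, "kv/my-client-service/*": {"read"}}
GLOB_ONLY_POLICY = {"kv/my-client-service/*": {"read"}}

if __name__ == "__main__":
    paths = spring_vault_paths("kv", "my-client-service", "my-client-service", ["prod"])
    for name, pol in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY), ("glob-only", GLOB_ONLY_POLICY)):
        print(f"{name}: read denied on {unreadable_paths(pol, paths)}")
```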
