Vault in Spring returns Status 403 Forbidden [secret/data/inquiry]: 1 error occurred: * permission denied
When I send a curl request to the Vault server, everything works fine:

```shell
curl --request PUT --header "X-Vault-Token:..." -k --data @db.json https://localhost:8200/v1/secret/data/inquiry/dev/db
```

Vault returns:

```json
{"request_id":"7d4497af-9468-0086-e6ea-45b3d49d220b","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"password":"","user":""},"metadata":{"created_time":"2020-06-27T10:25:57.5135125Z","deletion_time":"","destroyed":false,"version":2}},"wrap_info":null,"warnings":null,"auth":null}
```
In Spring, my bootstrap.yml is:

```yaml
spring:
  cloud:
    vault:
      generic:
        enabled: false
      host: localhost
      port: 8200
      scheme: https
      uri: https://development:8200
      connection-timeout: 5000
      read-timeout: 15000
      config:
        order: -10
      token: my-token
      kv:
        enabled: true
        backend: secret
        profile-separator: '/'
        application-name: inquiry
        default-context: inquiry
        backend-version: 2
```
and my application.yml:

```yaml
spring:
  application:
    name: inquiry
  profiles:
    active: dev
```
But it returns a 403 error:

```text
[RequestedSecret [path='secret/inquiry', mode=ROTATE]] Lease [leaseId='null', leaseDuration=PT0S, renewable=false] Status 403 Forbidden [secret/data/inquiry]: 1 error occurred:
* permission denied
; nested exception is org.springframework.web.client.HttpClientErrorException$Forbidden: 403 Forbidden: [{"errors":["1 error occurred:\n\t* permission denied\n\n"]}
]
```

How can I solve it? Thanks.
Solution 1:[1]
Look at your curl command:

```shell
curl --request PUT --header "X-Vault-Token:..." -k
```

You passed the -k flag (alias for --insecure), which means "insecure SSL", or simply said: no checks for the certificate.
With Spring Boot, you don't pass that option (I don't even think that such an option exists).
So it is rather expected that the behavior may differ, since the https protocol is used for secure communication and Spring Vault (like most HTTPS clients) honors that.
Remove the -k option from curl and you should probably get an error response.
To solve your issue, you should update your Spring Boot application to use the certificate produced by Vault.
The Spring Cloud Vault documentation states:
The cert auth backend allows authentication using SSL/TLS client certificates that are either signed by a CA or self-signed.
To enable cert authentication you need to:
Use SSL, see Vault Client SSL configuration
Configure a Java Keystore that contains the client certificate and the private key
Set spring.cloud.vault.authentication to CERT
And update your Spring config:

```yaml
spring.cloud.vault:
  authentication: CERT
  ssl:
    key-store: classpath:keystore.jks
    key-store-password: changeit
    cert-auth-path: cert
```
Solution 2:[2]
I added the secret/ path to my policy and everything is fine now. In my previous policy, I had only granted the secret/inquiry/* path, and I didn't know that this does not mean it has access to its parent path (secret/).
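Solution 2 turns on how Vault matches policy paths against the paths Spring Cloud Vault actually requests: on a KV version 2 mount the secret lives under `secret/data/...`, which is why the 403 names `secret/data/inquiry` while the policy only covered `secret/inquiry/*`. The Python below is an added example, not code from the question, from Vault or from Spring Cloud Vault. It parses two constructed policies written in Vault's HCL policy syntax and checks them against the two paths implied by the question's configuration (`secret/data/inquiry` and `secret/data/inquiry/dev`; the first appears in the error message). The path matcher is a simplified model of Vault's rules (exact match, a trailing `*` glob, `+` for a single segment) and ignores deny precedence and other policy features. The second policy shows the narrower alternative to granting the whole `secret/` tree: read on exactly the paths the application reads and nothing else.

```python
import re

# Constructed policy in Vault HCL syntax, modelled on the asker's original
# grant. It never matches the KV v2 data path, so every read gets 403.
ORIGINAL_POLICY = '''
path "secret/inquiry/*" {
  capabilities = ["read"]
}
'''

# Constructed least-privilege alternative: only the KV v2 data paths that
# Spring Cloud Vault reads for application 'inquiry' and its profiles.
LEAST_PRIVILEGE_POLICY = '''
path "secret/data/inquiry" {
  capabilities = ["read"]
}
path "secret/data/inquiry/*" {
  capabilities = ["read"]
}
'''

# Minimal parser for `path "<pattern>" { capabilities = [...] }` blocks only.
_PATH_BLOCK = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)


def parse_policy(hcl):
    """Return {path_pattern: set(capabilities)} from a minimal HCL policy."""
    rules = {}
    for pattern, caps in _PATH_BLOCK.findall(hcl):
        rules[pattern] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return rules


def pattern_matches(pattern, path):
    """Simplified model of Vault policy path matching.

    - a segment ending in '*' is a glob: the rest of the path must start
      with the literal text before the '*'
    - '+' matches exactly one path segment
    - everything else must match segment by segment, with equal length
    """
    pseg = pattern.split("/")
    seg = path.split("/")
    for i, p in enumerate(pseg):
        if p.endswith("*"):
            rest = "/".join(seg[i:])
            return i < len(seg) and rest.startswith(p[:-1])
        if i >= len(seg):
            return False
        if p != "+" and p != seg[i]:
            return False
    return len(pseg) == len(seg)


def allowed(rules, path, capability="read"):
    """True if some rule grants `capability` on `path` (deny precedence ignored)."""
    return any(capability in caps and pattern_matches(pat, path)
               for pat, caps in rules.items())


# KV v2 paths Spring Cloud Vault asks for with the question's settings
# (backend 'secret', application-name 'inquiry', active profile 'dev').
SPRING_REQUESTED_PATHS = ["secret/data/inquiry", "secret/data/inquiry/dev"]


def check_policy(hcl, paths=SPRING_REQUESTED_PATHS):
    """Map each requested path to whether the policy grants read on it."""
    rules = parse_policy(hcl)
    return {p: allowed(rules, p) for p in paths}


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_POLICY),
                         ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, check_policy(policy))
```

Running it prints `False` for both requested paths under the original policy and `True` under the narrowed one, while a sibling application's secret such as `secret/data/other` stays unreadable, which is the property a broad `secret/*` grant gives up.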
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | |
| Solution 2 | farhad |