Hello,

I have a set of micro-services using Spring Boot. These services fetch their configuration from a Spring Cloud Config server with a Git and a Vault backend. This works fine: all the services make their requests to fetch config from the ConfigServer, and it's the config server that asks Vault for secrets.

Here is my pom at this moment:

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.5.5</version>
</parent>

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-dependencies</artifactId>
            <version>2020.0.4</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-bootstrap</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-config</artifactId>
</dependency>

Now, some services need to connect to MongoDB and we use Vault to generate the credentials to access the database. We added the vault config database in the pom:

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-vault-config-databases</artifactId>
</dependency>

But since we added this dependency, the service first tries to fetch its configuration from Vault, fails because it does not have the permissions, and then asks the ConfigServer for its configuration.

Is it possible to use vault config database only for mongo credentials and not to fetch all the configuration?

Actual steps:
- Fetch mongodb credentials: success
- Fetch properties on Vault: failed because of permission denied
- Fetch properties on the ConfigServer: success

I would expect something like that:
- Fetch properties on the ConfigServer
- Fetch mongodb credentials on Vault

Thank you!

Comment From: ryanjbaxter

Can you provide a complete, minimal, verifiable sample that reproduces the problem? It should be available as a GitHub (or similar) project or attached to this issue as a zip file.

Not sure if @mp911de has any thoughts

Comment From: mp911de

The only other thing that comes to my mind is considering the import order via spring.config.import. Anything else needs to be explored through a reproducer as mentioned earlier.

Comment From: gh-axel-czarniak

After some research, I found the issue.

spring.cloud.vault.kv is enabled by default, thus if we have vault config inside the project it will try to look for secrets directly on Vault, whereas spring.cloud.vault.database is disabled by default and needs to be enabled.

I was expecting consistency in the activation of Vault features inside the project, but kv seems to be different from the others.

Now, in my configuration, kv is disabled and database is enabled and it works like a charm.
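
The resolution described in the last comment, written out as a bootstrap.yml. This is an added example, not configuration posted in the thread; the application name, host names, role name, mount path and token source are assumed placeholders.

```yaml
# bootstrap.yml (constructed example; all values below are placeholders)
spring:
  application:
    name: my-service                              # placeholder service name
  cloud:
    config:
      # Regular properties still come from the Config Server, which is the
      # only component that reads the Vault key-value backend.
      uri: https://config.example.internal:8888   # placeholder
    vault:
      uri: https://vault.example.internal:8200    # placeholder
      authentication: TOKEN                       # assumed auth method
      token: ${VAULT_TOKEN}                       # injected at runtime, never committed
      kv:
        # Enabled by default: with this left on, the service itself queries
        # the kv backend and gets "permission denied" when its token is
        # scoped to database credentials only.
        enabled: false
      database:
        # Disabled by default: must be switched on explicitly.
        enabled: true
        role: my-service-mongo                    # placeholder Vault database role
        backend: database                         # assumed mount path of the database secrets engine
        # Map the generated credentials onto the MongoDB properties
        # instead of the spring.datasource.* defaults.
        username-property: spring.data.mongodb.username
        password-property: spring.data.mongodb.password
```

With kv disabled, the service's Vault token only needs read access to the credentials path of its own database role, so the permission-denied lookup disappears without widening the token's policy.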