I have been using HashiCorp Vault for six months now, where all my secrets come from the configuration service. I was connecting all my client services using spring.cloud.config.token, but the problem came when the vault token expires every 30 days or so. For lower environments, token expiry is acceptable as we can redeploy again and again, but in PRODUCTION we cannot redeploy. Hence, it was decided that using an AWS IAM role, one can connect to vault and there won't be any expiration.
I have followed this official link but I am facing the below issue when I am starting the application.
I have googled about it but didn't get a working solution.
I am using the below code in the bootstrap.yml file in my client service (my-client-service):
bootstrap.yml
spring:
  application:
    name: my-client-service
  cloud:
    config:
      enabled: true
      uri: 'https://localhost:8080'
    vault:
      enabled: true
      uri: 'https://localhost:8090'
      port: 443
      scheme: https
      namespace: 'vault-namespace/aus'
      authentication: AWS_IAM
      fail-fast: true
      aws-iam:
        role: aus-vault-role
        aws-path: aws
      generic:
        enabled: true
        backend: kv
        profile-separator: '/'
        default-context: my-client-service
        application-name: my-client-service
      config:
        order: -1000
Vault Authentication ARN to AWS
vault write auth/aws/config/sts/<account_number> sts_role=arn:aws:iam::<account_number>:role/role_name
Associate ARN to Vault Policies
I created an IAM Role for the same account that is mapped for a Vault role and policy, and mapped each IAM Role to a Vault role and policy.
vault write auth/aws/role/<Vault Role> auth_type=iam \
bound_iam_principal_arn=<Your AWS Role ARN> policies=<Vault policy list> max_ttl=500h
Am I missing anything? It would be great if I find any solutions to this issue. Thanks in advance!
I fixed this issue after updating my vault policy with the below configuration:
path "kv/*" {
  capabilities = ["read", "list"]
}
I was able to start my application with the vault properties getting fetched.
I think the policy update in your case is apt:
path "kv/*" {
  capabilities = ["read", "list"]
}
Directing it to the correct path of your secrets will resolve your issue.
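Both answers come down to the same point: the Vault policy attached to the AWS IAM role must grant read and list on the paths Spring Cloud Vault actually queries for the backend, application name and profile configured in bootstrap.yml. The following is an added example, not code from the question or from either answer, that models both halves of that check: it derives the context paths the generic backend reads (application name and default-context, each with and without the active profile) and evaluates a policy in the simple `path "..." { capabilities = [...] }` form against them. The policy grammar handled is only that subset (trailing `*` glob, a capabilities list); Vault's `+` segment wildcard, parameter constraints and templating are not modelled, and the matching rule (exact path first, otherwise the longest glob prefix, with `deny` winning outright) is the documented Vault behaviour reduced to the cases shown here. All policy and configuration values other than the `kv/*` policy from the answers are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Sequence

# One `path "<pattern>" { capabilities = ["a", "b"] }` block (subset of Vault HCL).
_RULE_RE = re.compile(
    r'path\s+"(?P<pattern>[^"]+)"\s*\{[^}]*?capabilities\s*=\s*\[(?P<caps>[^\]]*)\]',
    re.DOTALL,
)


def parse_policy(hcl: str) -> Dict[str, List[str]]:
    """Return {path_pattern: [capability, ...]} for each rule in the policy text."""
    rules: Dict[str, List[str]] = {}
    for m in _RULE_RE.finditer(hcl):
        rules[m.group("pattern")] = re.findall(r'"([^"]+)"', m.group("caps"))
    return rules


def match_rule(rules: Dict[str, List[str]], path: str) -> Optional[str]:
    """Rule Vault applies to `path`: an exact match, else the longest trailing-* glob prefix."""
    if path in rules:
        return path
    best: Optional[str] = None
    for pattern in rules:
        if pattern.endswith("*") and path.startswith(pattern[:-1]):
            if best is None or len(pattern) > len(best):
                best = pattern
    return best


def allows(rules: Dict[str, List[str]], path: str, capability: str) -> bool:
    """True if the matched rule grants `capability`; `deny` overrides everything."""
    pattern = match_rule(rules, path)
    if pattern is None:
        return False
    caps = rules[pattern]
    return "deny" not in caps and capability in caps


def generic_contexts(backend: str, application_name: str, profiles: Sequence[str],
                     default_context: str = "application", separator: str = "/") -> List[str]:
    """Paths Spring Cloud Vault's generic backend reads: the application name and the
    default-context, each plain and once per active profile (duplicates removed, since the
    thread sets application-name and default-context to the same value)."""
    contexts: List[str] = []
    for ctx in (application_name, default_context):
        contexts.append(f"{backend}/{ctx}")
        for profile in profiles:
            contexts.append(f"{backend}/{ctx}{separator}{profile}")
    return list(dict.fromkeys(contexts))


def check_policy(hcl: str, contexts: Sequence[str]) -> Dict[str, bool]:
    """{context_path: True} when the policy grants both read and list on that path."""
    rules = parse_policy(hcl)
    return {c: allows(rules, c, "read") and allows(rules, c, "list") for c in contexts}


# Policy from the answers: grants read/list on everything under the kv mount.
FIXED_POLICY = """
path "kv/*" {
  capabilities = ["read", "list"]
}
"""

# Constructed counter-example: right capabilities, wrong mount (secret/ instead of kv/),
# which is the "direct it to the correct path" failure the second answer describes.
WRONG_MOUNT_POLICY = """
path "secret/*" {
  capabilities = ["read", "list"]
}
"""

# Constructed counter-example: a more specific deny rule wins over the broad grant.
DENY_OVERRIDE_POLICY = """
path "kv/*" {
  capabilities = ["read", "list"]
}
path "kv/my-client-service/*" {
  capabilities = ["deny"]
}
"""


def app_contexts() -> List[str]:
    """Context paths for the bootstrap.yml in the question (backend kv, profile aus assumed)."""
    return generic_contexts("kv", "my-client-service", ["aus"], default_context="my-client-service")


if __name__ == "__main__":
    for name, policy in [("fixed", FIXED_POLICY), ("wrong-mount", WRONG_MOUNT_POLICY),
                         ("deny-override", DENY_OVERRIDE_POLICY)]:
        print(name, check_policy(policy, app_contexts()))
```

Note that if the `kv` mount is a KV version 2 engine, the API paths the client reads carry an extra `data/` segment (`kv/data/my-client-service`); the `kv/*` glob from the answers still covers that, whereas a policy written against the exact logical path `kv/my-client-service` would not.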