
Consul ACL Token is not available with Config Data API when using consul with vault (consul backend). #25705

Closed
krisiye opened this issue Mar 16, 2021 · 4 comments
Labels
for: external-project For an external project and not something we can fix

Comments

@krisiye

krisiye commented Mar 16, 2021

I am using vault and consul for secret management and service configuration respectively. It is quite common to use consul ACL in a production environment and to be managing consul ACL tokens with the Vault Consul backend.

Sample application YAML configuration with Spring Boot's Config Data API:

spring:
  config:
    import: consul://,vault://

Verified that the import order should be reversed so that consul could be loaded after vault. However, that does not help with the ACL token being available to the config data loader, as the consul config data loader and its dependencies, such as ConsulConfigProperties, are initialized by the ConfigDataImporter (resolve) before they are loaded.

Sample error logs that show the ACL token set to null:

17:35:24.089 [main] DEBUG org.springframework.boot.diagnostics.LoggingFailureAnalysisReporter - Application failed to start due to an exception
org.springframework.boot.context.config.ConfigDataResourceNotFoundException: Config data resource '[ConsulConfigDataResource@c667f46 context = 'local/spring-boot-example/spring-boot-example,local.properties', optional = true, properties = [ConsulConfigProperties@51bd8b5c enabled = true, prefix = 'local/spring-boot-example', defaultContext = 'application', profileSeparator = ',', format = FILES, dataKey = 'data', aclToken = [null], watch = [ConsulConfigProperties.Watch@7b50df34 waitTime = 55, enabled = true, delay = 1000], failFast = true, name = 'spring-boot-example', consulToken = [null], consulAclToken = [null]]]' via location 'consul://' cannot be found
	at org.springframework.boot.context.config.ConfigDataResourceNotFoundException.withLocation(ConfigDataResourceNotFoundException.java:97)
	at org.springframework.boot.context.config.ConfigDataImporter.handle(ConfigDataImporter.java:133)
	at org.springframework.boot.context.config.ConfigDataImporter.load(ConfigDataImporter.java:124)
	at org.springframework.boot.context.config.ConfigDataImporter.resolveAndLoad(ConfigDataImporter.java:82)
	at org.springframework.boot.context.config.ConfigDataEnvironmentContributors.withProcessedImports(ConfigDataEnvironmentContributors.java:121)
	at org.springframework.boot.context.config.ConfigDataEnvironment.processWithProfiles(ConfigDataEnvironment.java:310)
	at org.springframework.boot.context.config.ConfigDataEnvironment.processAndApply(ConfigDataEnvironment.java:235)
	at org.springframework.boot.context.config.ConfigDataEnvironmentPostProcessor.postProcessEnvironment(ConfigDataEnvironmentPostProcessor.java:97)
	at org.springframework.boot.context.config.ConfigDataEnvironmentPostProcessor.postProcessEnvironment(ConfigDataEnvironmentPostProcessor.java:89)
	at org.springframework.boot.env.EnvironmentPostProcessorApplicationListener.onApplicationEnvironmentPreparedEvent(EnvironmentPostProcessorApplicationListener.java:100)
	at org.springframework.boot.env.EnvironmentPostProcessorApplicationListener.onApplicationEvent(EnvironmentPostProcessorApplicationListener.java:86)
	at org.springframework.context.event.SimpleApplicationEventMulticaster.doInvokeListener(SimpleApplicationEventMulticaster.java:176)
	at org.springframework.context.event.SimpleApplicationEventMulticaster.invokeListener(SimpleApplicationEventMulticaster.java:169)
	at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:143)
	at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:131)
	at org.springframework.boot.context.event.EventPublishingRunListener.environmentPrepared(EventPublishingRunListener.java:82)
	at org.springframework.boot.SpringApplicationRunListeners.lambda$environmentPrepared$2(SpringApplicationRunListeners.java:63)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1511)
	at org.springframework.boot.SpringApplicationRunListeners.doWithListeners(SpringApplicationRunListeners.java:117)
	at org.springframework.boot.SpringApplicationRunListeners.doWithListeners(SpringApplicationRunListeners.java:111)
	at org.springframework.boot.SpringApplicationRunListeners.environmentPrepared(SpringApplicationRunListeners.java:62)
	at org.springframework.boot.SpringApplication.prepareEnvironment(SpringApplication.java:362)
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:320)
	at com.hmhco.example.springboot.Application.main(Application.java:21)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:64)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:564)
	at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:49)
	at org.springframework.boot.loader.Launcher.launch(Launcher.java:107)
	at org.springframework.boot.loader.Launcher.launch(Launcher.java:58)
	at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:88)
Caused by: org.springframework.cloud.consul.config.ConsulPropertySources$PropertySourceNotFoundException: OperationException{statusCode=403, statusMessage='Forbidden', statusContent='Permission denied'}

Note: With legacy bootstrap, there is a workaround documented here (this does not apply to config data api) - https://gist.github.com/mp911de/17f550ffecdc9e8f22061bfdf896bbb4

Test Case Provided here:

https://github.com/krisiye/sb-issue-25705
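As an added triage example (not part of this issue, nor code from Spring Boot or Spring Cloud), the script below parses the failure message quoted above and separates the two causes that produce the same 403: every token field bound to null (the ordering problem this report describes) versus a token that was sent and refused by Consul's ACL policy. The regexes assume the ToStringCreator rendering visible in the log (unset fields as `[null]`, set strings in single quotes); the sample log is the report's own two relevant lines, and the token value used to exercise the second branch is a constructed placeholder.

```python
"""Triage a Spring Cloud Consul config-data startup failure from its log text.

Added example, not from the issue or the Spring projects. It classifies the
ConfigDataResourceNotFoundException shown in the report into
  no-token       : 403 and all token fields null (token not bound yet)
  token-rejected : 403 although a token was bound (ACL policy problem)
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample: the two relevant lines from the issue's log output.
SAMPLE_LOG = """\
org.springframework.boot.context.config.ConfigDataResourceNotFoundException: Config data resource '[ConsulConfigDataResource@c667f46 context = 'local/spring-boot-example/spring-boot-example,local.properties', optional = true, properties = [ConsulConfigProperties@51bd8b5c enabled = true, prefix = 'local/spring-boot-example', defaultContext = 'application', profileSeparator = ',', format = FILES, dataKey = 'data', aclToken = [null], watch = [ConsulConfigProperties.Watch@7b50df34 waitTime = 55, enabled = true, delay = 1000], failFast = true, name = 'spring-boot-example', consulToken = [null], consulAclToken = [null]]]' via location 'consul://' cannot be found
Caused by: org.springframework.cloud.consul.config.ConsulPropertySources$PropertySourceNotFoundException: OperationException{statusCode=403, statusMessage='Forbidden', statusContent='Permission denied'}
"""

# Token-carrying fields of ConsulConfigProperties as named in the message.
# Assumption: a bound value is rendered as 'value' and an unbound one as [null].
TOKEN_FIELDS = ("aclToken", "consulToken", "consulAclToken")
FIELD_RE = re.compile(r"\b(aclToken|consulToken|consulAclToken) = (\[null\]|'[^']*')")
STATUS_RE = re.compile(r"OperationException\{statusCode=(\d+)")
PREFIX_RE = re.compile(r"\bprefix = '([^']*)'")
LOCATION_RE = re.compile(r"via location '([^']*)'")


@dataclass
class Triage:
    location: Optional[str]
    prefix: Optional[str]
    status_code: Optional[int]
    token_present: Dict[str, bool]  # field name -> a non-null value was bound
    diagnosis: str


def token_presence(log: str) -> Dict[str, bool]:
    """Report, per token field, whether a non-null value was bound.

    Only presence is returned, never the value: when a token is bound, the
    exception text carries it in clear, so the log must be handled as a
    secret and this helper must not copy the value anywhere else.
    """
    present = {name: False for name in TOKEN_FIELDS}
    for name, value in FIELD_RE.findall(log):
        present[name] = value != "[null]"
    return present


def triage(log: str) -> Triage:
    """Classify the failure from the exception message and its 'Caused by' line."""
    status = STATUS_RE.search(log)
    prefix = PREFIX_RE.search(log)
    location = LOCATION_RE.search(log)
    present = token_presence(log)
    status_code = int(status.group(1)) if status else None
    prefix_text = prefix.group(1) if prefix else "?"

    if status_code == 403 and not any(present.values()):
        diagnosis = ("no-token: Consul returned 403 and every token field was null, "
                     "so no ACL token was bound when ConsulConfigProperties was "
                     "resolved (the ordering problem described in the issue)")
    elif status_code == 403:
        diagnosis = ("token-rejected: a token was sent but Consul denied it; check "
                     "that the policy on the token issued by the Vault Consul "
                     f"backend grants read on key prefix '{prefix_text}'")
    elif status_code is not None:
        diagnosis = f"consul-error: unexpected HTTP status {status_code} from Consul"
    else:
        diagnosis = "unrecognized: no Consul OperationException found in this log"

    return Triage(
        location=location.group(1) if location else None,
        prefix=prefix.group(1) if prefix else None,
        status_code=status_code,
        token_present=present,
        diagnosis=diagnosis,
    )


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result.diagnosis)
    print("location:", result.location, "| prefix:", result.prefix)
    print("token fields bound:", result.token_present)
```

Run it against a captured startup log (for example `python triage.py < app.log` after reading stdin instead of SAMPLE_LOG) to decide quickly whether to look at import ordering or at the Consul ACL policy attached to the Vault-issued token.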

@caponord

caponord commented Aug 7, 2021

Does anybody have a workaround or know when this feature will be implemented?
The problem still exists in these versions:
springboot: "2.5.2",
spring_cloud_consul: "3.0.3",
spring_cloud_vault: "3.0.3"

@holyCowMp3

Confirmed in our case.
Did anyone have a workaround for using vault alongside consul as config source?
Vault creates an aclToken for Consul, but it is not used when fetching config from the consul:// source:

spring:
  config:
    import: consul://

@krisiye
Author

krisiye commented Aug 10, 2021

No workarounds at the moment on my end. Continuing to use bootstrap for now until this can be resolved on spring boot.

@philwebb
Member

It's not clear exactly what changes (if any) are needed to Spring Boot to support Vault and Consul together. I've duplicated this issue at spring-cloud/spring-cloud-vault#607 since we really need input from the Spring Cloud team. We can reopen this issue if concrete API changes are needed on our side.

@philwebb philwebb added for: external-project For an external project and not something we can fix and removed status: waiting-for-triage An issue we've not yet triaged labels Aug 17, 2021