Spring-cloud-config: Encrypted values in /env endpoint

Created on 4 Aug 2017  路  2Comments  路  Source: spring-cloud/spring-cloud-config

We use spring cloud config as configuration tool. We store passwords and other sensitive things in the config git repository. We encrypt the config using Spring /encrypt endpoint and put the values in config.

There is an endpoint /env which returns all the properties. The problem here is, the values which are encrypted returned as plain text. Is there a way, we make the endpoint to return encrypted value instead of plain text?

Based on the suggestion from stackoverflow, we have added the property spring.cloud.config.server.encrypt.enabled=false. But still, the /env returns the decrypted value.

Most helpful comment

/env actually comes from spring-boot (spring-cloud adds the ability to POST). You can set endpoints.configprops.keys-to-sanitize to whatever pattern you need. The default is password,secret,key,token,.*credentials.*,vcap_services # Keys that should be sanitized. Keys can be simple strings that the property ends with or regex expressions.

All 2 comments

The /env endpoint is an actuator endpoint added by Spring Cloud Config. You should take the usual steps to secure the actuator endpoints so as not to allow unwanted access. https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-monitoring.html#production-ready-sensitive-endpoints

/env actually comes from spring-boot (spring-cloud adds the ability to POST). You can set endpoints.configprops.keys-to-sanitize to whatever pattern you need. The default is password,secret,key,token,.*credentials.*,vcap_services # Keys that should be sanitized. Keys can be simple strings that the property ends with or regex expressions.

Was this page helpful?
0 / 5 - 0 ratings