Title: spring.cloud.vault.kv.profiles does not override the spring active profiles for use in the key-value backend
PetrivMykola changed the title from "spring.cloud.vault.kv.profiles does not override the active profiles for use in the key-value backend" on Jul 29, 2024
Describe the bug
We need to disable Spring profiles and override them with spring.cloud.vault.kv.profiles, because it is causing a 403 as the Vault policy does not allow access to the Spring profiles.
Current Spring profiles: api-docs, dev.
Vault policy:
path "secret_kv/data/applicationA/sandbox" {
  capabilities = ["list", "read"]
}
Spring yml file:
spring:
  config:
    import:
      - vault://
  cloud:
    vault:
      ssl:
        trust-store: ***************
        trust-store-type: PEM
      host: *************
      authentication: APPROLE
      port: 8443
      application-name: applicationA
      kv:
        backend: secret_kv
        default-context: applicationA
        profiles: sandbox
      app-role:
        role-id: *************
        secret-id: ***********
        app-role-path: **********
      fail-fast: true
Spring log:
15:42:28.767 [restartedMain] ERROR org.springframework.boot.SpringApplication - Application run failed
org.springframework.vault.VaultException: Status 403 Forbidden [secret_kv/data/applicationA/api-docs]: 1 error occurred:
* permission denied
; nested exception is org.springframework.web.client.HttpClientErrorException$Forbidden: 403 Forbidden: [{"errors":["1 error occurred:\n\t* permission denied\n\n"]}
]
It is trying to connect to api-docs, which is a Spring profile, and fails due to the policy on the Vault side.
Moreover, it seems like spring.cloud.vault.kv.profiles = sandbox is completely ignored. When I fix the permission to:
path "secret_kv/data/applicationA/sandbox" {
  capabilities = ["list", "read"]
}
path "secret_kv/data/applicationA/*" {
  capabilities = ["list", "read"]
}
path "secret_kv/data/applicationA" {
  capabilities = ["list", "read"]
}
Spring log:
Requesting secrets from Vault at secret_kv/applicationA/api-docs using ROTATE
Vault location [secret_kv/applicationA/api-docs] not resolvable: Not found
Requesting secrets from Vault at secret_kv/applicationA/dev using ROTATE
Requesting secrets from Vault at secret_kv/applicationA using ROTATE
Vault location [secret_kv/applicationA] not resolvable: Not found
It retrieved passwords from secret_kv/applicationA/dev and ignored sandbox.
Not sure if this fix works: 9bec609
"profiles overrides the active profiles for use in the key-value backend"
Our version:
Manifest-Version: 1.0
Implementation-Title: Spring Cloud Vault Configuration Integration
Implementation-Version: 3.0.2
Build-Jdk-Spec: 1.8
Created-By: Maven Jar Plugin 3.2.0
Implementation-Vendor: Pivotal Software, Inc.
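A small preflight check, added here as an example and not code from the issue or from Spring Cloud Vault: it lists the KV paths the backend will request (the path layout, and the fact that the bare default context is always requested, are taken from the log lines above; the KV v2 data/ prefix from the 403 message) and checks each against the Vault policy using a simplified model of Vault's ACL globbing (an assumption, not Vault's full evaluation rules). With honour_kv_profiles=False it reproduces the 403 against the narrow sandbox-only policy; with True it shows what the documented override would have requested instead.

```python
from dataclasses import dataclass, field

@dataclass
class KvSettings:
    backend: str          # spring.cloud.vault.kv.backend
    default_context: str  # spring.cloud.vault.kv.default-context
    active_profiles: list # spring.profiles.active
    kv_profiles: list = field(default_factory=list)  # spring.cloud.vault.kv.profiles

def requested_paths(s: KvSettings, honour_kv_profiles: bool) -> list:
    """One path per profile, then the bare context. honour_kv_profiles=False
    reproduces the issue's log (active profiles used, kv.profiles ignored);
    True models the documented override."""
    profiles = s.active_profiles
    if honour_kv_profiles and s.kv_profiles:
        profiles = s.kv_profiles
    paths = [f"{s.backend}/{s.default_context}/{p}" for p in profiles]
    paths.append(f"{s.backend}/{s.default_context}")  # always requested per the log
    return paths

def data_path(kv_path: str) -> str:
    """KV v2 reads hit <backend>/data/<rest>, as the 403 message shows."""
    backend, rest = kv_path.split("/", 1)
    return f"{backend}/data/{rest}"

def policy_allows(policy: dict, path: str, capability: str = "read") -> bool:
    """Simplified Vault ACL model (assumption): exact match, or prefix match
    when the pattern ends in '*'. Note 'x/*' does not cover the bare path 'x'."""
    for pattern, caps in policy.items():
        matched = path.startswith(pattern[:-1]) if pattern.endswith("*") else path == pattern
        if matched and capability in caps:
            return True
    return False

def preflight(s: KvSettings, policy: dict, honour_kv_profiles: bool) -> dict:
    """Map each path Spring will request to 'allowed' or 'denied' (a 403)."""
    return {p: "allowed" if policy_allows(policy, data_path(p)) else "denied"
            for p in requested_paths(s, honour_kv_profiles)}

if __name__ == "__main__":
    # Constructed from the issue: active profiles api-docs/dev, kv.profiles
    # sandbox, and the narrow policy that only grants applicationA/sandbox.
    settings = KvSettings("secret_kv", "applicationA", ["api-docs", "dev"], ["sandbox"])
    narrow = {"secret_kv/data/applicationA/sandbox": ["list", "read"]}
    for path, verdict in preflight(settings, narrow, honour_kv_profiles=False).items():
        print(f"{path}: {verdict}")
```

Note that even with kv.profiles honoured, the bare context path secret_kv/data/applicationA is still requested, so a policy granting only the sandbox path still shows one denied entry in the model.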