Vault:1.4.3 can not start with KMS auto unseal with IAM Role #9568
Comments
Hi. Possibly the same as #8844? Note the comments at the end of that discussion.
Looks like it has the same source
I also encountered this issue and wasn't able to figure out what was going on until we set Anyhow, my issue turned out to be a problem w/ the role -- I had it scoped to the wrong namespace. Although I'd be interested in knowing if anyone else suddenly starts seeing error logs if they set
@yevgeniyo Have you tried setting the environment variable Otherwise you may be running into an issue with docker and IMDSv2:
So you might try increasing the hop count for the underlying ec2 instances if you can.
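The hop-count suggestion in the comment above, as an added example that is not part of the original thread or of Vault's code: a check over `aws ec2 describe-instances` output that flags hosts whose IMDS settings keep a bridged Docker container from getting IAM role credentials. The function name `imds_findings`, the finding labels and the sample data are constructed for illustration; the field names are those of the EC2 `MetadataOptions` block.

```python
# Added example: flag EC2 instances whose IMDS settings break role credentials
# for bridged Docker containers. Field names follow the MetadataOptions block of
# `aws ec2 describe-instances`; the sample data below is constructed.

SAMPLE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0000000000000000a",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0000000000000000b",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0000000000000000c",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0000000000000000d",
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 2}},
]}]}


def imds_findings(describe_output, min_hops=2):
    """Map instance id -> finding for hosts where a container one network hop
    away from the host cannot obtain IAM role credentials cleanly."""
    findings = {}
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                findings[inst["InstanceId"]] = "imds-disabled"
            elif opts.get("HttpPutResponseHopLimit", 1) < min_hops:
                # The IMDSv2 token response is sent with this hop limit as its
                # IP TTL, so it never reaches a container behind the bridge.
                if opts.get("HttpTokens") == "required":
                    findings[inst["InstanceId"]] = "blocked"   # no IMDSv1 fallback
                else:
                    findings[inst["InstanceId"]] = "degraded"  # waits, then IMDSv1
    return findings


if __name__ == "__main__":
    for instance_id, finding in imds_findings(SAMPLE).items():
        print(instance_id, finding)
    # Remediation per flagged instance (placeholder id):
    #   aws ec2 modify-instance-metadata-options --instance-id <instance-id> \
    #       --http-put-response-hop-limit 2
```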
Describe the bug
With version 1.4.3 KMS auto unsealing with IAM Role is not working
Vault service is not starting at all, no output
/vault/logs # vault server -config=/vault/config/
^C
To Reproduce
Steps to reproduce the behavior:
Run vault 1.4.3 on docker with config:
"seal": {
"awskms": {
"region": "your region",
"kms_key_id": "your key"
}
}
Check logs
Vault server configuration file(s):
Additional context
Checked the same setup with 1.3.7
All works as expected