Quico/vault-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

feat(docs): Explain AWS KMS auto-unseal

Browse Source
This commit is contained in:
hygienic-books 2025-02-04 03:12:48 +01:00
parent 6e0313a7b0
commit 857ebf865f
1 changed files with 10 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
README.md
View File

@ -317,7 +317,7 @@ The setup roughly goes like so:
* (Re-)Start Vault daemon
* Via CLI migrate unseal mechanism to AWS KMS
One way to configure Vault to do AWS KMS auto-unsealing is to specify the following environment variables. All but the fifth one (`VAULT_SEAL_TYPE=awskms`) depend on the KMS key you created so fill in the blanks with your specific key material. We're assuming that you have a Vault instance running with Docker Compose or a similar mechanism, we'll leave the implementation details to you for how to get these five environment variables into your Vault instance.
One way to configure Vault to do AWS KMS auto-unsealing is to specify the following environment variables. All but the fifth one (`VAULT_SEAL_TYPE=awskms`) depend on the KMS key you created so fill in the blanks with your specific key material. We're assuming that you have a Vault instance running with Docker Compose or a similar mechanism, we'll leave the implementation details to you for how to get these five environment variables into your Vault instance. Note that `VAULT_AWSKMS_SEAL_KEY_ID` is the key's Amazon Resource Name.
```
AWS_ACCESS_KEY_ID=
@ -388,7 +388,15 @@ In its log output Vault will indicate that seal migration is complete. That's al
#### Migrate back to Shamir unseal keys
Once a Vault instance is configured to auto-unseal with AWS KMS or any other key management provider Vault will not ever unseal via any other mechanism. If you lose Internet connectivity to AWS or the key gets deleted at AWS your Vault instance will remain locked. Your way out in this case is to migrate back to Shamir unseal keys. We'll assume that you're running Vault with Docker Compose and that you have environment variables set like so:
Once a Vault instance is configured to auto-unseal with AWS KMS or any other key management provider Vault will not ever unseal via any other mechanism. If you lose Internet connectivity to AWS or the key gets deleted at AWS your Vault instance will remain locked. Your way out in this case is to migrate back to Shamir unseal keys.
The setup roughly goes like so:
* Configure Vault to **_not_** use AWS KMS
* (Re-)Start Vault daemon
* Via CLI migrate unseal mechanism to Shamir unseal keys
We'll assume that you're running Vault with Docker Compose and that you have environment variables set like so, obviously with real values instead of blanks:
```
AWS_ACCESS_KEY_ID=