From 3fd08533fc7851a1bbeea2e7bbfb6771522019ee Mon Sep 17 00:00:00 2001
From: hygienic-books
Date: Tue, 4 Feb 2025 00:52:28 +0100
Subject: [PATCH] feat(hashicorpvault): Use AWS KMS to unseal

---
 compose.yaml                 | 5 +++++
 env/fqdn_context.env.example | 6 +++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/compose.yaml b/compose.yaml
index cde2619..ece172b 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -25,6 +25,11 @@ services:
       VAULT_LOCAL_CONFIG: ${VAULT_LOCAL_CONFIG}
       VAULT_DEV_ROOT_TOKEN_ID: ${VAULT_DEV_ROOT_TOKEN_ID}
       VAULT_DEV_LISTEN_ADDRESS: ${VAULT_DEV_LISTEN_ADDRESS}
+      AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID:-}
+      AWS_REGION: ${AWS_REGION:-}
+      AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY:-}
+      VAULT_AWSKMS_SEAL_KEY_ID: ${VAULT_AWSKMS_SEAL_KEY_ID:-}
+      VAULT_SEAL_TYPE: ${VAULT_SEAL_TYPE:-}
     entrypoint: vault server -config=/vault/config/vault.hcl
     networks:
       # Variables are not supported in keys, only in values.
diff --git a/env/fqdn_context.env.example b/env/fqdn_context.env.example
index ca5ff24..9350679 100644
--- a/env/fqdn_context.env.example
+++ b/env/fqdn_context.env.example
@@ -8,7 +8,11 @@ HASHICORPVAULT_VERSION=latest
 VAULT_DEV_ROOT_TOKEN_ID=your-root-token-here
 VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:1234
 VAULT_LOCAL_CONFIG={"backend": {"file": {"path": "/vault/file"}}, "default_lease_ttl": "168h", "max_lease_ttl": "720h"}
-
+# AWS_ACCESS_KEY_ID=
+# AWS_REGION=
+# AWS_SECRET_ACCESS_KEY=
+# VAULT_AWSKMS_SEAL_KEY_ID=
+# VAULT_SEAL_TYPE=awskms
 # Feel free to leave defaults. They apply while these vars are commented out
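Review bot: The added `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` entries in the compose.yaml hunk hand Vault's auto-unseal credentials to the container as plain environment variables, where `docker inspect` and the process environment expose them to anyone with access to the host, and whoever holds them can unseal the stored Vault data, so they deserve the same protection as unseal keys. Vault's awskms seal resolves credentials through the standard AWS credential chain, so on AWS the static keys can stay unset in favour of an instance or task role scoped to kms:Encrypt, kms:Decrypt and kms:DescribeKey on that one key; a comment above `AWS_ACCESS_KEY_ID` such as `# Static AWS keys can unseal Vault: prefer an IAM role and leave these unset; never commit real values to the env file` would make the intended deployment clear. Note also that `${VAR:-}` exports each variable as an empty string rather than leaving it unset, which the AWS SDK credential chain appears to tolerate but is worth confirming for `VAULT_SEAL_TYPE` when no seal is configured. The `environment` mapping begins before the hunk, in the service definition.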