We are moving our Vault from AWS to GCP. I have the Vault on GCP configured with auto-unseal using GCP KMS. I ran the vault migration script, which requires an empty data directory, and it brought over all the secrets and configurations from the old AWS vault (via Consul).
The problem: now Vault won’t start. Apparently, the migration also tried to migrate the AWS KMS keys. The error is:
Error initializing core: cannot seal migrate from "awskms" to "gcpckms", no disabled seal in configuration
I don’t want the seal to migrate; I want to create new seals using the GCP KMS I already have set up in the config file. How do I get past this error? I can’t start either Vault or a vault dev server. No matter what I try, I get seal errors.
Is it possible to re-run the migrate and exclude KMS config values? I’ve been Googling this problem for two days, and apparently there isn’t much out there about migrating from AWS to GCP.
Any help would be appreciated; I am blocked until I can fix it.
Thank you!
Rachel