Hi,
I’m trying to enable the auto unseal feature with alicloudaws. However, it somehow doesn’t work well. The node keeps becoming a standby node instead of becoming the active master node after I use the unseal migrate command.
Here is the vault config I have:
ui = true
api_addr = "https://{{ instance_hostname }}:8200"
storage "mysql" {
ha_enabled = "true"
username = "vault"
password = "{{ mysql_account_password }}"
database = "vault"
address = "{{ alicloud_rds_mysql_hostname }}:3306"
tls_ca_file = "/srv/vault/cert/rds-combined-ca-bundle.pem"
}
seal "alicloudkms" {
region = "cn-shenzhen"
access_key = "{{ alicloud_access_key }}"
secret_key = "{{ alicloud_secret_key }}"
kms_key_id = "{{ kms_instance_id }}"
}
listener "tcp" {
address = "{{ instance_hostname }}:8200"
tls_disable = 0
tls_cert_file = "/srv/vault/cert/vault.crt"
tls_key_file = "/srv/vault/cert/vault.key"
}
vault version: tried with both 1.8.2 and 1.11.4. None of them work.
I set up two alicloud ecs instances for this vault cluster, and it works well without auto unseal. Nevertheless, when I tried to migrate to auto unseal with alicloudkms, I saw this error in the log:
2022-10-07T00:11:05.645Z [INFO] core: unsealing using migration seal
2022-10-07T00:11:05.649Z [INFO] core.cluster-listener.tcp: starting listener: listener_address=10.51.13.219:8201
2022-10-07T00:11:05.649Z [INFO] core.cluster-listener: serving cluster requests: cluster_listen_address=10.51.13.219:8201
2022-10-07T00:11:05.649Z [INFO] core: vault is unsealed
2022-10-07T00:11:05.649Z [INFO] core: entering standby mode
2022-10-07T00:11:05.670Z [INFO] core: acquired lock, enabling active operation
2022-10-07T00:11:05.673Z [INFO] core: seal migration initiated
2022-10-07T00:11:05.673Z [INFO] core: migrating from shamir to auto-unseal: to=alicloudkms
2022-10-07T00:11:05.679Z [ERROR] core: seal migration error:
error=
| error setting new recovery key information: failed to encrypt keys for storage: error encrypting data: SDK.ServerError
| ErrorCode: UnsupportedOperation
| Recommend:
| RequestId: 25c44410-ac47-4f77-9258-60d5ed43145a
| Message: This action is not supported.
2022-10-07T00:11:05.679Z [WARN] core: vault is sealed
Any idea what might cause this?
Thanks in advance.
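The log excerpt above is Vault's multi-line error format: a timestamped `[ERROR] core: seal migration error:` entry followed by an `error=` line and `|`-prefixed continuation lines carrying the KMS SDK fields. Here is an added example (not from the original post or from Vault) of a small parser that folds those continuation lines back into one structured record, so a failed seal migration and its KMS `ErrorCode`/`RequestId` can be alerted on or handed to the cloud provider's support; the sample log is the excerpt from the post, embedded as constructed input.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: the seal-migration lines from the post above.
SAMPLE_LOG = """\
2022-10-07T00:11:05.673Z [INFO] core: migrating from shamir to auto-unseal: to=alicloudkms
2022-10-07T00:11:05.679Z [ERROR] core: seal migration error:
error=
| error setting new recovery key information: failed to encrypt keys for storage: error encrypting data: SDK.ServerError
| ErrorCode: UnsupportedOperation
| Recommend:
| RequestId: 25c44410-ac47-4f77-9258-60d5ed43145a
| Message: This action is not supported.
2022-10-07T00:11:05.679Z [WARN] core: vault is sealed
"""

# One timestamped hclog entry: "<ts> [LEVEL] <source>: <message>"
ENTRY_RE = re.compile(r"^(?P<ts>\S+) \[(?P<level>[A-Z]+)\] (?P<source>[^:]+): (?P<msg>.*)$")
# A "Key: value" field inside a "| ..." continuation line (value may be empty, e.g. "Recommend:")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z]+): ?(?P<value>.*)$")

@dataclass
class SealMigrationError:
    timestamp: str
    target_seal: Optional[str]          # taken from the preceding "migrating ... to=<seal>" entry
    cause: str                          # first continuation line: the wrapped Go error chain
    fields: dict = field(default_factory=dict)  # ErrorCode, Recommend, RequestId, Message

def parse_seal_migration_errors(log_text: str):
    """Return one SealMigrationError per '[ERROR] core: seal migration error' entry."""
    errors, target, current = [], None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            msg = m.group("msg")
            if "migrating from shamir to auto-unseal" in msg:
                target = msg.rsplit("to=", 1)[-1].strip()
            if m.group("level") == "ERROR" and msg.startswith("seal migration error"):
                current = SealMigrationError(m.group("ts"), target, "")
                errors.append(current)
            else:
                current = None  # any other timestamped entry closes the multi-line block
        elif current is not None and line.startswith("|"):
            body = line[1:].strip()
            f = FIELD_RE.match(body)
            if f and f.group("key") in ("ErrorCode", "Recommend", "RequestId", "Message"):
                current.fields[f.group("key")] = f.group("value")
            elif not current.cause:
                current.cause = body
        # the bare "error=" line carries nothing and is skipped
    return errors
```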