Auto Unseal with AWS KMS - access_key and secret_key

I’m working on setting up vault for a small network for use with mysql/percona keyring_vault.

I want to setup auto unseal with AWS KMS. All the instructions indicate adding the 2 environment variables
export AWS_ACCESS_KEY_ID = “<YOUR_AWS_ACCESS_KEY_ID>”
export AWS_SECRET_ACCESS_KEY = “<YOUR_AWS_SECRET_ACCESS_KEY>”

When starting the vault service I get
error fetching AWS KMS wrapping key information: NoCredentialProviders: no valid providers in chain. Deprecated.

If I add the AWS info to the vault.hcl file:
seal “awskms” {
region=region
kms_key_id=keyarn
access_key=YOUR_AWS_ACCESS_KEY_ID
secret_key=YOUR_AWS_SECRET_ACCESS_KEY
}

The auto unseal works. But of course this is not an appropriate configuration.

Where exactly should the access_key_id and secret_access_key be stored so that they are considered secure? Are the environment variables preferred or just used as an example? I do not see how they would help with an auto unseal after a restart.

The goal is upon a system restart - vault service starts, auto unseals with kms and then mysql starts and has access to the vault_keyring.

There was a known bug in Vault 1.14.0 to do with AWS credentials configuration. You should probably revert back to latest 1.13.x until 1.14.1 comes out.

Thanks for the tip. I’ll revert and see how it goes.

As far as the environment variables persisting so that they are available when the vault service starts on reboot. How/where should those be applied?

Reverted to 1.13.4 and still the same thing.

Seems the issue persists in 1.14.1 also.

Does anyone have advice on persisting the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY across reboot?

I’m not using Terraform, kubernetes, docker etc just single/standalone vault with raft storage for a small project.