AWS EKS Auto Unseal

Hello,
I am so confused here.

In order to accomplish auto-unseal on aws-eks, is it enough to do the tasks under the topic, or are there also other KMS-related tasks that must be completed?

      seal "awskms" {
        region     = "KMS_REGION_HERE"
        kms_key_id = "KMS_KEY_ID_HERE"
      }

Also, regarding the config example, which one of the following partitions is correct? Which one should I put into the helm values file?

kubectl create secret -n vault generic eks-creds \
  --from-literal=AWS_ACCESS_KEY_ID=KIAX2SHTCUHNRYKJLKJG \
  --from-literal=AWS_SECRET_ACCESS_KEY=asdfaDuhg847th23414dfad

(1)

  extraSecretEnvironmentVars:
    - envName: AWS_ACCESS_KEY_ID
      secretName: eks-creds
      secretKey: AWS_ACCESS_KEY_ID
    - envName: AWS_SECRET_ACCESS_KEY
      secretName: eks-creds
      secretKey: AWS_SECRET_ACCESS_KEY

(2)

  extraSecretEnvironmentVars:
    - envName: AWS_ACCESS_KEY_ID
      secretName: eks-creds
      secretKey: KIAX2SHTCUHNRYKJLKJG
    - envName: AWS_SECRET_ACCESS_KEY
      secretName: eks-creds
      secretKey: asdfaDuhg847th23414dfad

(3)

  extraSecretEnvironmentVars:
    - envName: KIAX2SHTCUHNRYKJLKJG
      secretName: eks-creds
      secretKey: KIAX2SHTCUHNRYKJLKJG
    - envName: asdfaDuhg847th23414dfad
      secretName: eks-creds
      secretKey: asdfaDuhg847th23414dfad

Could you please advise? I'd be very appreciative.

Thanks & Regards

You need to actually do the key migration itself before you point your Vault at a KMS key.

The first example seems like the right one; it would sort of defeat the purpose of a secret if you had to put the secret itself into your values.yaml file.
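To make the difference between the three candidate blocks concrete, here is an added check (example code written for this thread, not part of vault-helm or of any reply above). It models the Secret created by the `kubectl create secret` command, so its data keys are assumed to be `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, and verifies that each `extraSecretEnvironmentVars` entry names a key inside that Secret rather than a credential value. The credential strings are the placeholders from the question, and the `_HERE` placeholder scan for the seal stanza is an assumption about how the snippet was templated.

```python
"""Added example: sanity-check a vault-helm extraSecretEnvironmentVars list
and the awskms seal stanza before running `helm install`.

Assumed: the Secret `eks-creds` was created with the kubectl command from the
thread, so its data keys are AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
"""
import re

# Data keys of the Secret after the kubectl command. `secretKey` in values.yaml
# must name one of these; the values themselves never go into values.yaml.
EKS_CREDS_SECRET_KEYS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"}

# Variables the awskms seal reads from the Vault process environment.
EXPECTED_ENV_NAMES = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"}

# Environment variable names are UPPER_SNAKE_CASE; anything else in envName
# (for example a pasted secret access key) is a sign of a copy/paste mistake.
ENV_NAME_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")

# Template placeholders of the form "SOMETHING_HERE" (assumed convention).
PLACEHOLDER_RE = re.compile(r'"([A-Z_]*_HERE)"')


def check_secret_env_vars(entries, secret_keys=EKS_CREDS_SECRET_KEYS, secret_name="eks-creds"):
    """Return a list of problem strings; an empty list means the block is usable."""
    problems = []
    seen_env = set()
    for i, entry in enumerate(entries):
        env = entry.get("envName")
        sname = entry.get("secretName")
        skey = entry.get("secretKey")
        where = f"entry {i}"
        if not env or not sname or not skey:
            problems.append(f"{where}: envName, secretName and secretKey are all required")
            continue
        if sname != secret_name:
            problems.append(f"{where}: secretName {sname!r} is not the Secret you created ({secret_name!r})")
        if not ENV_NAME_RE.match(env):
            problems.append(f"{where}: envName {env!r} is not a variable name; it looks like a pasted value")
        if skey not in secret_keys:
            problems.append(
                f"{where}: secretKey {skey!r} is not a key in Secret {sname!r}; "
                f"its keys are {sorted(secret_keys)}"
            )
        seen_env.add(env)
    missing = EXPECTED_ENV_NAMES - seen_env
    if missing:
        problems.append(f"awskms seal still needs these variables: {sorted(missing)}")
    return problems


def seal_placeholders(seal_hcl):
    """Return placeholder tokens left in a seal stanza, e.g. KMS_KEY_ID_HERE."""
    return PLACEHOLDER_RE.findall(seal_hcl)


# The three candidate blocks from the question, as Python data (constructed).
OPTION_1 = [
    {"envName": "AWS_ACCESS_KEY_ID", "secretName": "eks-creds", "secretKey": "AWS_ACCESS_KEY_ID"},
    {"envName": "AWS_SECRET_ACCESS_KEY", "secretName": "eks-creds", "secretKey": "AWS_SECRET_ACCESS_KEY"},
]
OPTION_2 = [
    {"envName": "AWS_ACCESS_KEY_ID", "secretName": "eks-creds", "secretKey": "KIAX2SHTCUHNRYKJLKJG"},
    {"envName": "AWS_SECRET_ACCESS_KEY", "secretName": "eks-creds", "secretKey": "asdfaDuhg847th23414dfad"},
]
OPTION_3 = [
    {"envName": "KIAX2SHTCUHNRYKJLKJG", "secretName": "eks-creds", "secretKey": "KIAX2SHTCUHNRYKJLKJG"},
    {"envName": "asdfaDuhg847th23414dfad", "secretName": "eks-creds", "secretKey": "asdfaDuhg847th23414dfad"},
]

# The seal stanza exactly as pasted in the question, placeholders still in place.
SEAL_STANZA = '''
seal "awskms" {
  region     = "KMS_REGION_HERE"
  kms_key_id = "KMS_KEY_ID_HERE"
}
'''

if __name__ == "__main__":
    for name, option in (("(1)", OPTION_1), ("(2)", OPTION_2), ("(3)", OPTION_3)):
        found = check_secret_env_vars(option)
        print(name, "OK" if not found else "\n  ".join([""] + found))
    print("seal placeholders left:", seal_placeholders(SEAL_STANZA))
```

Only option (1) passes: its `secretKey` fields are the names under which `kubectl create secret --from-literal` stored the two values, so the pod receives the credentials through the Secret mount at runtime and values.yaml never carries them. Options (2) and (3) both fail because a secret value is not a key of the Secret, and (3) additionally uses those values as environment variable names, so the `AWS_*` variables the seal expects are never set.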

Sorry, I didn't understand. What is key migration? Is there any documentation, procedure or recipe for it?

Also, where/how can I get vault-helm-unseal-key ? I think I should define something there before getting vault-helm-unseal-key. :roll_eyes:

You get your unseal key when you initialize your cluster.

Why do I need to migrate things before installation? I haven’t installed anything yet.
If there is already a migrated copy of the installation, I prefer to start from there.

…but to initialize the cluster, I need to install Vault. In order to install Vault I need to define the key in the values.yaml file, don't I?

Error parsing Seal configuration: error fetching AWS KMS wrapping key information: RequestError: send request failed
caused by: Post "https://vpce-0e1bb1852241f8cc6-pzi0do8n.kms.us-east-1.vpce.amazonaws.com/": dial tcp: lookup vpce-0e1bb1852241f8cc6-pzi0do8n.kms.us-east-1.vpce.amazonaws.com on 10.100.0.10:53: no such host

You can do it either way: you deploy the cluster and manually initialize it (you can have the AWS id/secret in your config); if you do, then it'll automatically use the KMS for the key. If you init using Shamir, then you need to do a key migration after.

Hello @aram
Thanks for your answer and advice, but I think I couldn't explain my concern.

[image]
How can I fill in these fields while deploying the cluster? How can I complete the installation without filling in these fields?