Hi everyone,
I’m seeking help with a standalone Vault setup running on Docker Compose. I am trying to implement AWS KMS Auto-Unseal but keep hitting a roadblock.
The Setup:
- Docker Image: hashicorp/vault:latest
- Storage: file
- Seal: awskms
The Problem: Even after wiping the data directory and using a fresh configuration, the container logs show: error: more than one enabled seal found
Has anyone successfully moved from Shamir to KMS on Docker recently?
—
This is my docker-compose.yml:

```yaml
version: '3.8'
services:
  vault:
    image: hashicorp/vault:latest
    container_name: vault-prod-single
    restart: unless-stopped
    ports:
      - "8200:8200"
    cap_add:
      - IPC_LOCK
    environment:
      VAULT_CACERT: "/vault/certs/ca.crt"
      VAULT_ADDR: "https://vault.local:8200"
    volumes:
      # Mapping to your actual folder names
      - ./vault-config/vault-config.hcl:/vault/config/vault.hcl:ro
      - ./vault-certs:/vault/certs:ro
      - ./vault-data:/vault/data
    command: ["server", "-config=/vault/config/vault.hcl"]
```
This is my vault-config.hcl:

```hcl
ui            = true
api_addr      = "https://vault.local:8200"
disable_mlock = true

storage "file" {
  path = "/vault/data"
}

seal "awskms" {
  region     = "ap-***-"
  access_key = ""
  secret_key = ""
  kms_key_id = "**************"
}

listener "tcp" {
  address            = "0.0.0.0:8200"
  tls_disable        = false
  tls_cert_file      = "/vault/certs/vault.local.crt"
  tls_key_file       = "/vault/certs/vault.local.key"
  tls_client_ca_file = "/vault/certs/ca.crt"
}
```
The error I am getting:
```
docker compose up
WARN[0000] /var/vault/docker-compose.yml: the attribute version is obsolete, it will be ignored, please remove it to avoid potential confusion
[+] up 2/2
✔ Network vault_default Created 0.5s
✔ Container vault-prod-single Created 2.7s
Attaching to vault-prod-single
vault-prod-single | 2025-12-30T10:22:32.667Z [INFO] proxy environment: http_proxy="" https_proxy="" no_proxy=""
vault-prod-single | 2025-12-30T10:22:33.834Z [INFO] incrementing seal generation: generation=1
vault-prod-single | error: more than one enabled seal found
vault-prod-single exited with code 1 (restarting)
vault-prod-single | error: more than one enabled seal found
vault-prod-single | 2025-12-30T10:22:35.983Z [INFO] proxy environment: http_proxy="" https_proxy="" no_proxy=""
vault-prod-single | 2025-12-30T10:22:37.178Z [INFO] incrementing seal generation: generation=1
vault-prod-single exited with code 1 (restarting)
vault-prod-single | error: more than one enabled seal found
vault-prod-single | 2025-12-30T10:22:38.767Z [INFO] proxy environment: http_proxy="" https_proxy="" no_proxy=""
vault-prod-single | 2025-12-30T10:22:39.857Z [INFO] incrementing seal generation: generation=1
vault-prod-single exited with code 1 (restarting)
vault-prod-single | 2025-12-30T10:22:41.575Z [INFO] proxy environment: http_proxy="" https_proxy="" no_proxy=""
vault-prod-single | 2025-12-30T10:22:42.692Z [INFO] incrementing seal generation: generation=1
vault-prod-single | error: more than one enabled seal found
vault-prod-single exited with code 1 (restarting)
vault-prod-single | error: more than one enabled seal found
vault-prod-single | 2025-12-30T10:22:44.111Z [INFO] proxy environment: http_proxy="" https_proxy="" no_proxy=""
vault-prod-single | 2025-12-30T10:22:45.241Z [INFO] incrementing seal generation: generation=1
vault-prod-single exited with code 1 (restarting)
vault-prod-single | error: more than one enabled seal found
vault-prod-single | 2025-12-30T10:22:47.427Z [INFO] proxy environment: http_proxy="" https_proxy="" no_proxy=""
vault-prod-single | 2025-12-30T10:22:48.569Z [INFO] incrementing seal generation: generation=1
vault-prod-single exited with code 1 (restarting)
```
Thanks for any insights!
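
Since the log reports more than one enabled seal, one pre-start check is to count the `seal` stanzas across every path that is handed to `vault server -config=...`. The following is an added example, not part of the original post or of Vault itself. It assumes that each `-config` path is loaded, that a directory contributes its `.hcl` files, and that a file reached through two paths is counted twice; the function names and the sample config are constructed.

```python
import re
import tempfile
from pathlib import Path

# Opening line of a seal stanza, e.g.  seal "awskms" {
SEAL_OPEN = re.compile(r'^\s*seal\s+"([^"]+)"\s*\{', re.MULTILINE)
# disabled = true (or "true") inside a stanza body
DISABLED = re.compile(r'^\s*disabled\s*=\s*"?true"?\s*$', re.MULTILINE)


def config_files(paths):
    """Expand -config arguments: a file is taken as-is, a directory
    contributes every *.hcl file in it (JSON configs are not parsed here)."""
    files = []
    for p in map(Path, paths):
        if p.is_dir():
            files.extend(sorted(p.glob("*.hcl")))
        else:
            files.append(p)
    return files  # duplicates kept on purpose: assumed to be loaded twice


def enabled_seals(paths):
    """Return (file, seal type) for each seal stanza not marked disabled."""
    found = []
    for f in config_files(paths):
        text = f.read_text()
        for m in SEAL_OPEN.finditer(text):
            end = text.find("}", m.end())  # seal stanzas are flat key/value
            body = text[m.end():end if end != -1 else len(text)]
            if not DISABLED.search(body):
                found.append((str(f), m.group(1)))
    return found


def demo():
    """Constructed sample: one file, reached by name and via its directory."""
    with tempfile.TemporaryDirectory() as d:
        cfg = Path(d) / "vault.hcl"
        cfg.write_text('storage "file" {\n  path = "/vault/data"\n}\n'
                       'seal "awskms" {\n  region = "example-region"\n}\n')
        return len(enabled_seals([cfg])), len(enabled_seals([d, cfg]))


if __name__ == "__main__":
    print(demo())
```

Run `enabled_seals([...])` with the same paths the container's final `vault server` command line receives; any result longer than one entry lists the files to look at.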