AWS KMS Autounseal without IAM user


I see from the docs that you need to specify an access key and secret key in the Vault Helm Chart in order to authenticate against AWS KMS and perform the auto unsealing when launching the vault chart.

Is there a way to not pass those IAM credentials and do it with a role, for example? Is there another option?



That’s the way I’m doing it; I just set the region and the key ID and give the EC2 node the relevant IAM role to get access to the key in KMS.

  seal "awskms" {
    region     = "${AWS_REGION}"
    kms_key_id = "${KMS_KEY_ID}"
  }

Works perfectly.

Perfect then! Thanks.

Is it possible to leave the config section of the Vault Helm chart with env variables as you stated in your comment? Or do you have to put the hardcoded values in it?


Sorry; I don’t know anything about the Helm chart - I’m deploying using Terraform and those values are just substituted in my configuration during template evaluation.

Given the values are non-secret, there doesn’t seem to be much harm in including them directly in the config section; it’s entirely possible Helm has some way of meta-templating this but I don’t use it.
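As an added example (not from either poster), here is a values file for the Vault Helm chart that follows the advice above: region and key ID are written as plain values in the config section, no access key or secret key appears anywhere, and credentials come from the IAM role attached to the node, or more narrowly to the Vault service account via an EKS IRSA annotation. The key alias, role ARN and region are placeholders.

```yaml
# values.yaml for the Vault Helm chart (added example; all identifiers are placeholders)
server:
  # Optional: bind an IAM role to the Vault service account (EKS IRSA) so that
  # only Vault pods, not every pod scheduled on the node, can use the KMS key.
  # Leave this block out if the permission is granted through the EC2 node role.
  # Either role needs only kms:Encrypt, kms:Decrypt and kms:DescribeKey on this one key.
  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: "arn:aws:iam::111122223333:role/vault-unseal-PLACEHOLDER"

  # Alternative to hardcoding: the seal also reads these environment variables,
  # so the config stanza could be reduced to an empty seal "awskms" {} block.
  extraEnvironmentVars:
    AWS_REGION: "us-east-1"
    # VAULT_AWSKMS_SEAL_KEY_ID: "alias/vault-unseal-PLACEHOLDER"

  standalone:
    enabled: true
    config: |
      ui = true

      # Matches the chart's default listener; tls_disable = 1 assumes TLS is
      # terminated in front of Vault. Set tls_cert_file/tls_key_file otherwise.
      listener "tcp" {
        address         = "[::]:8200"
        cluster_address = "[::]:8201"
        tls_disable     = 1
      }

      storage "file" {
        path = "/vault/data"
      }

      # Auto-unseal: region and key ID are non-secret. With access_key and
      # secret_key omitted, the AWS SDK credential chain picks up the instance
      # profile or the IRSA web-identity token at pod start.
      seal "awskms" {
        region     = "us-east-1"
        kms_key_id = "alias/vault-unseal-PLACEHOLDER"
      }
```

Grant the role permission on the single key's ARN rather than `kms:*` on `*`, and check CloudTrail for `Decrypt` calls against that key from principals other than the Vault role.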

Ah great, no problem then, I'll try it, thanks!

One last question,

Do you know what happens if a secret changes in Vault? Will the application be aware? Do you have to restart the pod yourself to retrieve the new secret value?