AWS KMS not working for standalone mode

Hi all,

I’m trying to set up Vault using the Helm chart; by default it runs in standalone mode.
During installation, we can pass the “-f example.yaml” file to override values. In that, I’m mentioning AWS-KMS config, but it’s not working.

Can someone please help me with this?


```yaml
global:
  enabled: true

server:
  extraSecretEnvironmentVars:
    - envName: AWS_ACCESS_KEY_ID
      secretName: eks-creds
      secretKey: AWS_ACCESS_KEY_ID
    - envName: AWS_SECRET_ACCESS_KEY
      secretName: eks-creds
      secretKey: AWS_SECRET_ACCESS_KEY

  # standalone is a child of server in the Vault Helm chart values
  standalone:
    enabled: true
    config: |
      ui = true

      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }

      seal "awskms" {
        region     = "xx-xxxx-x"
        kms_key_id = "xxx-xxxx-xxx"
      }
```



As a test, embed the access and secret key into your seal stanza to see if there is an issue with your kube secret. You may have messed up the secretKey.

I have embedded the secret key in it. Now it works, but the strange thing is that when I’m doing vault operator init, I’m getting the following error:

Error checking seal status: Get "https://127.0.0.1:8200/v1/sys/seal-status": http: server gave HTTP response to HTTPS client

So:

a) Your kube secret, either secretName or secretKey, is wrong.
b) You need to listen to HTTP and not HTTPS on 127.0.0.1, and listen to HTTPS on your inbound ingress.
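
Both points in this thread (a Secret reference that does not resolve, and a client speaking HTTPS to a listener with `tls_disable = 1`) can be checked offline before installing the chart. The following is an added example, not code from any poster or from the Vault project. The function names and the Secret contents are constructed, and the stray-whitespace check is an extra assumption about a common cause that the thread does not mention.

```python
import base64
import re

def check_secret_refs(secret_name, secret_data, env_refs):
    """Return problems found in extraSecretEnvironmentVars entries.
    secret_data is the `data` map of the Kubernetes Secret (base64 values)."""
    problems = []
    for ref in env_refs:
        env = ref["envName"]
        if ref["secretName"] != secret_name:
            problems.append(f"{env}: secretName {ref['secretName']!r} not found")
            continue
        encoded = secret_data.get(ref["secretKey"])  # keys are case-sensitive
        if encoded is None:
            problems.append(f"{env}: key {ref['secretKey']!r} missing in Secret")
            continue
        value = base64.b64decode(encoded).decode()
        if not value or value != value.strip():
            problems.append(f"{env}: value is empty or has stray whitespace")
    return problems

def tls_disabled(vault_hcl):
    """True if the listener "tcp" stanza sets tls_disable to 1 or true."""
    stanza = re.search(r'listener\s+"tcp"\s*\{(.*?)\}', vault_hcl, re.S)
    if not stanza:
        return False
    flag = re.search(r'tls_disable\s*=\s*"?(\w+)"?', stanza.group(1))
    return bool(flag) and flag.group(1).lower() in ("1", "true")

def addr_matches_listener(vault_addr, vault_hcl):
    """VAULT_ADDR must be http:// when TLS is disabled, https:// otherwise."""
    want = "http://" if tls_disabled(vault_hcl) else "https://"
    return vault_addr.startswith(want)

def b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample input: one value has a trailing newline, one key is lower-cased.
ENV_REFS = [
    {"envName": "AWS_ACCESS_KEY_ID", "secretName": "eks-creds", "secretKey": "AWS_ACCESS_KEY_ID"},
    {"envName": "AWS_SECRET_ACCESS_KEY", "secretName": "eks-creds", "secretKey": "AWS_SECRET_ACCESS_KEY"},
]
SECRET_DATA = {"AWS_ACCESS_KEY_ID": b64("EXAMPLE-ID\n"), "aws_secret_access_key": b64("EXAMPLE-SECRET")}
LISTENER_HCL = 'listener "tcp" {\n  tls_disable = 1\n  address = "[::]:8200"\n}\n'

if __name__ == "__main__":
    for problem in check_secret_refs("eks-creds", SECRET_DATA, ENV_REFS):
        print(problem)
    print("https address OK:", addr_matches_listener("https://127.0.0.1:8200", LISTENER_HCL))
```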