Awskms for auto unseal implementation

Hi guys,

For the last few days I’ve been playing around with awskms auto unseal for my first Vault cluster in EKS, but unfortunately it fails all the time.

I have a few questions regarding the feature, please help.

  1. Does awskms auto unseal work in the open source version, or is it only a feature of the enterprise version? If it is enterprise only, is there any cost/charge for investigating the feature?

  2. I’ve mapped the EKS service account ‘vault’ to an AWS IAM role, and the IAM role has access to the KMS keys, in fact all KMS permissions. Is there a smaller/exact permission list for the IAM role?

  3. Where does the awskms feature store the ciphertext (of the unseal root key)? I’m using integrated storage/raft; how can I see the ciphertext, and how is the ciphertext synced from the vault-0 pod to the vault-1 and vault-2 pods?

  4. How do I run debugging to see what’s behind the awskms transactions? For debugging the awskms unseal setting, the regular logs show nothing, and ‘vault status’ says initialized but sealed.