Azure KeyVault KMS Root Key Generation (boundary database init)

Hi there Everyone,

While attempting to run the database init command to initialize the database and generate the KMS keys:

boundary database init -config /boundary/config.hcl

I get the following error:

Error parsing KMS configuration: error setting configuration on the kms plugin: rpc error:
code = Unknown
desc = error fetching Azure Key Vault wrapper key information: keyvault.BaseClient#GetKey: Failure responding to request:
StatusCode=404 -- Original Error: autorest/azure: Service returned an error.
Status=404
Code="KeyNotFound"
Message="A key with (name/id) root was not found in this key vault. If you recently deleted
this key you may be able to recover it using the correct recovery command. For help
resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125182"

The following is my KMS configuration:

# Root KMS configuration block: this is the root key for Boundary
# Using Azure Key Vault
kms "azurekeyvault" {
  purpose  = "root"
  key_name = "root"
}

# Worker authorization KMS
# Using Azure Key Vault
kms "azurekeyvault" {
  purpose  = "worker-auth"
  key_name = "worker"
}

# Recovery KMS block: configures the recovery key for Boundary
# Using Azure Key Vault
kms "azurekeyvault" {
  purpose  = "recovery"
  key_name = "recovery"
}

The following items are exposed via environment variables:

# AZURE_TENANT_ID:                  Azure Tenant ID
# AZURE_CLIENT_ID:                  Azure App ID 
# AZURE_CLIENT_SECRET:              Azure App Password
# AZUREKEYVAULT_WRAPPER_VAULT_NAME: Key Vault Name
# BOUNDARY_POSTGRES_URL:            Postgres connection string

Any thoughts on why it doesn’t generate the root key? Any help would be much appreciated. Thanks!

The KMS keys need to exist before you can use them with Boundary – it won’t create them. (I typically use Terraform to create the keys and then create and deploy the config files for the controllers and workers.)

The exception is when you run Boundary in dev mode – it will autogenerate hardcoded AEAD key strings instead of using a cloud KMS.

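The failure above is a missing key, not a missing permission, so it can be caught before `boundary database init` ever talks to Postgres. The following pre-flight script is an added example (not code from this thread, from Boundary or from HashiCorp): it pulls every `kms "azurekeyvault"` block out of a config.hcl, checks that the `key_name` values exist in the vault, that the three purposes used in the question are all configured, and that the environment variables from the post are set. It assumes the caller supplies the vault's existing key names (for example from `az keyvault key list --vault-name "$AZUREKEYVAULT_WRAPPER_VAULT_NAME" --query "[].name" -o tsv` on stdin); the HCL matching is a small regex over the block shape used in the thread, not a full HCL parser, and the file name `preflight.py` is just a placeholder.

```python
"""Pre-flight check for Boundary "azurekeyvault" KMS blocks.

Added example, not code from the thread, Boundary or HashiCorp. Boundary
fetches its KMS keys at init time and does not create them, so a key_name
that is absent from the vault surfaces as the 404 KeyNotFound error above.

Assumptions: existing vault key names are supplied by the caller (stdin,
one per line); the HCL matching is a regex over the block shape used in
the question, not a full HCL parser, and expects no "}" inside a block.
"""
import os
import re
import sys
from typing import Dict, Iterable, List, Mapping

# Constructed sample: the three kms blocks posted in the question.
SAMPLE_CONFIG = """
# Root KMS configuration block: this is the root key for Boundary
kms "azurekeyvault" {
  purpose  = "root"
  key_name = "root"
}

# Worker authorization KMS
kms "azurekeyvault" {
  purpose  = "worker-auth"
  key_name = "worker"
}

# Recovery KMS block: configures the recovery key for Boundary
kms "azurekeyvault" {
  purpose  = "recovery"
  key_name = "recovery"
}
"""

# The three purposes configured in the question, and the environment the
# azurekeyvault wrapper is fed in the post.
EXPECTED_PURPOSES = ("root", "worker-auth", "recovery")
REQUIRED_ENV = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET",
                "AZUREKEYVAULT_WRAPPER_VAULT_NAME")

_KMS_BLOCK = re.compile(r'kms\s+"azurekeyvault"\s*\{(?P<body>.*?)\}', re.DOTALL)
_ATTR = re.compile(r'^\s*(?P<k>[A-Za-z_]+)\s*=\s*"(?P<v>[^"]*)"', re.MULTILINE)


def parse_kms_blocks(hcl: str) -> Dict[str, str]:
    """Return {purpose: key_name} for every kms "azurekeyvault" block."""
    found: Dict[str, str] = {}
    for block in _KMS_BLOCK.finditer(hcl):
        attrs = {m.group("k"): m.group("v") for m in _ATTR.finditer(block.group("body"))}
        if "purpose" not in attrs or "key_name" not in attrs:
            raise ValueError("kms block is missing purpose or key_name")
        found[attrs["purpose"]] = attrs["key_name"]
    return found


def missing_purposes(config: Mapping[str, str]) -> List[str]:
    """Purposes from the question's config that this config does not define."""
    return [p for p in EXPECTED_PURPOSES if p not in config]


def missing_keys(config: Mapping[str, str], vault_keys: Iterable[str]) -> List[str]:
    """key_name values the wrapper would fail to fetch (the KeyNotFound case)."""
    present = set(vault_keys)
    return sorted({name for name in config.values() if name not in present})


def missing_env(env: Mapping[str, str] = os.environ) -> List[str]:
    """Variables from the post that are unset or empty."""
    return [v for v in REQUIRED_ENV if not env.get(v)]


if __name__ == "__main__":
    # Usage: python preflight.py /boundary/config.hcl < existing-key-names.txt
    hcl_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    existing = [] if sys.stdin.isatty() else [l.strip() for l in sys.stdin if l.strip()]
    cfg = parse_kms_blocks(hcl_text)
    problems = (missing_purposes(cfg), missing_keys(cfg, existing), missing_env())
    for label, items in zip(("purposes", "keys", "env"), problems):
        print(f"missing {label}: {items or 'none'}")
    sys.exit(1 if any(problems) else 0)
```

Run with the real config and the `az keyvault key list` output piped in; a non-zero exit means `database init` would hit the same 404 (or a config or environment gap) and the key should be created first, for instance with the Terraform in the next reply.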

Hi there @omkensey ,

Apologies - you’re right. I hadn’t done this in a couple of months and forgot the process :) . For others’ reference, this is what I use:

# Create three keys for root, recovery, and worker
# (one azurerm_key_vault_key per Boundary KMS purpose; the key names must
# match the key_name values in the kms "azurekeyvault" blocks of config.hcl)
resource "azurerm_key_vault_key" "keys" {
  for_each     = toset(["root", "worker", "recovery"])
  name         = each.key
  key_vault_id = azurerm_key_vault.boundary.id   # vault defined elsewhere in keyvault.tf
  key_type     = "RSA"
  key_size     = 2048

  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]

  # The vault and its access policies (including the one for the identity
  # running Terraform) must exist before the keys are written
  depends_on = [
    azurerm_key_vault.boundary,
    azurerm_key_vault_access_policy.pipeline_agents,
    azurerm_key_vault_access_policy.boundary,
    azurerm_key_vault_access_policy.ameer,
  ]
}

The above code snippet is from a contribution from @ned1313 in the boundary reference architecture: boundary-reference-architecture/keyvault.tf at main · hashicorp/boundary-reference-architecture (github.com)

Thanks all!