Can vault be setup with read-only database


I have a setup that provides read-only access to vault storage backend (mysql). The primary instance already has write access to it and in another datacenter I want to start a standby instance . But looked like vault requires put /insert query

Error initializing storage of type mysql: failed to prepare "put": Error 1142: INSERT, UPDATE command denied to user '

Is there any other way around?


Are you talking about a standby node from the Enterprise or OSS version?

If you aren’t talking about the Enterprise version and their “performance standby” option then you should be aware that standby nodes don’t actually do anything until the leader fails. Once there is a failure one of them will take over, and therefore need full access to the underlying storage system.

With the OSS version requests to a standby node are just forwarded to the current leader node, so are solely useful for HA and don’t help with performance.

For that use case you need the Enterprise version. With that version there are also DR capabilities which might be what you are actually needing if you are talking about multiple data centres.

Hi @stuart-c ,

Thanks for your quick feedback. I’m using OSS version. In both datacenters vault instances were installed with the well known helm command. I don’t think these two vault instances can talk to each other.

The standby setup (in the 2nd datacenter) is used exactly for DR scenario, and it’s connecting to a replicated instance of our MySQL database. Readonly permission is provided and I’m expecting vault can just “read”.

Do you think it’s possible with my setup? If Enterprise version can support my setup that’d be great (and we would consider it). Any recommend is highly appreciated.

Thanks again.

No that’s not something the OSS version can do. I think you are wanting some of the features of the Enterprise version.

1 Like

Thank you very much for your clarification.

Even with Vault Enterprise, you still can’t point Vault nodes at a read only database replica.

In this scenario you would run an entirely separate data store in each site, and allow Vault to do the replication, not the database.

1 Like