Configuration for Vault Secret Engines on init

I am running a Vault cluster on Docker Swarm in an AWS VPC, using auto unseal with KMS. Are there recommended ways to configure Vault to use secret engines on initialization, such as using the PKI secrets engine for signed SSH certs? Is this done through API calls or an SDK? Is there another way to configure the cluster to not need operator intervention on start, or does an engineer need to manually intervene?

Thanks for any feedback.

Hi Jared! This is done by API calls. However, there are tools for making such API calls. One of them is Terraform, which has a Vault provider here. If you decide to use it, please do watch the Best Practices vid first so you know its security strategy and how to mitigate risk.
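The API calls the answer refers to, sketched as an added example that is not part of the thread: an idempotent bootstrap that mounts Vault's SSH secrets engine (the engine that issues signed SSH certificates), generates its CA once, and writes a signing role. `VAULT_ADDR` and `VAULT_TOKEN` are assumed to be injected by the deployment; the mount path, role name and role values are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. VAULT_ADDR and VAULT_TOKEN are assumed to be
# injected by the deployment; mount path, role name and role values are hypothetical.
set -eu

MOUNT="${MOUNT:-ssh-client-signer}"
ROLE="${ROLE:-ops}"
ROLE_JSON='{"key_type":"ca","allow_user_certificates":true,"allowed_users":"ubuntu","default_user":"ubuntu","ttl":"30m"}'

# vault_api METHOD PATH [JSON_BODY]: one call to the Vault HTTP API, body on stdout.
vault_api() {
  api_method="$1"; api_path="$2"; api_body="${3:-}"
  # The token is fed as a header on stdin (curl -H @-, curl >= 7.55) so it does
  # not show up in the process list; --fail turns HTTP errors into a non-zero exit.
  printf 'X-Vault-Token: %s\n' "$VAULT_TOKEN" |
    curl -sS --fail -X "$api_method" -H @- ${api_body:+-d "$api_body"} \
      "$VAULT_ADDR/v1/$api_path"
}

# Safe to run on every container start: mounts and generates the CA only once.
bootstrap_ssh_engine() {
  mounts=$(vault_api GET sys/mounts)      # set -e aborts here if the read fails
  case "$mounts" in
    *"\"$MOUNT/\""*)
      # Already mounted: keep the existing CA so hosts trusting its public key keep working.
      status="exists" ;;
    *)
      vault_api POST "sys/mounts/$MOUNT" '{"type":"ssh"}' >/dev/null
      # Key pair is generated inside Vault; the private half is never exported.
      vault_api POST "$MOUNT/config/ca" '{"generate_signing_key":true}' >/dev/null
      status="created" ;;
  esac
  # Role writes replace the stored role, so repeating this is harmless.
  vault_api POST "$MOUNT/roles/$ROLE" "$ROLE_JSON" >/dev/null
  echo "$status"
}
```

Call `bootstrap_ssh_engine` from a post-start step once Vault has auto-unsealed, using a short-lived token whose policy covers only `sys/mounts` and the mount's own paths rather than the root token.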