Trying to get the integrated storage snapshot “agent” running and having problems using a named KMS key. For one, the documentation states that the parameter is aws_s3_server_kms_key while the parameter in Vault shows aws_s3_kms_key when reading the configuration at sys/storage/raft/snapshot-auto/config/
After writing the configuration, the value for the KMS key continues to show as n/a. Snapshots are working correctly and being saved to my S3 bucket, but they are being encrypted with the default S3 key, which is not desirable.
I’ve tried using the full ARN, just the Key ID, or the key alias and the results are the same. I’ve also tried using both aws_s3_kms_key to set the value, and neither works.
The configuration for the snapshot configuration is as follows:
vault write sys/storage/raft/snapshot-auto/config/hourly
Can we a) clarify if aws_s3_server_kms_key is indeed the correct parameter and b) figure out why Vault is not using the key as configured?