Configuring Raft Snapshot Agent with KMS

Trying to get the integrated storage snapshot “agent” running and having problems using a named KMS key. For one, the documentation states that the parameter is aws_s3_server_kms_key while the parameter in Vault shows aws_s3_kms_key when reading the configuration at sys/storage/raft/snapshot-auto/config/

After writing the configuration, the value for the KMS key continues to show as n/a. Snapshots are working correctly and being saved to my S3 bucket, but they are being encrypted with the default S3 key, which is not desirable.

I’ve tried using the full ARN, just the Key ID, or the key alias and the results are the same. I’ve also tried using both aws_s3_server_kms_key and aws_s3_kms_key to set the value, and neither works.

The configuration for the snapshot configuration is as follows:

vault write sys/storage/raft/snapshot-auto/config/hourly \
    interval=2m \
    retain=336 \
    storage_type=aws-s3 \
    aws_s3_bucket=xxxxxx-vault-snapshots \
    aws_s3_region=us-east-1 \
    aws_s3_enable_kms=true \
    aws_s3_server_kms_key=hashicorp_vault_demo

Can we a) clarify if aws_s3_server_kms_key is indeed the correct parameter and b) figure out why Vault is not using the key as configured?


Hi @btkrausen,

This is a bug: it should be aws_s3_kms_key, but the code that reads that param is looking for aws_s3_server_kms_key. That param isn’t defined in the framework, so even if you provided it, that wouldn’t help.

There’s a fix in the upcoming 1.6.1 release, which should be out soon. Thanks for bringing this to our attention!

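Added example (not from the thread or from Vault's own code): a small check that reads the auto-snapshot config back as JSON and flags the situation described above, where KMS is enabled but no customer key is actually set, or the mis-documented aws_s3_server_kms_key name was used. It assumes the usual `{"data": {...}}` envelope from `vault read -format=json`, that an unset key comes back empty or absent in JSON (the table view shows n/a), and that the corrected field name after the fix is aws_s3_kms_key; the sample output and key alias are constructed.

```python
"""Audit a raft snapshot-agent config read back from Vault (assumptions above)."""
import json
import shlex
import subprocess

KMS_KEY_PARAM = "aws_s3_kms_key"            # the field Vault actually defines
MISNAMED_PARAM = "aws_s3_server_kms_key"    # name from the docs; not a real field


def audit_snapshot_config(read_output):
    """Return a list of findings for JSON `vault read` output (empty list = OK)."""
    data = json.loads(read_output).get("data", {})
    findings = []
    enable_kms = data.get("aws_s3_enable_kms")
    kms_key = str(data.get(KMS_KEY_PARAM) or "").strip()
    if enable_kms in (True, "true") and kms_key in ("", "n/a"):
        findings.append("aws_s3_enable_kms=true but no customer KMS key is set; "
                        "snapshots fall back to the S3-managed default key")
    if MISNAMED_PARAM in data:
        findings.append(f"{MISNAMED_PARAM} is not a recognised parameter; "
                        f"use {KMS_KEY_PARAM} instead")
    return findings


def write_command(name, bucket, region, kms_key, interval="1h", retain=336):
    """Build the corrected `vault write` argv using the real parameter name."""
    return ["vault", "write", f"sys/storage/raft/snapshot-auto/config/{name}",
            f"interval={interval}", f"retain={retain}", "storage_type=aws-s3",
            f"aws_s3_bucket={bucket}", f"aws_s3_region={region}",
            "aws_s3_enable_kms=true", f"{KMS_KEY_PARAM}={kms_key}"]


def audit_live(name):
    """Live variant: run the CLI (needs a vault binary, VAULT_ADDR and a token)."""
    out = subprocess.run(["vault", "read", "-format=json",
                          f"sys/storage/raft/snapshot-auto/config/{name}"],
                         check=True, capture_output=True, text=True).stdout
    return audit_snapshot_config(out)


if __name__ == "__main__":
    # Constructed sample mirroring the thread: KMS enabled, key reported unset.
    SAMPLE = json.dumps({"data": {"aws_s3_bucket": "example-vault-snapshots",
                                  "aws_s3_enable_kms": True, KMS_KEY_PARAM: "",
                                  "storage_type": "aws-s3"}})
    for finding in audit_snapshot_config(SAMPLE):
        print("FINDING:", finding)
    print(shlex.join(write_command("hourly", "example-vault-snapshots",
                                   "us-east-1", "alias/example-key")))
```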

Thanks so much @ncabatoff


https://discuss.hashicorp.com/t/ann-vault-1-6-1-released/18968/2

The stage is yours. :sweat_smile:


A potentially related question, does the raft snapshotting agent support using Kubernetes service accounts (aws_web_identity_token) for accessing the S3 buckets?

I’d rather not have to create an AWS access key and secret key if I don’t have to. I made an attempt to see if it would indeed work, but at the moment the auto-snapshot is still reporting access denied.