Trying to get the integrated storage snapshot “agent” running and having problems using a named KMS key. For one, the documentation states that the parameter is `aws_s3_server_kms_key` while the parameter in Vault shows `aws_s3_kms_key` when reading the configuration at `sys/storage/raft/snapshot-auto/config/`.

After writing the configuration, the value for the KMS key continues to show as `n/a`. Snapshots are working correctly and being saved to my S3 bucket, but they are being encrypted with the default S3 key, which is not desirable.

I’ve tried using the full ARN, just the Key ID, or the key alias and the results are the same. I’ve also tried using both `aws_s3_server_kms_key` and `aws_s3_kms_key` to set the value, and neither works.
The configuration for the snapshot configuration is as follows:
```shell
# Automated snapshot configuration named "hourly", stored in S3 with KMS enabled
vault write sys/storage/raft/snapshot-auto/config/hourly \
    interval=2m \
    retain=336 \
    storage_type=aws-s3 \
    aws_s3_bucket=xxxxxx-vault-snapshots \
    aws_s3_region=us-east-1 \
    aws_s3_enable_kms=true \
    aws_s3_server_kms_key=hashicorp_vault_demo
```
Can we a) clarify if `aws_s3_server_kms_key` is indeed the correct parameter and b) figure out why Vault is not using the key as configured?
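An added example, not part of the original post: one way to confirm which key actually encrypted a stored snapshot, independent of what Vault reports, is to classify the JSON printed by `aws s3api head-object` for that object. The function name, the account ID and the key IDs below are hypothetical or constructed; the expected key must be given as a key ARN or key ID, since S3 reports the key itself, not an alias.

```python
import json

# Constructed sample of `aws s3api head-object` output for one snapshot object.
# The account ID and key ID are placeholders, not values from the post.
SAMPLE_HEAD_OBJECT = json.dumps({
    "ContentLength": 123456,
    "ServerSideEncryption": "aws:kms",
    "SSEKMSKeyId": "arn:aws:kms:us-east-1:111122223333:key/"
                   "00000000-0000-0000-0000-000000000000",
})


def check_snapshot_encryption(head_object_json, expected_key):
    """Classify an object's server-side encryption against the intended key.

    expected_key is a KMS key ARN or a bare key ID. Returns 'match',
    'wrong-kms-key', 'sse-s3', 'unencrypted' or 'alias-unresolved'.
    """
    meta = json.loads(head_object_json)
    sse = meta.get("ServerSideEncryption")
    if sse is None:
        return "unencrypted"
    if sse == "AES256":
        # S3-managed keys (SSE-S3): no KMS key was involved at all.
        return "sse-s3"
    if "alias/" in expected_key:
        # An alias cannot be compared directly; resolve it to a key ID first
        # (for example with `aws kms describe-key --key-id alias/<name>`).
        return "alias-unresolved"
    actual = meta.get("SSEKMSKeyId", "")
    if expected_key.startswith("arn:"):
        same = actual.lower() == expected_key.lower()
    else:
        # Bare key ID: compare against the last path element of the ARN.
        same = actual.rsplit("/", 1)[-1].lower() == expected_key.lower()
    return "match" if same else "wrong-kms-key"


if __name__ == "__main__":
    intended = "11111111-1111-1111-1111-111111111111"  # constructed key ID
    print(check_snapshot_encryption(SAMPLE_HEAD_OBJECT, intended))
```

A result of `wrong-kms-key` or `sse-s3` for a freshly written snapshot means the configured key was not applied to the upload.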